Cатсн²² (in)sесuяitу / ChrisJohnRiley

ITWeb Security Summit

ChrisJohnRiley — Thu, 10 May 2012 12:45:35 +0000

It’s been a while since I last posted… between a trip to the UK (for BSides London) and a few days in bed with con-flu, it’s been a busy few weeks.

I’m flying out to South Africa this weekend to take part in the ITWeb Security Summit in Johannesburg. There are a lot of great speakers talking, and I was honoured to be asked to present some of my SAP research as part of the “Enterprise Resource Planning” track.

This will be the last time I’ll be presenting this material, so hopefully it will go down well. This research has been ongoing for the last year or so, and it was time to move my focus off onto some other projects I’ve got running. Plus, nobody likes to see research that’s old and busted. The information I’ll be presenting is “out there” for the community, so I’m happy to cover it one last time before I put it to bed. So much hacking, so little time

If you’re attending the conference please come up and say hi… I only bite on request!

Tagged: Conference, ITWebsec, sap

Security Forum 2012

ChrisJohnRiley — Thu, 19 Apr 2012 12:30:53 +0000

The Security Forum is the annual IT-Security Conference in Hagenberg that addresses current issues in this domain. Traditionally it takes place over the course of two days in April. On the first day visitors are offered technical as well as management-oriented papers by representatives of business, research and public service.

After last years security forum I couldn’t very well miss this years event, and it didn’t disappoint. Although a number of the presentations were a little too management focused and light on technical details for my liking, these were overshadowed by great presentations from Scott Behrens from Neohapsis and the short but very interesting Security Insight talks that took place in the evening.

Just like last year the real benefit I feel came from the discussions between sessions. Talking to the presenters and attendees is always the high-point of these conferences I find.

Below is a few brief notes on the presentations I managed to attend and think are worth noting. Slides aren’t yet available for most talks as far as I’m aware.

Webshell Detection using NeoPI (Scott Behrens)

(https://www.securityforum.at/agenda-2/neopi/)

This talk concentrated on the issue of detecting webshells when performing incident response. When faced with a collection of servers and maybe more than 20,000 files present in a webroot, how can you find the needle amongst the needles. Scott demonstrated a number of analysis techniques that can be used to better discover webshells present on a system, and showed the abilities of the NeoPI script to dig into a webroot and point out discrepancies and possibly malicious webshells.

The NeoPI script is currently available on the Neohapsis github page and is looking for people to assist in future development and testing.

Security Insights (evening talks)

(https://www.securityforum.at/security-insights/)

The evening talks moved away from the more management style presentations during the day and focused more on technical projects. Three of the talks were of particular interest.

Sicherheit in der Bürgerkartenumgebung (Wolfgang Ettlinger)

In this talk Wolfgang discussed some of the issues he discovered when testing the security of the Austrian Citizen Card. In Austria this card can be used to officially sign documents and prove the identity of the holder. This includes the ability to sign-in to online banking using the card and a pin to prove the holder is who they say they are. Wolfgang showed a number of vulnerabilities in the BKU (the Java based environment that deals with PIN authentication and card communication) and showed the ability for an attacker to steal the PIN and use it to sign documents or perform actions as the user. A more detailed write-up is available on Wolfgang’s blog.

Covert Channel Protocol – verdeckte Informationsübertragung (Florian Preinstorfer)

Florian discussed his ongoing research into covert channels and in particular discussed his (PoC) implementation that uses both HTTP, ICMP and DNS to transfer data covertly by using client and server-side proxies to alter traffic. Although the work is still ongoing I’m looking forward to seeing what the final result it, as the premise seems interesting. As soon as code is released or more information becomes available I’ll make sure to post it up in my [SuggestedReading] feed.

Oh noes! Another Android Malware Talk (Thomas Eder, Michael Rodler)

The final presentation of the night walked us through an analysis of Android malware (in particular an SMS application that sends premium rate SMS messages). The tools discussed were the usual fare, however the presenters are working together with a larger team to implemented a more automated and structured way to analyse Android malware called EPIC (DE). The project is still in it’s PoC phase, but seems to be something to keep an eye on!

Special thanks to the Hagenberger Kreis for making the conference such an enjoyable experience… Hope to see you all next year!

Tagged: hagenberg, SecurityForum

PrintJob MITM – Testers Wanted

ChrisJohnRiley — Wed, 11 Apr 2012 12:00:27 +0000

I had some time over the long weekend to tweak a Metasploit script I’ve had lying around for a few ~~months~~ years. When I wrote the Python prn-2-me script I also drew up the basics of a printjob MITM module for Metasploit but never managed to finish it up.

The Python version is limited in that it was designed to handle RAW print streams only… it was also really badly written (like most of my ~~early~~ Python stuff). The Metasploit Module I’m testing currently should also handle LPR/LPD printjobs by sitting in the middle and passing communications backwards and forwards between the client and the printer. I’ve also begun to look at implementing some IPP sniffing as well, using the same technique as LPR/LPD (streaming the data to the printer and sniffing out the printjob and Metadata).

This is still a work in progress, and handling LPR/LPD and IPP is a bit more tricky than RAW printjobs.

A couple of helpful folks have been testing out the module for me… if you want to assist please take a look at the module and see what you think (download link below). If you have any problems please do a packet capture so I can see what’s not working correctly and adapt the module. As the various printers and drivers handle things slightly differently the idea is to look at as many models as possibly (not just HP!).

Links:

Python prn-2-me (HERE)
Metasploit auxiliary/server/capture/printjob_capture.rb –> In Development!

Tagged: IPP, Metasploit, mitm, pcl, postscript, print

Getting your message across: Screenshots

ChrisJohnRiley — Sat, 07 Apr 2012 15:21:45 +0000

Since I’ve finally started doing something with pentestreports.com I thought it was time to write-up some interesting content. Seeing as this one has been bugging me for a while, I thought it would make an interesting starting point. As always, comments are welcomed and encouraged!

Getting the message across in a penetration testing report isn’t always the easiest thing. Explain in 500 words or less, to somebody who may or may not know what TCP is, how you used a forged HTTP request header to inject falsified log requests into their database and perform stored cross-site scripting on administrators… yeah, it’s not easy. So, a picture is worth a thousand words, and we’re going to need to use all the options available to us to convey the issue at hand.

The problem is… people don’t always spend as much time thinking about that picture as they would writing 500 words! and they should! Here’s a few of the screenshot-crimes I’ve seen over the last 10 years or so in technology. These aren’t restricted to Penetration Testing… so should be applicable for any graphical representation!

The lazyboy

Well I guess it gets the message across… but I’m not really sure what that message really is! A screenshot is designed to help get a message across and prove that something was achieved. This kind of screenshot does nothing more than show that you can press a few keys and take a screenshot. Did I perform an XSS in your website, was it reflective? stored? second-order? Who knows…

This screenshot shows nothing.

Full-on

Is that bigfoot? Nope, it’s hard to see, but that’s actually a screenshot! Crop people… no, don’t think, just crop. At least you’re getting more of the message across than the lazyboy, but you’re not helping yourself here. Make sure that when you take a screenshot everything you NEED to show is in a small area that will be easily visible and readable when the screenshot is cropped. A full screen capture is fine for note taking, but the final version needs to be cropped and annotated if needed.

The OTT

OMG where do I look first! 3 screenshots layered one on top of the other… does it tell a story? without any annotation or further information then it’s just a jumbled mess of text. This is a perfect candidate for multiple screenshots, or at the very least a few boxes to focus the reader in on the places where the REAL information is!

Side-note: Screenshots of code are mostly a waste of time… copy/paste the effected code and highlight the section effected.

Click Happy

You may think I’ve gone off the deep-end on this one… but I’m afraid not. Some people actually think that photos are a replacement for a good, well-formed screenshot! Sometimes you just can’t avoid a photo, but think carefully. Easy to do badly! Hard to pull off.

Exceptions to this last one are obvious really. Physical security tests/results, or anything that can’t be screenshotted. Just remember, if you can use a screenshot, it’s going to look a whole lot better than a photo.

Note: If you NEED to do photos… don’t use your phone! Buy a digital camera and learn how to use it!

Conclusion

Take time to think out your screenshots. Not only if you need one, but how you can best show the issue(s) and how a reader will view it. The viewer may not have your technical knowledge, and may not know what the issue really is. Make that screenshot count!

Tagged: penetration testing, Reporting, Reports, Screenshots

Scammers gonna scam

ChrisJohnRiley — Sat, 31 Mar 2012 12:55:41 +0000

It’s been a while since I’ve thought about our resident snake oil salesman, Gregory D Evans… and there’s be far to much seriousness on the blog recently. So here’s a little deviation from your usual programming. Sorry!

I’ve been noticing, as many have I’m sure, a lot of spam messages on the Twitters over the last few months. I’ve been a good little worker and reported them as spam, every little helps after all. However I thought it was about time to name and shame (like he’s not already shamed). Still, it’s worth a few seconds to make a screenshot and share it for prosperity.

I guess hot girls like Hackers!

The levels of spam have reduced (maybe due to people reporting them repeatedly, maybe due to dwindling funds), but you can usually pick up a few by searching on the phrases “AM I HACKER PROOF is a” and “Gregory Evans is one of the”. The posts forward to an amazon.com page together with an affiliate link (using several affiliate link tags - diabetescure-20, worldmixmasal-20, neoopt06-21, twitterservice-20). You can find the same affiliates posting LocatePc spam as well on occasion.

I’m not one to judge on how people do business, but this kind of thing doesn’t really strike me as something an honest and professional Information Security company would take part in.

Just before I go here’s a quick some food for thought… the @gregorydevans account now has over 27,000 followers. Wow that’s amazing, much more than most… he must he really famous and well-respected! Of course, this rise all happened in the last month. From zero to spam follower hero in a month! I’ll leave that one for you to think on

Lets give the man the benefit of the doubt… after all, he’s the world’s number 1 hacker. Still seems strange that the @amihackerproof account seems to have a similar arc in followers! The stats are unfortunately a little lacking, as the stats are only tracked from March 23rd 2012.

Tagged: LIGATT, spam

EU legislation – Digging below the FUD line (cont.)

ChrisJohnRiley — Thu, 29 Mar 2012 13:30:53 +0000

Earlier on I posted up my thoughts on the EU Legislation – “Attacks against information systems”.

At the time I held back from commenting on some quotes in the news story as I wanted to mull over my response a little longer.

In the news article posted on europarl.europa.eu one of the MEPs responsible for the amendments and the final legislation was asked to comment on the proposal. A couple of her responses warrant a rebuttal.. although at this stage things are far to far gone to make much change at the EU level.

”We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year” said rapporteur Monika Hohlmeier (EPP, DE). “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world” she added.

The last sentence in particular really made it clear the lack of understanding of the InfoSec industry. Monika Hohlmeier talks about liability incurred through lack of testing and confuses a number of issues.

This comment would fit nicely and make sense if we were talking about lack of security testing by software vendors. I agree they should be held liable for shortcuts and sloppy work. Especially if it puts others at risk!

However in the context of this legislation it seems to point more to companies releasing tools that *could* be used by attackers. Putting aside the fact that almost any program could be used offensively, it’s obvious that if security tools are outlawed by poorly drafted and written legislation like this, then companies won’t have the tools required to perform the testing required.

To put it in the same context as Monika Hohlmeier used…

A car manufacturer would not be able to test the reliability and security of their cars if the tools, methods and knowledge required for that testing was against the law. A company can only secure a product from potential problems (whether security or not) by using methods and techniques to test them. Car companies have and will continue to go through rigorous checks by crashing cars, dropping them on their roofs and spinning them on a wet surface to see how they react.

In the security field we do the same thing, by creating tests to see if systems are secure. We take an app and send unexpected input, attempt to force the application out of control, and take advantage of insecurities to see how far the issue goes.

You wouldn’t tell a car manufacturer that their crash tests are illegal as they cause a car to crash… So don’t try to tell us that possession of tools we need for our jobs put our jobs, and livelihoods at risk! The lack of context you placed in this legislation causes everybody to interpret the meaning. I doubt that your goal, or the goal of this legislation is to hinder, disrupt or block valid security research and testing, however the effects have to to be seen… 202(c) had the wrong effect due to it’s lax wording… don’t let this EU legislation drive all security research out of Europe.

My 0.02¢ on the issue…

Links:

EU legislation – Digging below the FUD line (blog.c22.cc)
Hacking IT Systems to become a criminal offence (Europarl article)
Draft Report / Amendments – Monika Hohlmeier (PDF)
Draft Report / Amendments – 34 – 128 (PDF)
Final (Attacks against information systems) (PDF)
Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
Meeting notes and links LIBE Meeting (Europarl site)
Monika Hohlmeier (MEP Information Page)
Jan Philipp Albrech (MEP Information Page)

Tagged: EU Legislation, EuroParl, Possession of Tools

EU legislation – Digging below the FUD line

ChrisJohnRiley — Thu, 29 Mar 2012 08:05:56 +0000

Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks. Before I dig into some of the quoted content and some of the details I’d like to make it clear that I’m not a lawyer, I didn’t stay at a Holiday Inn last night, and I’m probably not smart enough to really understand how politicians think… also, as with everything in legal terms, there’s a whole other area of how people interpret these legislations. So, take what’s said here as a personal opinion!

The initial link I saw posted on Twitter (care of my good friend @wimremes) was to a new article on the European Parliament News site (article can be found HERE). I clicked through to see what all the fuss was about and was greeted with the FUDridden headline of:

Hacking IT systems to become a criminal offence

OMG, the sky is falling! Despite the fact that in most countries in the EU, “hacking” in the sense of illegally gaining entry to IT systems, has been a crime for a long time already! Moving past the large print, the thing that really seemed to be rattling people was the explicit legislation surrounding “hacking” tools.

The news article goes on to state:

Possessing or distributing hacking software and tools would also be an offence

and then further on gives a small paragraph detailing things:

Cyber-attack tools

The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.

Those reading this article without further context would have little choice but to think back to the poor decisions made in Germany (see 202(c) ) that resulted in many security researchers from upping sticks and moving out. The news article makes it very clear that “hacking” tools are seen as the problem, and anybody in possession of them is a criminal…

Digging deeper

Call me a cynic, but I’m not one to trust journalists much, at least without reason… so I dug a little deeper.

The new EU Legislation discussed in the news article is based on a draft report by Monika Hohlmeier originally written back in November 2011. For those that want to get the details, you can read a copy of the draft report HERE.

This version of the draft report includes not only the proposed amendments, but also justifications. So, lets have a quick search and see where the news article got it’s content.

Searching on the word “tools” provides only 5 results… none of which seem to state that writing, or possessing them is a crime.

Searching on the word “possession” however brings up some interesting information (Amendment 22).

The text on the left-hand side is the origin text proposed by the commission, and includes a clause for possession. As you can see from the amendment voted on and accepted this week, the word “possession” has been completely removed, and the wording slight altered to change “for the purpose of committing any offences” to ”for the clear purpose of committing any offences”.

The justification given in the amendment makes it plain that the goal of this legislation is not to target people working in security, but malicious attackers!

Justification

Given the possibility to use programmes in dual forms, i.e. for legal as well as criminal
purposes, the possession of a tool should as such not be punishable. In addition, the purpose
of the actions described in this article should only be punishable when it is clearly aimed at
committing an offence.

There are more than a number of clarifications present in these amendments that I think help to make the legislation clearer and more targeted towards criminal usage, without infringing on the InfoSec community. I won’t cover all the changes here, but if you’re interested I suggest reading through the 26 page draft report HERE.

So, were’s the problem! Well, this draft report seemingly never made it through… instead it was once again amended, and replaced in January this year by a draft report (PDF) that takes these changes, and deletes them.

Initially I thought this deletion was to remove the amendment, but instead the justification makes it clear that the deletion was mean to remove this section from the EU legislation completely! As I said, I’m no expert on these things

Justification
So-called ‘hacker tools’ are inherently dual-use, and they are crucially needed for security
testing. If we want to have the whistleblower protection, we also have to legalise their
possession and distribution. Passwords and access codes should not be regarded as hacker
tools. If they get lost, the operator should immediately improve his security measures and set
up new passwords, just as people do when they lose their keys

It’s nice to see that at least somebody understands that security testing is important, and that outlawing tools isn’t the way to go!

End-Game

Despite there being some good amendments suggested, ones that not only help clear up any misconceptions, but also help to clarify the use and possession of “hacking” tools… these clear minded and well-reasoned amendments ~~didn’t seem to make it into the final document delivered~~ to the 2010 committee proposal (PDF) I can#t seem to find anywhere that explains which were accepted and which were denied!

This ~~final version~~ 2010 committee proposal includes the following in regards to possession, creation and distribution of “hacking” tools.

General Context

…. Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools (‘malware’ and ‘botnets’), while offering offenders anonymity and dispersing responsibility across jurisdictions…

At least they make a clear distinction here that they refer to “tools” as a shortcut for “malware” and “botnets”. Still, this is where the good news seems to end!

Summary of the proposed action

A: Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offence

…

…this Directive shall refer to ’tools’ that can be used in order to commit the crimes listed in this Directive. Tools refer to, for example, malicious software, including botnets, used to commit cyber attacks.

So it seems that “hacking” tools aren’t welcome, at least in the original committee proposal. The text describing what those tools are is open to interpretation and as a result could easily be applied to people producing anything from scanners through to example exploit code for penetration testing and vulnerability analysis purposes. As with everything, it’s not set in stone until somebody takes it to court and defines it!

Article 7
Tools used for committing offences

Member States shall take the necessary measure to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following is punishable as a criminal offence when committed intentionally and without right for the purpose of committing any of the offences referred to in Articles 3 to 6:

(a) device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;

(b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.

The only saving grace here is the inclusion of the phrase “when committed intentionally and without right for the purpose of committing”. This still doesn’t save things from being a total car wreck however.

Conclusion

I started this write-up based on the amendments I saw from Monika Hohlmeier in the belief that things had been altered for the better… however after taking time to dig through the various proposals, amendments and finally reviewing the all the available documentation it’s unclear what changes will be made. Without a clear list of amendments that were accepted, and that were either withdrawn or denied, it’s very hard to tell where this is heading.

I’ll fall short of saying what I really think… but the future doesn’t look good if the only people offering sane advice are ignored in favour of such poorly thought out legislation. Is there anywhere left were you can ply your honest trade anymore? Hopefully these proposals will become clearer once documentation is released.

Hopefully somebody with a little more legal background will take a look at this and post their opinions. Until then, I hope people keep doing what they’re doing. Without sharing of tools, techniques and knowledge, we’ve already lost!

Update: I’ve also posted some follow up comments/thoughts HERE

Update 2: A commenter has drawn my attention to a flaw in my review. I’ve attempted to rework some of the thought and information to reflect this flaw… apologies for any confusion. I’ve sent an email to Monika Hohlmeier requesting further information on what was and was not accepted. Hopefully this will clear up some confusion.

Links:

Hacking IT Systems to become a criminal offence (Europarl article)
Draft Report / Amendments – Monika Hohlmeier (PDF)
Draft Report / Amendments – 34 – 128 (PDF)
Final commission proposal 2010 - Attacks against information systems (PDF)
Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
Meeting notes and links LIBE Meeting (Europarl site)
Monika Hohlmeier (MEP Information Page)
Jan Philipp Albrech (MEP Information Page)

Tagged: EU Legislation, EuroParl, Possession of Tools

Commandline Kung-fu – Solution

ChrisJohnRiley — Tue, 20 Mar 2012 12:00:44 +0000

So yesterday, in a fit of Winrage I posted a cry for help… (see original Commandline Kung-fu needed! Apply within).

The basics of it were, I needed to resolve a group SID to its name and then use it in a later command. Simple you’d think, but not so! The resolution is simple using wmic, but the way it’s returned and the limitations of Windows command line tools really started to be a pain.

Once you add in the limitation that it had to be a one-liner and not a script, you really started to have issues. You couldn’t set a variable or use substring as once you set an environment variable it didn’t seem to be available until the one-liner had finished and Windows had refreshed the env list…. and that was just the start of the hair pulling (not that I have much to pull out anymore).

So, after a bit more playing I realised that one of my earlier solutions might just have worked if I’d have set the delimiter right… so, here you have it… a working one-liner to find the local administrators group (no matter what it’s called, spaces and all) and add a newly created user to that group.

FOR /F "usebackq tokens=2* skip=1 delims==" %G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do FOR /F "usebackq tokens=1 delims==" %X IN (`echo %G`); do net user username password /ADD && net localgroup "%X" username /ADD

Simple you say… well I guess hindsight is 20/20!

Some more useful SID values for testing:

S-1-5-32-555 –> Remote Desktop Users
S-1-5-32-551 –> Backup Operators
S-1-5-32-549 –> Server Operators
Well-known security identifiers in Windows operating systems (here)

Tagged: for loop, solution, windows, wmi

{Quick Post} Commandline Kung-fu needed! Apply within

ChrisJohnRiley — Mon, 19 Mar 2012 10:10:11 +0000

Edit:

After some more playing, and some headache tablets, it seems I’ve found a solution (or should I say, found the bug in a solution I thought didn’t work)… I won’t post a spoiler just yet incase people are playing… but I will post the answer I found tomorrow once I have time!

In the meantime happy hunting…. and remember, Windows sucks sometimes!

—- —- —-

So, I’ve been fighting with the following command for a while and can’t quite get it working (due to whitespace or linefeeds at the end of the string). So I’m putting it out there and asking for help!

Goals:

Create a single Windows command-line (not a script) that runs on all modern versions of Windows (no powershell here) that resolves a localgroup name from its SID, and feeds this group name (including any spaces!) into a “net localgroup” command… It seems easy, but due to the spaces present in some group names, it’s a bit tricky to solve without using some mystical command-line kung-fu that I certainly don’t seem to posses!

Example (not working):

For /F “usebackq Tokens=1* Delims==” %I In (`wmic group where sid^=’S-1-5-32-551′ get name /Value ^| Find “=”`); do net user username password /ADD && net localgroup %J username /ADD

The above example uses the SID for “Backup Operators” as it contains a space… which meets the criteria! It also fails…

Example (working for group names w/o spaces only):

FOR /F “usebackq skip=1″ %g IN (`wmic group where sid^=’S-1-5-32-544′ get name`); do net user username password /ADD && net localgroup %g username /ADD

This example works for group names like “administrators”, but if you alter the SID to S-1-5-32-551 then it will only take “backup” from the “backup operators” group name and therefore fail. It’s simple enough to fix if you known beforehand that the group has a space, but that’s not the point… we don’t know for all cases.

Anybody got the smarts to solve this? I hate batch scripting!!!

Tagged: for loop, windows, wmi

Unsung Heros (the list)

ChrisJohnRiley — Mon, 12 Mar 2012 13:45:17 +0000

Back in January I had this crazy idea to make a list of tools/scripts/programs that some people considered the best thing since slides bread, and others had never even heard of. Over the last couple of months I’ve received just over 30 entries from all areas of InfoSec… Not as much as I’d have liked, but still an few interesting gems in the mix.

As I said in the original post, I’ll be pulling a name out of the digital hat for a book from No starch… as I’ve just got finished reading the excellent “Tangled Web” I think it would make a great prize. I’ll be drawing and contacting the winner this week and will post their name on Twitter (unless they wish to remain anonymous).

I’ve created the following list in no particular oder, and tried my best to categorize them as best I can. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things

Category: Monitoring

pastebin.py (link)
- Written by Xavier Garcia, this small python script continuously monitors pastebin.com, looking for interesting keywords (based on regex)
PasteLert (link)
- PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries.
OSSIM (link)
- OSSIM is the de facto standard Open Source SIEM

Category: Forensics / Incident-Response

Xmount (link)
- xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE
PhotoREC (link)
- Specifically designed for digital photo recovery. Due to its algorithms for reconstructing files, it is also able to strip encryption from data in some cases.
TestDisk (link)
- Great portable tool for performing a deep search and recovery of deleted partitions and files on physical drives and image files. It’s simple and scriptable.
TCPflow (link)
- Very handy for quick recovery of *data* (payload without ip/tcp headers, etc) traversing a network interface as well as different data flows.
Network Miner (link)
- A great tool for extracting information and transferred files from sniffed network traffic.
Chaos Reader (link)
- A freeware tool to trace TCP/UDP/… sessions and fetch application data from snoop or tcpdump logs.

Category: Systems Administration

Deep Freeze (link)
- Deep Freeze provides the ultimate workstation protection by creating a “frozen” snapshot of a workstation’s configuration and settings. Each time you restart your machine, Deep Freeze restores your computer to this desired “frozen” state.
splitcap (link)
- Tool for splitting PCAP files
rawcap (link)
- RawCap makes it possible to sniff network traffic on Windows machines without WinPcap.
Log Parser (link)
- Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
WOL-E (link)
- WOL-E is a suite of tools for the Wake on LAN feature of network attached computers.

Category: End-point detection

GMER (link)
- Application that detects and removes rootkits
Fail2Ban (link)
- fail2ban checks log files for information on brute forcing attempts and exploit probing, and then temporarily “bans” the offending IP.
Sigtool (link)
- Sigtool (part of clamav) lets you create your own signatures next to the “known” malware signatures. So when virustotal says “0/42″, you still can block the files.

Category: Penetration Testing

Ebrute (link)
- Why is this your unsung hero: Windows domain username enumeration via Kerberos
Arachni (link)
- Web application scanner
Keimpx (link)
- Covering the gap of MSF psexec spraying the domain with dumped credentials (pass the hash)
NfSpy (link)
- Takes all the hard work out of spoofing one’s uid in order to gain access to all the files on an NFS share. Additionally, supports all sorts of shortcuts to get around “security measures” like firewalling port 111.
ratproxy (link)
- A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
ThickNET (link)
- Thicknet is a TCP session manipulation and take-over framework. it is a great tool for internal penetration testing. It is modular which allows users to develop and customize the tool for their particular target protocols.
Tachyon (link)
- Tachyon is a dead file scanner, written in python. The main goal of tachyon is to help webadmins find leftover files in their site installation, permission problems and web server configuration errors
SWFscan (link)
- SwfScan decompiles Flash into source and checks it for security issues. Even if it doesn’t find security problems, discovery of additional server URLs, viewing application logic, and the opportunity to manually view the source for issues are invaluable. All done in a pretty nice GUI.
Mona (link)
- Mona is a PyCommand for Immunity Debugger that replaces pvefindaddr.
UAtester (link)
- A tool for testing web-site reactions to a range of User Agent strings. Useful for ensuring wide coverage of web applications.
Evilgrade (link)
- Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
PMCMA [Post Memory Corruption Memory Analysis] (link)
- Helps automating the process of finding a way to exploit a (known) memory arbitrary read/write vulnerabilities
MimiKatz (link)
- Can recover clear text passwords of logged on users on a windows machine, by lsass injection.
OWTF (link)
- The offensive Web Testing Framework – An awesome framework just recently developed to help better test passively and actively web applications.
Yeti (link)
- A network foot printing tool from the Sensepost crew
Reaver-WPS (link)
- A tool for exploiting WPA/WPA2 issues (in particular the WPS bug)
Dirfuzz (link)
- Directory discovery and info gathering of web applications
MORF v0.3 — NINJA ENCODER (link)
- Encoder with a wide range of supported encoding types (URL, HTTP, Base64, HEX, MD5, SHA1, UTF-7…)

Category: Miscellaneous

xdotool (link)
- This tool lets you simulate keyboard input and mouse activity, move and resize windows, etc. It does this using X11′s XTEST extension and other Xlib functions.
Risu (link)
- Risu is a Nessus parser, that converts the generated reports into a ActiveRecord database, this allows for easy report generation and vulnerability verification.
Thinkst – Infosec Conference Collector (link)
- An online tool for searching prior and upcoming conference talks. Useful for attribution, reference checking, and trend spotting. Doesn’t cover everything, but a good starting point.

I hope there’s at least 1 or 2 unsung heroes on the list for everybody… and if you have any additions, feel free to leave them in the comments, and I’ll update the post when I can! Thanks to all those who took part… this list if yours after all, not mine!

P.S: Thanks to the generous person who suggested UAtester… even if it was a joke

Tagged: tools, unsung heroes