Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Unsung Heros (the list)

Back in January I had this crazy idea to make a list of tools/scripts/programs that some people considered the best thing since slides bread, and others had never even heard of. Over the last couple of months I’ve received just over 30 entries from all areas of InfoSec… Not as much as I’d have liked, but still an few interesting gems in the mix.

As I said in the original post, I’ll be pulling a name out of the digital hat for a book from No starch… as I’ve just got finished reading the excellent “Tangled Web” I think it would make a great prize. I’ll be drawing and contacting the winner this week and will post their name on Twitter (unless they wish to remain anonymous).

I’ve created the following list in no particular oder, and tried my best to categorize them as best I can. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things 😉

Category: Monitoring

  • pastebin.py (link)
    • Written by Xavier Garcia, this small python script continuously monitors pastebin.com, looking for interesting keywords (based on regex)
  • PasteLert (link)
    • PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries.
  • OSSIM (link)
    • OSSIM is the de facto standard Open Source SIEM
Category: Forensics / Incident-Response
  • Xmount (link)
    • xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE
  • PhotoREC (link)
    • Specifically designed for digital photo recovery.  Due to its algorithms for reconstructing files, it is also able to strip encryption from data in some cases.
  • TestDisk (link)
    • Great portable tool for performing a deep search and recovery of deleted partitions and files on physical drives and image files.  It’s simple and scriptable.
  • TCPflow (link)
    • Very handy for quick recovery of *data* (payload without ip/tcp headers, etc) traversing a network interface as well as different data flows.
  • Network Miner (link)
    • A great tool for extracting information and transferred files from sniffed network traffic.
  • Chaos Reader (link)
    • A freeware tool to trace TCP/UDP/… sessions and fetch application data from snoop or tcpdump logs.
Category: Systems Administration
  • Deep Freeze (link)
    • Deep Freeze provides the ultimate workstation protection by creating a “frozen” snapshot of a workstation’s configuration and settings. Each time you restart your machine, Deep Freeze restores your computer to this desired “frozen” state.
  • splitcap (link)
    • Tool for splitting PCAP files
  • rawcap (link)
    • RawCap makes it possible to sniff network traffic on Windows machines without WinPcap.
  • Log Parser (link)
    • Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
  • WOL-E (link)
    • WOL-E is a suite of tools for the Wake on LAN feature of network attached computers.
Category: End-point detection
  • GMER (link)
    • Application that detects and removes rootkits
  • Fail2Ban (link)
    • fail2ban checks log files for information on brute forcing attempts and exploit probing, and then temporarily “bans” the offending IP.
  • Sigtool (link)
    • Sigtool (part of clamav) lets you create your own signatures next to the “known” malware signatures. So when virustotal says “0/42”, you still can block the files.
Category: Penetration Testing
  • Ebrute (link)
    • Why is this your unsung hero: Windows domain username enumeration via Kerberos
  • Arachni (link)
    • Web application scanner
  • Keimpx (link)
    • Covering the gap of MSF psexec spraying the domain with dumped credentials (pass the hash)
  • NfSpy (link)
    • Takes all the hard work out of spoofing one’s uid in order to gain access to all the files on an NFS share. Additionally, supports all sorts of shortcuts to get around “security measures” like firewalling port 111.
  • ratproxy (link)
    • A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
  • ThickNET (link)
    • Thicknet is a TCP session manipulation and take-over framework. it is a great tool for internal penetration testing. It is modular which allows users to develop and customize the tool for their particular target protocols.
  • Tachyon (link)
    • Tachyon is a dead file scanner, written in python. The main goal of tachyon is to help webadmins find leftover files in their site installation, permission problems and web server configuration errors
  • SWFscan (link)
    • SwfScan decompiles Flash into source and checks it for security issues. Even if it doesn’t find security problems, discovery of additional server URLs, viewing application logic, and the opportunity to manually view the source for issues are invaluable. All done in a pretty nice GUI.
  • Mona (link)
    • Mona is a PyCommand for Immunity Debugger that replaces pvefindaddr.
  • UAtester (link)
    • A tool for testing web-site reactions to a range of User Agent strings. Useful for ensuring wide coverage of web applications.
  • Evilgrade (link)
    • Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
  • PMCMA [Post Memory Corruption Memory Analysis] (link)
    • Helps automating the process of finding a way to exploit a (known) memory arbitrary read/write vulnerabilities
  • MimiKatz (link)
    • Can recover clear text passwords of logged on users on a windows machine, by lsass injection.
  • OWTF (link)
    • The offensive Web Testing Framework – An awesome framework just recently developed to help better test passively and actively web applications.
  • Yeti (link)
    • A network foot printing tool from the Sensepost crew
  • Reaver-WPS (link)
    • A tool for exploiting WPA/WPA2 issues (in particular the WPS bug)
  • Dirfuzz (link)
    • Directory discovery and info gathering of web applications
  • MORF v0.3 — NINJA ENCODER (link)
    • Encoder with a wide range of supported encoding types (URL, HTTP, Base64, HEX, MD5, SHA1, UTF-7…)

Category: Miscellaneous

  • xdotool (link)
    • This tool lets you simulate keyboard input and mouse activity, move and resize windows, etc. It does this using X11’s XTEST extension and other Xlib functions.
  • Risu (link)
    • Risu is a Nessus parser, that converts the generated reports into a ActiveRecord database, this allows for easy report generation and vulnerability verification.
  • Thinkst – Infosec Conference Collector (link)
    • An online tool for searching prior and upcoming conference talks. Useful for  attribution, reference checking, and trend spotting. Doesn’t cover everything, but a good starting point.

I hope there’s at least 1 or 2 unsung heroes on the list for everybody… and if you have any additions, feel free to leave them in the comments, and I’ll update the post when I can! Thanks to all those who took part… this list if yours after all, not mine!

P.S: Thanks to the generous person who suggested UAtester… even if it was a joke 😉


5 responses to “Unsung Heros (the list)

  1. Gary Smith March 15, 2012 at 17:46

    Haven’t seen this linked many places, even in those places that have otherwise good information on Citrix and remote desktop environments. Allows file transfers using windows messages as the transfer mechanism.


  2. Pingback: Week 11 in Review – 2012 | Infosec Events

  3. Mrs. Y. (@MrsYisWhy) March 25, 2012 at 14:13

    Have you seen this list from Gordon Lyons?

  4. ChrisJohnRiley March 27, 2012 at 14:19

    Yep I referenced his Top list in my original post. I was trying to go a different route with this list however, and really find the tools people don’t know about, instead of the TOP X in any specific category.

  5. Oliver March 30, 2012 at 23:56

    Have a look at httpry. It’s based on libpcap and specifically decodes HTTP(S) traffic. Found it quite useful and way more manageable than tcpdump for simple tasks.

    And then of course there is hte for those moments when I don’t have a comp with IDA Pro or 010 Editor around.

%d bloggers like this: