Network Defense

IDS/IPS/etc

miranda

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

Interactive shell with tab completion and command history
Passive and active discovery of UPNP devices
Customizable MSEARCH queries (query for specific devices/services)
Full control over application settings such as IP addresses, ports and headers
Simple enumeration of UPNP devices, services, actions and variables
Correlation of input/output state variables with service actions
Ability to send actions to UPNP services/devices
Ability to save data to file for later analysis and collaboration
Command logging

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com

Command line usage: miranda.py [OPTIONS]

-s Load previous host data from struct file
-l Log user-supplied commands to log file
-i Specify the name of the interface to use (Linux
only, requires root)
-b Process commands from a file
-u Disable show-uniq-hosts-only option
-d Enable debug mode
-v Enable verbose mode
-h Show help

Alucard

Alucard is a UPnP port redirection application that allows a user to open ports on a UPnP enabled router.

To build first install MiniUpnpc from http://miniupnp.tuxfamily.org/
Then type "make"
Then run "./alucard 192.168.1.200 1044" to redirect all traffic from port 1044/TCP outside the NAT to port 1044/TCP on 192.168.1.200

Wi-fEye

Wi-fEye is an automated wireless penetration testing tool written in Python. It is designed to simplify common attacks that can be performed on Wi-Fi networks so that they can be executed quickly and easily.

Wi-fEye has three main menus:
Cracking menu: contains attacks that could allow us to crack Wi-Fi passwords, whether WEP, WPA or WPA2:
Enable monitor mode
View available wireless networks
Launch Airodump-ng on a specific AP
WEP cracking: here you can perform a number of attacks to crack WEP passwords:
Interactive packet replay.
Fake Authentication Attack.
Korek Chopchop Attack.
Fragmentation Attack.
Hirte Attack (cfrag attack).
Wesside-ng.

WPA Cracking: here you can perform a number of attacks to crack WPA passwords. This menu is divided into two sections:
Launch a brute force attack against a WPS-enabled network to crack WPA/WPA2 without a dictionary.
Obtain handshake: This will automatically attempt to obtain the handshake.
Cracking: After obtaining the handshake, or if you have the handshake ready, you can attempt to crack it in this section. You can choose to use your wordlist straight away with aircrack-ng, or you can add to a table and then crack the password.

MITM: this menu will allow you to do the following automatically:
Enable IP forwarding.
ARP Spoof.
Launch ettercap (Text mode).
Sniff SSL/HTTPS traffic.
Sniff URLs and send them to browser.
Sniff images.
DNS Spoof.
HTTP Session Hijacking (using Hamster).

Others: this menu will allow you to do the following automatically:
Change MAC Address.
Create a fake access point.
Hijack software updates (using Evilgrade).

Web-Spa

Web-Spa is a Java web knocking tool for sending a single HTTP/S request to your web server, in order to authorize the execution of a premeditated Operating System (O/S) command on it.

This is equivalent to port-knocking on the web layer, but with much more control: All O/S commands must be pre-defined and have a time-window of execution. Also, all users have to be registered and authorized to run any given action.

In running the standalone jar file (i.e.
webspa-{xx}.jar), you have to select one of the
following four (4) options:

-client : Run the client, generate requests
-help : Print this usage message
-server : Run the server
-version : 0.6

If no option is selected, the help message
detailing the above options will be displayed.

With each download of the standalone jar file
(i.e. webspa-{xx}.zip, see section above)
there is a rather basic shell script available,
named 'web-spa.sh'.

This script performs a `which java` and sets
the initial and maximum Java heap size.

This script needs to be chmod-ed to have execute
permissions. If you have followed the
instructions above and placed web-spa in /opt
issue the following:

bash-3.00# chmod 744 /opt/web-spa-0.6/web-spa.sh

You can test the web-spa script, by issuing:
bash-3.00# ./web-spa.sh -version
0.6
bash-3.00#

You will be required to have a Java 1.6 JRE or
JDK installed. For more information see the
INSTALL file.

AIEngine

AIEngine is a packet inspection engine capable of learning without any human intervention. It helps network/security professionals to identify traffic and develop signatures for use on NIDS, firewalls, traffic classifiers and so on.

Compile:
$ git clone git://bitbucket.com/camp0/aiengine
$ cd aiengine
$ ./autogen.sh
$ ./configure
$ make

Usage:
username@computer:~/code/c++/aiengine/src$ ./aiengine -h
iaengine 0.1
Mandatory arguments:
-I [ --interface ] arg Sets the network interface.
-P [ --pcapfile ] arg Sets the pcap file.

Link Layer optional arguments:
-q [ --tag ] arg Selects the tag type of the ethernet layer (vlan,mpls).

TCP optional arguments:
-t [ --tcp-flows ] arg (=32768) Sets the number of TCP flows on the pool.

UDP optional arguments:
-u [ --udp-flows ] arg (=16384) Sets the number of UDP flows on the pool.

Signature optional arguments:
-R [ --enable-signatures ] Enables the Signature engine.
-r [ --regex ] arg (=.*) Sets the regex for evaluate agains the flows.
-c [ --flow-class ] arg (=all) Uses tcp, udp or all for matches the signature on the flows.

Frequencies optional arguments:
-F [ --enable-frequencies ] Enables the Frequency engine.
-g [ --group-by ] arg (=dst-port) Groups frequencies by src-ip,dst-ip,src-port and dst-port.
-f [ --flow-type ] arg (=tcp) Uses tcp or udp flows.
-L [ --enable-learner ] Enables the Learner engine.
-k [ --key-learner ] arg (=80) Sets the key for the Learner engine.

Optional arguments:
-k [ --stack ] arg (=lan) Sets the network stack (lan,mobile).
-d [ --dumpflows ] Dump the flows to stdout.
-s [ --statistics ] arg (=0) Show statistics of the network stack.
-p [ --pstatistics ] Show statistics of the process.
-h [ --help ] Show help.
-v [ --version ] Show version string.

SkyJack

SkyJack (available from GitHub) is primarily a Perl application which runs off of a Linux machine, runs aircrack-ng in order to get its Wi-Fi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control zombie drones.

I (the author, Samy Kamkar) detect drones by seeking out any wireless connections from MAC addresses owned by the Parrot company, which you can find defined in the Registration Authority OUI.

aircrack-ng
I use aircrack-ng to put our wireless device into monitor mode to find our drones and drone owners. I then use aireplay-ng to deauthenticate the true owner of the drone I'm targeting. Once deauthenticated, I can connect as the drone is waiting for its owner to reconnect.

node-ar-drone
I use node-ar-drone to control the newly enslaved drone via JavaScript and node.js.

Hardware
Parrot AR.Drone 2
The Parrot AR.Drone 2 is the drone that flies around seeking other drones, controlled from an iPhone, iPad or Android, and is also the type of drone SkyJack seeks out in order to control. SkyJack is also capable of seeking out Parrot AR.Drone version 1.

The Parrots actually launch their own wireless network which is how the owner of the drone connects. We take over by deauthenticating the owner, then connecting now that the drone is waiting for its owner to connect back in, exploiting the fact that we destroyed their wireless connection temporarily.

Raspberry Pi
I use a Raspberry Pi to drive the project as it's inexpensive, reasonably light, has USB, and runs Linux.

Alfa AWUS036H wireless adapter
I use the Alfa AWUS036H wireless card which supports raw packet injection and monitor mode which allow me to deauthenticate users who are legitimately connected to their drones.

Edimax EW-7811Un wireless adapter

ripdc.sh

#!/bin/sh
################################################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# ripdc.sh - reverse ip domain checker                                         #
#                                                                              #
# FILE                                                                         #
# ripdc.sh                                                                     #
#                                                                              #
# DATE                                                                         #
# 2013-06-05                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A script which maps domains related to a given ip address or domainname.     #
#                                                                              #
# AUTHOR                                                                       #
# noptrix                                                                      #
#                                                                              #
################################################################################

ftp-fuzz.py

#!/usr/bin/env python
# -*- coding: latin-1 -*- # ###################################################
#                                                                             #
#         ~    .__ °.__   0       o                    ^   .__ °__  `´        #
#  °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  #
#  /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  #
# | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  #
# |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  #
# `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  #
#                                                                             #
# ftp-fuzzer.py - Master FTP fuzzer                                           #
#                                                                             #
# DATE                                                                        #
# 01/27/2012                                                                  #
#                                                                             #
# DESCRIPTION                                                                 #
# The master of all master fuzzing scripts specifically targeted towards      #
# FTP server software                                                         #
#                                                                             #
# AUTHOR                                                                      #
# TheXero - http://www.nullsecurity.net/                                      #
#                                                                             #
###############################################################################

Dnsdrdos

/*******************************************************************************
 *                                                                             *
 *         ~    .__ °.__   0       o                    ^   .__ °__  `´        *
 *  °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  *
 *  /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  *
 * | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  *
 * |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  *
 * `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  *
 *                                                                             *
 * dnsdrdos.c - DNS distributed reflection DoS                                 *
 *                                                                             *
 * DATE                                                                        *
 * xx/xx/2010                                                                  *
 *                                                                             *
 * DESCRIPTION                                                                 *
 * dnsdrdos - Proof of concept code for distributed DNS reflection DoS.        *
 * All you need is only a list of authoritative nameservers. This technique is *
 * well-known and can be used against much more protocols.                     *
 *                                                                             *
 * AUTHOR                                                                      *
 * noptrix - http://www.nullsecurity.net/                                      *
 *                                                                             *
 * NOTES                                                                       *
 * - quick'n'dirty code                                                        *

hwk

hwk is an easy-to-use wireless authentication and deauthentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types.

/*******************************************************************************
 *                ____                     _ __                                *
 *     ___  __ __/ / /__ ___ ______ ______(_) /___ __                          *
 *    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                          *
 *   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                           *
 *                                            /___/ team                       *
 *                                                                             *
 * README                                                                      *
 *                                                                             *
 * DATE                                                                        *
 * 8/03/2013                                                                   *
 *                                                                             *
 * AUTHOR                                                                      *
 * atzeton - http://www.nullsecurity.net/                                      *
 *                                                                             *
 * LICENSE                                                                     *
 * GNU GPLv2, see COPYING                                                      *
 *                                                                             *
 ******************************************************************************/

What is hwk?
===============
hwk is a collection of packet crafting/network flooding tools:
