Packet Manipulation

Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Kismet

WHAT IS KISMET?
Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominately with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.

FEATURES
802.11 sniffing
Standard PCAP logging (compatible with Wireshark, TCPDump, etc)
Client/Server modular architecture
Plug-in architecture to expand core features
Multiple capture source support
Live export of packets to other tools via tun/tap virtual interfaces
Distributed remote sniffing via light-weight remote capture
XML output for integration with other tools

NetCommander

NetCommander 1.3 - An easy to use arp spoofing tool.
Copyleft Simone Margaritelli
http://www.evilsocket.net
http://www.backbox.org

Usage: netcmd.py [options]

Options:
  -h, --help            show this help message and exit
  -I IFACE, --iface=IFACE
                        Network interface to use if different from the default
                        one.
  -N NETWORK, --network=NETWORK
                        Network to work on.
  -G GATEWAY, --gateway=GATEWAY
                        Gateway to use.
  -K, --kill            Kill targets connections instead of forwarding them.
  -D DELAY, --delay=DELAY
                        Delay in seconds between one arp packet and another,
                        default is 5.
  -A, --all             Keep spoofing and spoof all connected and later
                        connected interfaces.

Ipdecap

Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.

Goals are:
Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
Reduce pcap files size by removing encapsulation protocol

Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.

Installation:
Dependances
Openssl
Libpcap

Compilation
wget https://github.com/lpefferkorn/ipdecap/archive/v0.7.tar.gz
tar xvzf v0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install

Use
Command line:
A source pcap file
An output pcap file
A configuration file to decrypt ESP packets
Maybe a bpf filter to limit packets to process.

Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn

Supported encapsulation protocols
GRE
IPIP
6in4 (IPv6 encapsulated within IPv4)
ESP (ipsec, tunnel mode)

ESP algorithms
(crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
(auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512

Usage
ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f ]
Options:
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose

GoldenEye

GoldenEye is an python app for SECURITY TESTING PURPOSES ONLY!
GoldenEye is a HTTP DoS Test Tool.
Attack Vector exploited: HTTP Keep Alive + NoCache

GoldenEye is an HTTP/S Layer 7 denial of service testing tool. It uses KeepAlive (and Connection: keep-alive) paired with Cache-Control options to persist socket connection busting through caching (when possible) until it consumes all available sockets on the HTTP/S server.

Changes: Referer strings from search engines now only domain part hardcoded. Referer generation function now generates even more random referers. Evades Juniper Netscreen signature. Various other updates and improvements.

OLD:
Usage
USAGE: ./goldeneye.py [OPTIONS]
OPTIONS:
Flag Description Default
-t, --threads Number of concurrent threads (default: 500)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help

NEW:
USAGE: ./goldeneye.py [OPTIONS]

OPTIONS:
Flag Description Default
-u, --useragents File with user-agents to use (default: randomly generated)
-w, --workers Number of concurrent workers (default: 50)
-s, --sockets Number of concurrent sockets (default: 30)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help

Utilities
util/getuas.py - Fetchs user-agent lists from http://www.useragentstring.com/pages/useragentstring.php subpages (ex: ./getuas.py http://www.useragentstring.com/pages/Browserlist/) REQUIRES BEAUTIFULSOUP4

wifite

wifite is a tool to attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.

Features
sorts targets by signal strength (in dB); cracks closest access points first
automatically de-authenticates clients of hidden networks to reveal SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, etc)
"anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all captured WPA handshakes are backed up to wifite.py's current directory
smart WPA de-authentication; cycles between all clients and broadcast deauths
stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
displays session summary at exit; shows any cracked keys
all passwords saved to cracked.txt
built-in updater: ./wifite.py -upgrade

Requirements
linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
tested working with python 2.6.x, and python 2.7.x,
wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched,
aircrack-ng (v1.1) suite

Execution
download the latest version:
wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py

change permissions to executable:
chmod +x wifite.py

execute:
python wifite.py

or, to see a list of commands with info:
./wifite.py -help

Simple Packet Sender

A Linux packet crafting tool. Supports IPv4, IPv6 including extension headers, and tunneling IPv6 over IPv4. Written in C on Linux with GUI built using GTK+ and released under GPLv3. Does not require pcap.

Features:
1) Packet crafting and sending one, multiple, or flooding IPv4 and IPv6 packets of type TCP, ICMP, or UDP (or cycle through all three). All values within ethernet frame can be modified arbitrarily. Supports IPv4 header options, TCP header options, and TCP, ICMP and UDP data as well, input from either: keyboard as UTF-8/ASCII, keyboard as hexadecimal, or from file.
2) IPv6 support includes: hop-by-hop, "first" and "last" destination, routing, authentication, and encapsulating security payload (ESP) extension headers. For those without access to a native IPv6 network, IPv6 packets can be transmitted over IPv4 (6to4).
3) Packet fragmentation for IPv4, IPv6, and 6to4. Assumed maximum transmission unit (MTU) can be changed if unusual fragment sizes are needed.
4) IP addresses and port numbers can be randomized.
5) A configurable traceroute function, which supports TCP, ICMP, and UDP packets with all the features mentioned above.
6) View packets in hexadecimal/ASCII representation, in both unfragmented and fragmented forms.
7) All packet settings can be saved to and loaded from file.
Cool IP and ASN delegation functions, including: country name/code search and reverse-search, autonomous system (AS) number search by country and reverse-search, IPv4 and IPv6 address delegation search and reverse-search.
9) ARP (IPv4) and Neighbor Discovery (IPv6) for querying a LAN for MAC addresses of local nodes.
10) Retrieve MAC address and current MTU setting of any attached network interface.
11) Domain name resolution and reverse resolution.

OpenFPC

OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.

Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.

For more information, visit the OpenFPC project home at http://www.openfpc.org
Features and futures

Automated install on Debain and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats

Distributed collection with central extraction Optional compression and extract checksums Ability to request data from external tools/user interfaces
TODO

Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.

Alucard

Alucard is a UPnP port redirection application that allows a user to open ports on a UPnP enabled router.

To build first install MiniUpnpc from http://miniupnp.tuxfamily.org/
Then type "make"
Then run "./alucard 192.168.1.200 1044" to redirect all traffic from port 1044/TCP outside the NAT to port 1044/TCP on 192.168.1.200

Tunna

Tunna is a tool designed to bypass firewall restrictions on remote webservers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP).

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. The web application file must be uploaded on the remote server. It will be used to make a local connection with services running on the remote web server or any other server in the DMZ. The local application communicates with the webshell over the HTTP protocol. It also exposes a local port for the client application to connect to.
Since all external communication is done over HTTP it is possible to bypass the filtering rules and connect to any service behind the firewall using the webserver on the other end.

Tunna framework
Tunna framework comes witht he following functionality:
SECFORCE - penetration testing Ruby client - proxy bind: Ruby client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Python client - proxy bind: Python client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Metasploit integration module, which allows transparent execution of metasploit payloads on the server
SECFORCE - penetration testing ASP.NET remote script
SECFORCE - penetration testing Java remote script
SECFORCE - penetration testing PHP remote script

Author
Tunna has been developed by Nikos Vassakis.

Syndicate content