Sniffer

Spiderfoot

SpiderFoot
SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target.

Purpose
There are three main areas where SpiderFoot can be useful:

If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pin-point areas of focus for the test.

Understand what your network/organization is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.

SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.

Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Kismet

WHAT IS KISMET?
Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominately with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.

FEATURES
802.11 sniffing
Standard PCAP logging (compatible with Wireshark, TCPDump, etc)
Client/Server modular architecture
Plug-in architecture to expand core features
Multiple capture source support
Live export of packets to other tools via tun/tap virtual interfaces
Distributed remote sniffing via light-weight remote capture
XML output for integration with other tools

WebSiteSniffer

WebSiteSniffer is a packet sniffer tool that captures all Web site files downloaded by your Web browser while browsing the Internet, and stores them on your hard drive under the base folder that you choose. WebSiteSniffer allows you to choose which type of Web site files will be captured: HTML Files, Text Files, XML Files, CSS Files, Video/Audio Files, Images, Scripts, and Flash (.swf) files.While capturing the Web site files, the main window of WebSiteSniffer displays general statistics about the downloaded files for every Web site / host name, including the total size of all files (compressed and uncompressed) and total number of files for every file type (HTML, Text, Images, and so on)

MFSniffer

Overview:
Script to capture unencrypted TSO login credentials

Penetration Testers Framework

Overview:
The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.

Cortana Scripts by Mudge

Overview:
Cortana is a scripting language for Armitage and Cobalt Strike. This is a collection of Cortana scripts that can be used with Cobalt Strike and Armitage.

Responder

Overview:
This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option to 1 via command line if you want this tool to answer to the Workstation Service request name suffix.

Tutorials:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Owning-Windows-Netwo...
https://www.trustedsec.com/july-2013/wpad-man-in-the-middle-clear-text-p...

Azazel

Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Features:
Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.

Crypthook encrypted accept() backdoor
Plaintext accept() backdoor

PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings

Installation:
Clone the sources
localhost:~ $ git clone https://github.com/chokepoint/azazel.git

Build the rootkit
localhost:~ $ make

Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as libselinux.so into /lib. An entry is then added to /etc/ld.so.preload in order to hook system wide dynamically compiled programs.

Example runtime hooking of bash.
localhost:~ $ LD_PRELOAD=/lib/libselinux.so bash -l

Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list.
This allows all of the required functions to be linked upon initiation of the library.
Syscall function names are XORed by config.py and written to const.h
Original libc functions can be accessed by using the preprocessor definitions also in const.h
Each definition has a prefix of SYS_name_of_function_in_caps.
For example to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func();
typedef struct struct_syscalls {

OpenFPC

OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.

Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.

For more information, visit the OpenFPC project home at http://www.openfpc.org
Features and futures

Automated install on Debain and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats

Distributed collection with central extraction Optional compression and extract checksums Ability to request data from external tools/user interfaces
TODO

Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.

Syndicate content