Tools Flashcards
1
Q
Allows you to look up all available information about an IP address, hostname, or domain, including country, state or province, city, name of network provider, administrator or tech support contact. Automatically delivers information associated with an IP address no matter where it is registered geographically.
A
Smart Whois
2
Q
Buffer Overflows. A compiler that emits programs hardened against “stack smashing” attacks. Uses canaries.
A
StackGuard
3
Q
Buffer Overflows. A family of tools designed to enhance system integrity by hardening system components and platforms against security attacks. Secures a Linux OS and applications. Works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e. the compromised process halts instead of giving control to the attacker, and then is restarted. The software components are effectively “laminated” with technologies to harden them against attack.
A
Immunix
4
Q
Dos/DDoS. A free, open source tool that can tell a zombie system flooding packets to stop flooding. Works against Trinoo (including the Windows Trinoo agent), TFN, Stacheldraht, and Shaft. It does assume various defaults used by these attack tools are still in place, but allows you to put the zombies to sleep.
A
Zombie Zapper
5
Q
Dos/DDoS. A remote scanner for the most common Distributed Denial of Service programs (Zombies). Will detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although setup of each program type is possible from the configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controlable rate to a user defined range of addresses.
A
DdoSPing
6
Q
Dos/DDoS. A third generation network security analysis tool that operates under Unix, Linux, MAC OS/X or Windows (through coLinux) OS’. Integrates the National Vulnerability Database (NVD). Can adapt to many firewalled environments. Supports remote self scan and API facilities. Based on the SATAN model
A
SARA (Security Auditor’s Research Assistant)
7
Q
Dos/DDoS. Became available in 1999. A network of this type looks conceptually similar to a trinoo; it is a packet flooding attack and the client controls the size of the flooding packets and duration of the attack. One interesting signature of this DDOS tool is that the sequence number for all TCP packets is 0x28374839.
A
Shaft
8
Q
Dos/DDoS. Designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously. Includes features designed specifically to make its traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport its traffic over multiple transport protocols including UDP, TCP, and ICMP, and features to confuse attempts to locate other nodes by sending “decoy” packets. Designed to work on various UNIX and UNIX-like systems and Windows NT. Obfuscates the true source of attacks by spoofing IP addresses. In networks that employ ingress filtering, it can forge packets that appear to come from neighboring machines. Can flood networks by sending large amounts of data to the victim machine. Includes attacks designed to crash or introduce instabilities in systems by sending malformed or invalid packets.
A
TFN2K
9
Q
Dos/DDoS. Made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an “on demand” root shell bound to a TCP port.
A
TFN
10
Q
Dos/DDoS. Not a virus, but an attack tool released in late December 1999 that performs a distributed Denial of Service attack.
A
Trinoo
11
Q
Dos/DDoS. Tool consists of a handler and an agent portion, much like previously known DDOS tools such as Trinoo. Handler can be controlled remotely by one or more intruders using a password-protected interactive login to a running handler. Simple commands issued to the handler cause instructions to be sent to agents deployed on compromised systems. The communications between intruder and handler, and the handler and agents, are configurable at compile time and have varied significantly from incident to incident. The default protocol and destination socket numbers in source code recently released to the public are 6723/tcp -> handler (intruder), 7983/udp -> agent (handler), and 9325/udp -> handler (agent).
A
Mstream
12
Q
Dos/DDoS. Uses intrusion fingerprints to track down compromised hosts. It is capable of remotely detecting Stacheldraht, TFN, and Trinoo if the attacker did not change the default ports.
A
RID Remote Intrusion Detector
13
Q
DOS/Ping of Death. A Denial of Service (DOS) attack that completely disables networking on many Win95 and WinNT machines.
A
Win Nuke
14
Q
DOS/Ping of Death. A program that can freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, and older versions of the MacOS that are not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets.
A
SSPing
15
Q
DOS/Ping of Death. Attack uses a forged ICMP (InternetControl Message Protocol) echo request.
A
Smurf
16
Q
DOS/Ping of Death. DoS on Windows systems. Sends TCP packets with bad header. As a result, CPU graph stays over 90% in the kernel.
A
Bubonic
17
Q
DOS/Ping of Death. Freeware. It integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke into one multi-platform DoS attack.
A
Targa
18
Q
DOS/Ping of Death. Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
A
Land
19
Q
DOS/Ping of Death. Variant of the Ping-of-Death attack. It sends an IP fragment that beyond the maximum length of a legal IP packet.
A
Jolt2
20
Q
Enumeration. A security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.
A
DumpSec
21
Q
Enumeration. The intention of this package is to perform various security checks on remote servers running NetBIOS file sharing services. It is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.
A
NAT (NetBIOS Auditing Tool)
22
Q
Enumeration/SNMP. A command line utility (included with Windows resource kits) that allows the querying of MIB information from a network device. While it supports GET/GETNEXT and WALK, most people use it to GET information and to WALK OID trees. Can access the SNMP OID and get the information you want from a command line.
A
SNMPUtil
23
Q
Enumeration/SNMP. SNMP enumeration and management tool
A
SolarWinds (IP Network Browser)
24
Q
Enumeration/Windows. A command line interface to a WIN32 function LookupAccountName.
A
User2SID
25
Enumeration/Windows. A command line interface to a WIN32 function LookupSidName.
SID2User
26
Enumeration/Windows. A small command line function that retrieves all available information about any know user from any NT/Win2k system that you can hit 139 on. Returns standard info like SID, Primary group, logon restrictions, etc., but it also dumps special group information, pw expiration info, pw age, smartcard requirements, and lots of other stuff. Works as a null user, even if the system has RA set to 1 to specifically deny anonymous enumeration.
UserInfo
27
Enumeration/Windows. Combines allmost all possible attacks against NETBIOS (users and computers - shares - password policy). It establishes a NETBIOS Null Session and keeps it open during the attack. Based on dictionaries or given values this tool will try to guess passwords.
Enum
28
Enumeration/Windows. Sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines. Shows the information that leaks by opening an anonymous login and showing the following information: An enumeration of user IDs, account names and full names, Password age, User groups the user is a member of, Account type, Whether the account is disabled or locked, Password policies, Last logon time, Number of logons, Bad password count, Quotas
GetAcct
29
Footprinting. A free network query tool. Whois, DNS Query and ZT, traceroute, email header analysis, ping, website download, abuse address query, finger. Runs on Windows.
Sam Spade
30
Footprinting. An e-mail analysis tool that allows you to track Internet e-mails back to the sender.tp://www.visualware.com/emailtrackerpro/index.html)
eMailTracking Pro
31
Footprinting. An internet utility that returns information about the domain name and IP address.
Whois
32
Footprinting. Inherent in Windows command line. Enables you to query DNS and performe zone transfers.
NSLookup
33
Footprinting. Regional Internet Registries (RIR's) that manage, distribute, and register public IP's for regions. Online query tool enables users to find the address range of the network.
ARIN, APNIC, RIPE, LACNIC, (AFRINIC)
34
Footprinting. Reliably find out when your email gets opened, how long it gets read for, whether or not it gets forwarded to someone else or published on the internet, where the reader is located, and more.
MailTracking.com
35
Footprinting/Route Determination. Enhanced GUI-based Traceroute tool that provides more feedback regarding failed connections than typical traceroute programs. Features include printer and HTML output, a detailed whois display, continuous ping, instant browser access to nodes.
NeoTrace
36
Footprinting/Route Determination. Gui-based Traceroute tool. Tabbed GUI, traceroute, ping, reverse DNS query, IP Location reporting, network provider reporting, domain whois lookups, browser integration, email address tracing, ICMP traceroutes.
Visual Route
37
Footprinting/Route Determination. Monitors connections to open ports and alerts you to suspicious activity. Allows specific ports, domain names or IP addresses to be singled out for scrutiny and tracking. Identifies which country the connection to your computer is coming from. A real-time "Netstat" that also provides history and a rich set of features to help locate unwelcome visitors.
Visual Lookout
38
Footprinting/Route Determination. Unix/Linux tool that enables user to trace hops or computers between source and target computer. Increments TTL value in packets.
Traceroute
39
Footprinting/Route Determination. Windows tool that enables user to trace hops or computers between source and target computer. Increments TTL value in packets.
Tracert
40
Hacking Web Servers. A Very stealthy CGI scanner that is scriptable.
Whisker
41
Hacking Web Servers. An interactive ASP page command prompt that will show you how vulnerable your IIS web server is to the IUSR_COMPUTER, IWAM_COMPUTER and SYSTEM user accounts. It runs in the context of the web server as a standard ASP page, and simulates a backdoor to any IIS web server.
cmdasp.asp
42
Hacking Web Servers. Backdoor allowing upload via http.
IISCrack.dll
43
Hacking Web Servers. Comprehensive and intuitive Web application scanner.
WebInspect
44
Hacking Web Servers. Designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's internet, intranet, and extranet environments
Shadow Security Scanner
45
Hacking Web Servers. Exploit c code for hacking Win2K IIS servers
Jill32
46
Hacking Web Servers. HTTP security scanning tool.
N-Stealth Scanner
47
Hacking Web Servers. IIS 5.0 remote win32 exploit for the null.printer buffer overflow.
IIS5-Koei
48
Hacking Web Servers. IIS privilege escalation tool-- makes use of the IIS 5.0 + SP0 (SP1, SP2)
ispc.exe
49
Hacking Web Servers. Printer overflow exploit, like IIS-Koei.
IIS5Hack
50
Hacking Web Servers. Resource Kit Utility for changing permissions
Cacls utility
51
Hacking Web Servers. Unicode vulnerability exploit script
UnicodeUploader.pl
52
Hacking Web Servers. Used to view the SAM file on a server which is vulnerable to a certain IIS hole.
IISExploit
53
Hacking Web Servers. Web site traffic analysis software
LogAnalyzer
54
Hacking Web Servers. Windows software patch management tool that helps you secure your systems by remotely managing service packs and hotfixes.
UpdateExpert
55
IDS, Firewalls, and Honeypots. A network intrusion detection evasion toolkit. It implements most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. Was written in the hopes that a more precise testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.
Fragrouter
56
IDS, Firewalls, and Honeypots. A network intrusion detection system test suite.
NIDSbench
57
IDS, Firewalls, and Honeypots. An IDS evasion tool.
SideStep
58
IDS, Firewalls, and Honeypots. An open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. The most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Snort
59
IDS, Firewalls, and Honeypots. API that can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect.
ADMutate
60
IDS, Firewalls, and Honeypots. Tool to replay saved tcpdump or snoop files at arbitrary speeds.
TCPReplay
61
Linux Hacking. A set of scripts that scan a Un*x system looking for security problems.
TARA
62
Linux Hacking. A third-generation security analysis tool that is based on the SATAN model.
SARA (Security Auditor's Research Assistant)
63
Man In The Middle. A collection of tools for network auditing and penetration testing. Some modules passively monitor a network for interesting data (passwords, email, files, etc.) and others facilitate the interception of network traffic normally unavailable to an attacker(due to layer-2 switching). Others implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Dsniff
64
Novell Hacking. Brute force cracker
NOVELBFH
65
Novell Hacking. Brute force cracker.
Kock
66
Novell Hacking. Checks for users that have no password. For both Netware 3.x and 4.x.
Chknull
67
Novell Hacking. Emulates a fake Novell file server.
Novelffs
68
Novell Hacking. Login spoofing utility for all versions of NetWare.
Spooflog
69
Novell Hacking. NLM which will create supervisor account from server.
Burglar
70
Novell Hacking. Novell hacking and cracking tool.
Bindery/BinCrack
71
Novell Hacking. Popular Packet Sniffers for Ethernet networks.
Gobbler
72
Novell Hacking. Resets any user password, including that of supervisor.
SETPWD.NLM
73
Novell Hacking. Simple bruteforce hacker for Novell.
nwpcrack
74
Novell Hacking. Tools for the opening of Novell's Netware Directory Services.
Pandora
75
Novell Hacking. TSR program for recording typed passwords.
Getit
76
Novell Hacking. UserDump simply lists all users in the Bindery.
userdump
77
Port Monitoring. A Windows program that displays all active TCP and UDP endpoints on your system, indicating which process is associated with each local and remote IP address and relaying continuous, detailed real-time data on system's TCP/IP activity.
TCPView
78
Port Monitoring. Destructive virus affecting MS-DOS computers. This virus infects the boot sector, then hides itself by marking unused blocks on floppy or hard disks as bad.
Hard Disk Killer
79
Port Monitoring. Lists the current processes in your Windows system and which ports they listen on. Written to work on Windows NT and Windows 9x.
Inzider
80
Port Monitoring. Reports all open TCP/IP and UDP ports and maps them to the owning application. Same information you would see using the "netstat -an" command, but it also maps those ports to running processes with the PID, process name and path. Can be used to quickly identify unknown open ports and their associated applications.
FPort
81
Scanning. A free open source utility for network exploration or security auditing. Designed to rapidly scan large networks, although it works fine against single hosts. Uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Runs on most types of computers and both console and graphical versions are available. Free and open source.
Nmap
82
Scanning. A Network management tool for mapping and monitoring your network. It has host/network discovery functionality as well as OS detection of hosts. Has the ability to probe hosts to see what services they are running. On some services, it is actually able to see what program is running for a service and the version number of that program.
Cheops
83
Scanning. A program that allows to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP-address. Can function as a usual SOCKS-server that transmits queries through a chain of proxies. Can be used with client programs that do not support the SOCKS protocol, but work with one TCP-connection, such as TELNET, HTTP, IRC... (FTP uses 2 connections). And your IP-address will not be seen in the server's logs or mail headers;
SocksChain
84
Scanning. A project that monitors end-to-end performance of Internet links using ICMP Echo (Ping).
Pinger
85
Scanning. A W2k and XP TCP port scanner that can do SYN, FIN, Null and Xmas scans.
IPEye
86
Scanning. A Windows tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.
IPSECSCAN
87
Scanning. Allows you to bypass an HTTP proxy to use e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable software, etc.
HTTPort
88
Scanning. Allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. Arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. Can also update an existing mirrored site, and resume interrupted downloads.
HTTrack Web Copier
89
Scanning. Command-line oriented TCP/IP packet assembler/analyzer. Used to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel. Also, Firewall testing, Advanced port scanning, using different protocols, TOS, fragmentation, Manual path MTU discovery, Advanced traceroute, Remote OS fingerprinting, Remote uptime guessing, TCP/IP stacks auditing.
Hping2
90
Scanning. Commercial wardialer. Supports and identifies MS-Chap v2. A robust, multi-line scanner. Can operate in 3 modes, connect identify and penetrate.
PhoneSweep
91
Scanning. Host enumeration tool; uses ICMP Echo packets to probe networks, AND ICMP Timestamp and ICMP Information packets as well. Supports spoofing and promiscuous listening for reply packets.
Icmpenum
92
Scanning. Network diagnosis tool using SNMP, ICMP and other methods. DNS checking via Nslookup, advanced whois and rwhois query tool, ping sweep, netbios share detection, SNMPv1v2 tools, port scanner, DHCP server discovery, IP packet viewer, email address validation, subnet calculator.
Netscan Tools Pro 2000
93
Scanning. Network diagnosis tool using SNMP, ICMP and other methods. Verify connectivity to a specific device, quantitatively test data connections, trace path to network host, obtain information on hostnames/IP's, view summary info about a network host or device, including official hostname, IP address, and contact info. View SNMP values as well as Windows domains, hosts, and ws's, and search LDAP.
WS_Ping_Pro
94
Scanning. Remote OS detector. Sends obscure TCP packets to determine remote OS. Fully configurable. Runs on Linux, Solaris and probably any OS with libpcap support.
Queso
95
Scanning. The act of using a modem to dial every telephone number in a local area to find out where computers are available, then attempting to access them by guessing passwords.
War Dialing
96
Scanning. Uses a modem to dial a range of telephone numbers to find carriers, PBX's, voice mail boxes, and so on. Although this program is a DOS program, it can be successfully run on a range of UNIX-based systems, using a DOS emulator such as Dosemu.
THC-Scan
97
Scanning. Website that reports a site's OS, web server, and netblock owner and, if available, a graphical view of the time since last reboot for each of the computers serving the site.
netcraft.com
98
Session Hijacking. A network sniffer that can also be used to hijack TCP sessions.
Juggernaut
99
Session Hijacking. A network tool that can control any login session on a network by performing session hijacking
IP Watcher
100
Session Hijacking. A utility program that monitors and controls users on a single system. The program can share an existing, in-use tty so that when the user types something into the monitored window, the information will also appear on the
TTYWatcher
101
Session Hijacking. Advanced intrusion investigation and response tool to monitor network connections in real-time. Real time monitoring, reporting and graphing, active countermeasures, alarms, and filters.
T-Sight
102
Session Hijacking. Sniffer/Session Hijacker that includes a handy ARP cache poisoning feature specifically designed to disable the isolation normally provided by Ethernet switches
Hunt
103
Sniffers. A protocol analyzer. Has all of the standard features of a protocol analyzer. Functionality is very similar to tcpdump, but it has a GUI front-end, and many more information sorting and filtering options. Allows user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network card into promiscuous mode. Runs on most Unix and Unix-compatible systems, including Linux, Solaris, FreeBSD, NetBSD, OpenBSD, Mac OS X and Windows.
Ethereal
104
Sniffers. A simple DNS ID Spoofer for Windows 9x/2K
WinDNSSpoof
105
Sniffers. A suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
Ettercap
106
Sniffers. A TCP connection killer for Windows 9x/2K.; requires the ability to use a sniffer to sniff incoming/outgoing traffic of the target. If you are in a switched network you can to bypass the switching capabilities by using an ARP Cache Poisoning tool like winarp_sk or winarp_mim
WinTCPKill
107
Sniffers. Allows you to 'sniff' and record network traffic, then completely reconstruct the data into its original format.
IRIS
108
Sniffers. An open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods.
Snort
109
Sniffers. An OpenSource implementation of a set of tests for remote sniffers detection in TCP/IP network environments. Implements various tests for the detection of machines running in promiscuous mode or with a sniffer. Also provides ICMP test, ARP test, DNS test, LATENCY test.
SniffDet
110
Sniffers. Captures whole packets (not just headers), and archives that traffic for future analysis. Reconstructs sessions, and uses heuristic traffic analysis to detect spoofing and non-standard port usage, unwraps compressed files, reconstructs files sent over the network, and searches for key words and phrases. Maintains a database of session data, powerful search tools for investigation and analysis, graphs and reports, and access to all the reconstructed files. Raw packet-by-packet data available as well.
NetIntercept
111
Sniffers. Easy to use password sniffer for Windos 95/98/NT/2000. Allows network administrators to capture passwords of any network user. Monitors incoming and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, SMTP, Telnet, IMAP, and NNTP usernames and passwords. Has advanced, integrated technology that allows it to reconstruct network traffic in a format that is simple to use and understand. Will reconstruct each of those packets individually. Thus, capturing a clear and concise image of the integrity of an organizations entire network.
WinSniffer
112
Sniffers. Floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.
EtherFlood
113
Sniffers. Freeware program for reporting the URLs loaded by both Internet Explorer and Netscape Navigator in real time.
Webspy
114
Sniffers. Performs traffic monitoring and packet capture. Can decode over 1,000 protocols, but support is limited to Ethernet networks. Packet information can be viewed without stopping the capture, and statistics are updated in real time. Traffic capture can be customized with triggers, alarms, and filters. Triggers can be set off by a time event or by network traffic. Alarms warn you of abnormalities in LAN activity, such as bottlenecks, when traffic deviates from a specified limit.
EtherPeek
115
Sniffers. The Windows version of tcpdump, the command line network analyzer for UNIX. Fully compatible with tcpdump and can be used to watch, diagnose and save to disk network traffic according to various complex rules. It can run under Windows 95, 98, ME, NT, 2000, XP, 2003 and Vista.
WinDump
116
Sniffers. Utility for viewing/manipulating the MAC addresses of network interfaces
MAC Changer
117
Sniffers. Windows MAC Address Modifying Utility
SMAC
118
SQL Injection. A dictionary attack tool for SQL Server
SQLDict
119
SQL Injection. A password guesser, designed to try to break through a password system by guessing millions of passwords until it gets the correct one. Can set up the password guesser directly on the machine to try to log in to the network, and let it run until it does. That way, admin traces attempts back to legitimate machine.
SQLbf
120
SQL Injection. A UNIX Based Remote Command Execution for MSSQL.
SQLSmack
121
SQL Injection. MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53. Windows binary, C++ source code.
SQL2.exe
122
SQL Injection. SQL Server password brute force tool.
SQLExec
123
Steganography. Conceals messages in ASCII text by appending whitespace to the end of lines.
Snow
124
Steganography. Detects data at the end of image files hidden with tools like appendX or camouflage.
StegDetect
125
Steganography. Hide loads of text in images; Simple encrypt and decrypt of data
ImageHide
126
Steganography. Hides information in MP3 files during the compression process.
MP3Stego
127
Steganography. Lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.
EFSView
128
Steganography. Sector editor for Windows 2000. Allows a user with local Administrator rights to directly edit, save, and copy data on the physical hard drive that is not accessible in any other way.
Dskprobe
129
System Hacking. A password auditing and recovery application. used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability.
L0phtCrack
130
System Hacking. Allows you to scan an NT machine for information concerning its configuration, including ftp services, telnet services, web services, system account information, file systems and permissions.
NTInfoScan
131
System Hacking. Consists of two programs. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force attack or a dictionary attack.
KerbCrack
132
System Hacking. NetBIOS scanner which can enumerate NetBIOS file shares across large ranges of IP addresses. Also provides a brute force password cracking component which can be directed against a single NetBIOS file share.
Legion
133
System Hacking. Provides insight into the NT event logs to assess the activity of a distributed network more accurately and efficiently
VisualLast
134
System Hacking/Buffer Overflows. Exploit for Outlook / Outlook Express GMT Field Buffer Overflow Vulnerability
Outoutlook
135
System Hacking/Checksum. Checksum utility that automatically verifies data and file integrity against a known good source file stored in a database and quickly notifies you of changes.
Tripwire
136
System Hacking/Covering Tracks. A command-line tool that enables the user to modify the audit policy of the local computer or of any remote computer. To run it, the user must have administrator privileges on the target computer.
Auditpol
137
System Hacking/Covering Tracks. Allows data to be stored in hidden files that are linked to a normal visible file. Streams are not limited in size and there can be more than one stream linked to a normal file. Streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of. Streams can easily be created/written to/read from, allowing any trojan or virus author to take advantage of a hidden file area. Streams are easily be used, and only found with specialized software.
NTFS File Streaming
138
System Hacking/Covering Tracks. Deletes all the logs in the nt/2k machine so any audits taken are removed from the machine.
Elslave
139
System Hacking/Covering Tracks. Lets you erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000.
Winzapper
140
System Hacking/Covering Tracks. Moves data from a commandline-specified file into a hidden Alternate Data Stream attached to the original.
makestrm
141
System Hacking/Covering Tracks. Purges local sensitive info from system; covers tracks typically accessible through EnCase-type Forensics analysis.
Evidence Eliminator
142
System Hacking/Keystroke Loggers. A desktop activity logger that is powered by a kernel mode driver. This driver enables it to run silently at the lowest level of windows 2000/XP operating systems. Extremely difficult to detect, primarily because of it's steath surveillance methods.
IKS Software Logger
143
System Hacking/Keystroke Loggers. Keylogger software that allows you to remotely control/monitor your PC via a web browser. Allows you to view system activity and user actions in real time, shutdown/restart, lockdown/freeze, and browse the file system of a remote PC.
SpyAnywhere
144
System Hacking/Keystroke Loggers. Keylogger software. Captures emails and immediately forwards them to you. Also captures both sides of chat conversations, IM's, keystrokes typed, applications launched, and websites visited - then sends you a detailed activity report every hour.
EBlaster
145
System Hacking/Keystroke Loggers. Keylogger software. Records emails, chats, IM, web sites visited, keystrokes, programs launched, PTP file sharing, screen snapshots, and passwords.
Spector
146
System Hacking/Keystroke Loggers. Small tool which detects and removes the installed surveillance tool Spector.
AntiSpector
147
System Hacking/Privilege Escalation. A fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
John the Ripper
148
System Hacking/Privilege Escalation. Allows any normal user to join the administrator group.
GetAdmin
149
System Hacking/Privilege Escalation. Attempts to determine a user password by actually trying to log on to a computer remotely using SAMBA (the SMB protocol).
SMBGrinder
150
System Hacking/Privilege Escalation. Decodes and displays all NetBIOS name packets it receives on UDP port 137.
Nbname
151
System Hacking/Privilege Escalation. Rregisters a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests. Works nicely with SMBRelay. Helps to resolve IP address from NetBIOS computer name. Similar to Proxy ARP.
NBTDeputy
152
System Hacking/Privilege Escalation. Takes advantage of the Server Message Block (SMB) file sharing protocol. It collects NTLM password hashes and writes them to hashes.txt in a format usable by L0phtcrack so the passwords can be cracked later. It is an SMB man-in-the-middle attack.
SMBRelay/SMBRelay2
153
System Hacking/Privilege Escalation. Tool that crashes Windows machines with Netbios enabled by sending a specially crafted SMB request. Tested against Windows NT/2k/XP/.NET RC1.
SMBDie
154
Trojans and Backdoors. 3 kilobyte trojan written in Assembly. It uses telnet as its client. Uses cmd.exe to run commands received on port 7777.
Tini
155
Trojans and Backdoors. A powerful remote control system for workstations running Windows 95, 98 or NT 4.0. Implemented to replace well-known trojans, and to be invisible for existing antiviruses. File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time of file. Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend, resume. Registry - full access: browse, create, remove keys and values; set values. System: get/set system time (you can perform Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query system info, query/set system parameters. Windows: get list of windows; query and set system colors; get screenshot or the shot for particular window; send messages to window.
Donald Dick
156
Trojans and Backdoors. Allows a remote user to access and control your machine by way of its Internet link.
NetBus
157
Trojans and Backdoors. An .exe wrapper to facilitate remote installation of Back Orifice server and execution of specified applications. Binds a BO installer with any program to create a single file.
Silk Rope 2000
158
Trojans and Backdoors. Backdoor working through any firewall which has got the security policy to allow users to surf the WWW.
Reverse WWW Shell:
159
Trojans and Backdoors. BackOrifice trojan detecter that is a trojan itself. Distributed as a cure for Back Orifice infections.
BoSniffer
160
Trojans and Backdoors. Goes beyond NetBus, including: File controls, Monitoring, Network control.
SubSeven
161
Trojans and Backdoors. Increases the Trojan qualities of Netbus and others, by giving the user an incentive to run the program.
Whack a Mole
162
Trojans and Backdoors. IRC backdoor
IconPlus
163
Trojans and Backdoors. Malicious code spreads within a network of shared computer systems, infecting the Notepad.exe file.
QAZ
164
Trojans and Backdoors. Malware that disables AV and software firewalls.
FireKiller 2000
165
Trojans and Backdoors. Trojan, whose communication port is 31337.
BackOrifice 2000
166
Trojans and Backdoors. Used to pack various Trojan files together into a single executable.
EliteWrap
167
Trojans and Backdoors. Utility that is able to write and read data across TCP and UDP network connections.
Netcat
168
Web App Vulnerabilties. A common name used for rogue Java applets available in the WWW.
Black Widow
169
Web App Vulnerabilties. A free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.
Wget
170
Web App Vulnerabilties. A text browser for the World Wide Web. Rruns on Un*x, VMS, Windows 95/98/NT, DOS386+ but not 3.1, 3.11, or OS/2 EMX.
Lynx
171
Web App Vulnerabilties. Remotely controls Internet Explorer using DCOM. Captures data sent and received using Internet Explorer. Even on SSL encrypted websites (e.g. Hotmail), it can capture user ID and password in plain text.
IEEN
172
Web App Vulnerabilties. Taking over a session via stealing a session cookie.
Cookie Stealing
173
Web App Vulnerabilties. Web application security auditing tool. It is not just one application, it is a complete toolbox of applications that come together to let you do some unique things. Focuses only on trying to give auditors the tools they need to manually disassemble the web application by hand and to efficiently test it in any manner they can conceive.
WebSleuth
174
Web Based Password Cracking. A custom explorer bar. This extension was created for the monitoring of cookie activity and for the possibility to add and edit cookies.
CookieSpy
175
Web Based Password Cracking. A tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.
CURL
176
Web Based Password Cracking. A utility utilizing the HTTP protocol to brute force into any login mechanism/system that requires a username and password, on a web page (or HTML form).
Munga Bunga
177
Web Based Password Cracking. An HTTPS Man in the Middle attacking tool. It includes FakeCert, a tool to make fake certificates (like the DCA of sslmim found in Phrack 57). It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.
WinSSLMiM
178
Web Based Password Cracking. Brute force authentication attack against Webserver with authentication requests.
ObiWan
179
Web Based Password Cracking. Displays cookie information.
ReadCookies
180
Web Based Password Cracking. Flexible remote password cracker.
Brutus
181
Web Based Password Cracking. Pulls passwords from cookies.
SnadBoy
182
Web Based Password Cracking. Taking over a session via stealing a session cookie.
Stealing Cookies
183
Web Based Password Cracking. This program exploits a rather large hole in web site authentication methods. Password protected websites can be easily brute-force hacked, because there is no set limit on the number of time an incorrect password or User ID can be tried.
WebCracker
184
Wireless Hacking. A Linux utility (using GTK+) for decrypting WEP encryption. A Windows port also exists.
AirSnort
185
Wireless Hacking. A PASSIVE network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a and 802.11g traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. The client can also run on Windows, although a drone is the only compatible packet source.
Kismet
186
Wireless Hacking. A tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. A trimmed-down version is available for Windows CE. Used for wardriving, verifying network configurations, finding locations with poor coverage in one's WLAN, detecting causes of wireless inteference, detecting unauthorized ("rogue") access points, and aiming directional antennas for long-haul WLAN links.
NetStumbler
187
Wireless Hacking. IDS system for 802.11 that guards an AP(s) and Monitors local frequencies for potentially malevolent activity. It detects scans, association floods, and bogus/Rogue AP's. It can easily be integrated with SNORT or RealSecure.
WIDZ- Wireless IDS
188
Wireless Hacking. Performs packet analysis of IEEE 802.11 wireless LANs in support of security audits, site surveys, network management, and troubleshooting. Rich security auditing features, broad protocol support, and flexible packet filtering.
AiroPeek
