Network in Security // Network Insecurity

Sunday, May 31, 2009

John the Ripper 1.7.3.1 password cracker

John the Ripper is a free password cracking software tool. It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker.

It can be run against various password hash formats, such as:

DES
MD5
Blowfish
Kerberos/AFS
Windows LM/NTLM
MD4 (LDAP, MySQL etc)

One of the modes JtR can use is the dictionary attack. It takes text strings from a wordlist (typically words found in a dictionary), encrypts each one in the same format as the password being examined (including both the encryption algorithm and key), and compares the output to the encrypted string. It can also apply a variety of alterations to the dictionary words. In JtR's single-crack mode, candidates are derived from plaintext associated with the hash (such as the username stored alongside an encrypted password) and the variations are checked against the encrypted hashes.

JtR also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and comparing it to the input hash. JtR uses character frequency tables to try plaintexts containing more frequently used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes much longer to run.

Download John the Ripper here:
John the Ripper 1.7.3.1

Platforms supported: Linux, Mac, Windows

THC Hydra 5.4

THC-Hydra is a very fast network logon cracker which uses a dictionary attack to test for weak or simple passwords on remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords.

Hydra supports a wide variety of services:

Samba
FTP
POP3
IMAP
Telnet
HTTP Auth
LDAP
NNTP
MySQL
VNC
Socks5
Cisco
and more

Download THC Hydra here:
THC Hydra 5.4 (all UNIX based platforms)

THC Hydra 5.4 (Windows port)

You can read more about THC Hydra here.

p0f 2.0.8 Passive OS Fingerprinting

P0f v2 is a versatile passive OS fingerprinting tool. It can identify the operating system on:

machines that connect to your box (SYN)
machines you connect to (SYN/ACK)
machines you cannot connect to (RST)
machines whose communications you can observe (MiTM?)

P0f can also do many other tricks, and can detect or measure the following:

firewall presence, NAT use (useful for policy enforcement)
existence of a load balancer setup
the distance to the remote system and its uptime
target's network hookup (DSL, OC3, avian carriers) and its ISP

All this can be performed even when the device in question is behind an overzealous firewall or packet filter, where the usual active scanners such as nmap can't do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing.

Download p0f here:
p0f 2.0.8

A Windows port of p0f can be found here:
p0f 2.0.4 Windows Port

And you can find out more about p0f here.

Saturday, May 30, 2009

How to Hide Your Nmap Scans

Network scans generate a lot of noise, and generally you may not want to get detected/caught while performing a network scan. Intrusion detection systems (IDS) such as Snort generally log the network activity and can therefore detect most network scans. The following guide suggests some of the possible methods used to reduce the noise generated by a network scan.

Option 1 - Use a Decoy Scan

This is generally the most effective method to hide your Nmap scans. Nmap has the -D option, known as a decoy scan. With the -D option it appears to the IDS on the remote target machine that several hosts are scanning the target simultaneously. The target IDS might report 5-10 port scans from several unique IP addresses, but it cannot tell which IP was actually scanning and which ones were decoys.

It is good practice to use the actual IPs of existing machines for the decoys, not fictional made-up ones, as otherwise the scan might turn into a SYN flood, because the target machine will never get a RST back for its replies.

However, a shortfall of this method is that it generates a large number of packets because of the decoys. Remember that if we use 4 decoys, the traffic generated during the scan will be 4 times more than a usual SYN scan.

Use the following syntax to perform a decoy scan, where IPs 192.168.1.1-4 are the decoys and 127.0.0.1 is the target machine:

nmap -sS -D 192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4 127.0.0.1

Option 2 - Changing the Time interval

Another possible method is to randomise the scan, which involves changing the timing and scan interval. Nmap has a couple of timing options that control the interval between each packet sent. This way, the scan is lost among all the other legitimate traffic and is not as easily detected.

The timing options are given after the -T option:
1. Paranoid – one packet sent every 5 minutes
2. Sneaky – one packet sent every 15 seconds
3. Polite – one packet sent every 0.4 seconds
4. Normal – as quickly as possible
5. Aggressive – waits 1.25 seconds for a response
6. Insane – waits 0.3 seconds for a response
The syntax below shows an nmap scan that sends out a packet every 15 seconds, using the Sneaky option:
nmap -sS -T Sneaky 127.0.0.1

Option 3 - Randomise Hosts

The --randomize-hosts option rearranges the group of hosts in an nmap scan. Groups of 2,048 hosts at a time are randomly chosen, making the entire scan less conspicuous when traffic patterns are examined. This can make the scans less obvious to various network monitoring systems and IDS, especially when used in combination with slow timing options. But do note that this method only works if you are scanning several hosts at once.

The syntax below shows host randomisation combined with a slower timing interval between packets:
nmap -sS -T Sneaky --randomize-hosts 127.0.0.1-20

Option 4 - Using a Zombie

This method is also known as the "idle scan" method. A ping sweep first shows all hosts that are up in the given IP range so that a suitable zombie can be picked. Once a zombie is found, nmap uses port 1234 on the IP 192.168.1.1 as the zombie to scan the target machine 127.0.0.1:
nmap -P0 -sI 192.168.1.1:1234 127.0.0.1
Read more on idle scanning here

Note: IP spoofing is another approach widely used in the network security industry, but it will not work with Nmap (even though nmap has a spoof-IP option), because the SYN/ACK reply packets from the target machine are sent to the spoofed IP address rather than to your machine.
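From the defender's side, the timing and decoy options above leave patterns in connection logs. The following is an added example, not part of the original post: a small sliding-window port-scan detector run over constructed log lines in a made-up format (epoch seconds, source, destination, destination port, TCP flags). It shows that a Sneaky-paced scan slips under a short 10-second window but not a longer one, and that a decoy scan gets every source flagged, which is exactly why the IDS cannot single out the real scanner.

```python
from collections import defaultdict

# Constructed log lines (not real traffic): "epoch src dst dport flags".
# One SYN every 15 s from a single source, as with -T Sneaky.
SNEAKY = [f"{1000 + 15 * i} 10.0.0.5 10.0.0.9 {p} S"
          for i, p in enumerate([21, 22, 23, 25, 80, 110])]
# The same three ports hit within a second from the real scanner (10.0.0.5)
# and four decoy addresses, the pattern -D produces on the wire.
DECOYS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
DECOY = [f"{2000 + 0.1 * i:.1f} {src} 10.0.0.9 {p} S"
         for i, p in enumerate([21, 22, 80]) for src in DECOYS]


def parse(line):
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def scan_sources(lines, window, min_ports):
    """Return source IPs that sent bare SYNs to at least `min_ports`
    distinct ports on one host within any `window`-second span."""
    events = defaultdict(list)                  # (src, dst) -> [(ts, dport)]
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        if "S" in flags and "A" not in flags:   # ignore SYN/ACK replies
            events[(src, dst)].append((ts, dport))
    flagged = set()
    for (src, dst), hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:   # slide window start
                lo += 1
            if len({p for _, p in hits[lo:hi + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("sneaky, 10 s window :", scan_sources(SNEAKY, 10, 3))   # set()
    print("sneaky, 120 s window:", scan_sources(SNEAKY, 120, 3))  # {'10.0.0.5'}
    print("decoy, 10 s window  :", scan_sources(DECOY, 10, 3))    # all five sources
```

A detector keyed only on a short window misses the 15-second pacing entirely, so per-source counters need to persist for minutes, not seconds.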

Icesword 1.18 Anti Rootkit Tool

IceSword is a tool to detect and remove rootkits on a host computer. It does a pretty good job of breaking the protection a potent rootkit places over processes, files, and registry keys. For example, if a rootkit uses a filter driver to block writing and deleting files, IceSword can detect this and clean it up.

Some of Icesword's features:

Process Viewer
Open Ports List
Kernel Module
Startup List
Win32 Services
SPI
Browser Helper Object (BHO)
Download Icesword here:
Icesword 1.18 (English)
The website is in Chinese, but downloading should be straightforward enough.

Platforms supported: Windows only.

Honeyd 1.5c

Honeyd is an open source computer program that allows a user to set up and run multiple virtual hosts on a computer network. These virtual hosts can be configured to mimic several different types of servers, allowing the user to simulate an infinite number of computer network configurations.

The primary purpose of Honeyd is detection, specifically to detect unauthorized activity within your organization by monitoring all unused IPs in the network. Any attempted connection (port scans, vulnerability scans etc) to an unused IP address is assumed to be unauthorized or malicious activity.

In addition to detection, Honeyd can also create emulated services which interact with the attacker. It is used to create multiple virtual honeypots on a single machine. Therefore entire networks can be simulated using honeyd. Honeyd can be configured to run a range of services like FTP, HTTP, or SMTP. Furthermore, a personality can be configured to simulate behaviour of a certain operating system. Honeyd allows a single host to claim as many as 65536 IP addresses.
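As an added example (not from the original post or from the Honeyd project), here is a minimal honeyd.conf in Honeyd's own configuration syntax that puts the above into practice: a default template that silently drops whatever reaches an unused address, and a Windows-flavoured template with an nmap personality, a few emulated services, and bindings to two otherwise unused addresses. The personality string is assumed to match an entry in the nmap.prints file shipped with Honeyd, and the service script paths are placeholders.

```conf
# Catch-all template: traffic to any bound-by-default address is dropped
# (and logged), which is the detection role described above
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Template that presents itself to an active scanner as a Windows host
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 1728650

# Emulated services that interact with whoever connects
# (placeholder script paths; Honeyd ships sample scripts in its own tree)
add windows tcp port 21 "sh scripts/ftp.sh"
add windows tcp port 25 "sh scripts/smtp.sh"
add windows tcp port 80 "sh scripts/web.sh"

# Claim unused addresses in the monitored range with this template
bind 192.168.1.200 windows
bind 192.168.1.201 windows
```

Honeyd only answers for addresses whose packets actually reach it, so the unused IPs must be routed to the honeyd host or ARP-claimed on its behalf (historically with the companion arpd tool); every connection to one of those addresses is then the unauthorised activity the post describes.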

Download Honeyd here:
Honeyd 1.5c

A Windows port of Honeyd, developed by netVigilance Inc, can be found here:
winHoneyd

Thursday, May 28, 2009

Nessus 4.0.1 released

Tenable Network Security has released version 4.0.1 of Nessus, which is a comprehensive vulnerability scanning software. It is able to scan and detect multiple vulnerabilities in the network and subsequently outputs them in a report. This point release includes a variety of minor bug fixes as well as support for additional authentication schemes.

Here's a summary of some of the fixes and improvements:

Fixed memory & register leaks in NASL
nessus-fetch now supports Basic, Digest, and NTLM proxy authentication schemes
The timeout for NessusClient TCP socket was too low and has been increased
The 'nessus' cmd line tool would sometimes leave temporary files on the filesystem
Improved performance for reverse DNS lookups
Pinging a remote host would sometimes fail if the ARP address of the gateway was not in the local cache
Download Nessus here:

Nessus 4.0.1

Supported OS: Linux, Mac, Windows

Read more about Nessus here