Thursday, August 7, 2014

Network Packet Capture / Protocol Analyzer Tools

Wireshark:
is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible.Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported, depends on many things like the operating system you are using

Download Link : https://www.wireshark.org/download.html

Capsa:
is the name for a family of packet analyzer developed by Colasoft for network administrators to monitor, troubleshoot and analyze wired & wireless networks. Currently, there are three editions available: Capsa Enterprise Edition, Capsa Professional Edition, and Capsa Free .

Freeware Network Analyzer (Packet Sniffer) for students, teachers, computer geeks and other non-commercial purposes.

Download Link : http://www.colasoft.com/download/products/capsa_free.php

NetworkMiner:
is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.

Download Link : http://sourceforge.net/projects/networkminer/files/latest/download

SharpPcap:
is a cross-platform packet capture framework for the .NET environment, based on the famous pcap / WinPcap libraries. It provides an API for capturing, injecting, analyzing and building packets using any .NET language such as C# and VB.NET.

Download Link : http://sourceforge.net/projects/sharppcap/files/latest/download

PacketSquare (CapEdit):
is a free and open-source pcap-based network protocol testing tool.^[1] It is used for testing network devices (IDS/IPS, firewall, routers switches etc.,), network troubleshooting, analysis, software and communications protocol development, and education.

A GUI PCAP Based Network Protocol Testing Tool.

Download link : https://code.google.com/p/packetsquare-capedit/downloads/list

Wednesday, April 23, 2014

Mobile Device / Smartphone Forensic Analysis Investigation Tools

Mobile device forensics :
is directly connected to digital forensics and can be defined as being the recovery of digital information or data which is often used for criminal evidence. Mobile Device Forensics by definition applies only to mobile devices, e.g. tablets, cell phones etc, but it the term also includes any portable digital device that has both internal memory and communication abilities such as PDA devices and also GPS devices.

iPhone Analyzer:

allows you to forensically examine or recover date from in iOS device. It principally works by importing backups produced by iTunes or third party software, and providing you with a rich interface to explore, analyses and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the original data.

Features

Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
Multi-platform (Java based) product, supported on Linux, Windows and Mac
Fast, powerful search across device including regular expressions
Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and wifi locations observed by the device (the infamous "locationd" data)
Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others
Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device can often be recovered),/li>
Integrated visualisation of plist and sqlite files
Includes support for off-line mapping, supporting mapping on computers not connected to the Internet
Support for KML export and direct export to Google Earth
Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".
Analyse jail broken device directly over SSH without need for backup (experimental)

Download Link : http://sourceforge.net/projects/iphoneanalyzer/

BitPim:
is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.

Download Link : http://sourceforge.net/projects/bitpim/files/

Mobile Internal Acquisition Tool (MIAT)

this tool which discusses a crucial aspect of Mobile Device Forensics, i.e. the recovery of deleted SMS Text Messages. We are not 100% sure if this tool is publically available and if anyone reading this can help us locate where to find it we’d been very grateful!.

In examining the MIAT dump of the phone's filesystem, I found the following interesting items of evidence (note that these are not intended to be comprehensive):

\Windows\Profiles\guest\ - Contained the Pocket IE cache, including Cookies, index.dat (which was not extracted due to the previously specified issue), and Temporary Internet Files
\Windows\Messaging - Contained various .mbp files which proved to hold the text of downloaded email messages. There is also an Attachments folder under this path that may hold downloaded attachments.
\Windows\ActiveSync - Contained various configuration and log files from Activesync
\Windows\Favorites - Contained Favorite links used by Pocket IE
\Application Data\GoogleMaps - Contained configuration and cache files used by the installed Google Maps application. These files are all binary, but one of them, prefsext.dat, contains a variety of strings which match searches that have been performed and results (street addresses) which have been returned. Somebody could probably reverse engineer the format and write a parser for this that would be really useful.
\*.vol these files contain Embedded databases, which include all of the phone-related information such as call logs, phone book, appointment list, etc. I haven't yet found a free application to parse them, but there's got to be something out there.
I also found a number of other empty Attachments folders, as well as additional empty Profiles and Temporary Internet Folders folders. This probably means that these various locations are implementation dependant.

Download Link : http://www.dfrws.org/2008/proceedings/p121-distefano_pres.pdf

TULP2G:
is a .NET based forensic software framework for extracting and decoding data stored in electronic devices.

“TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices.”

Download Link : http://sourceforge.net/projects/tulp2g/

Santoku Community Edition:
runs in the lightweight Lubuntu Linux distro. It can be run in VirtualBox (recommended) or VMWare Player, both available free and run on Linux, Mac or Windows. The Lubuntu download is large because it is a full .iso. We recommend you download on a fast connection.

Tools to acquire and analyze data

Firmware flashing tools for multiple manufacturers
Imaging tools for NAND, media cards, and RAM
Free versions of some commercial forensics tools
Useful scripts and utilities specifically designed for mobile forensics

Download Link : https://santoku-linux.com/download

UFED Physical Analyzer is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more. - See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf

UFED Physical Analyzer :
is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.

Mobile Internal Acquisition Tool

Advanced capabilities for:

iOS ::

    Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6.
    Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords.
    Advanced decoding of applications.

BlackBerry ::

    Advanced decoding of BlackBerry Messenger (BBM), emails, locations, applications and more.
    Real-time decryption of protected content from selected BlackBerry devices running OS 4+ using a given password.

Android ::

    Advanced decoding of all physical extractions performed on devices running any Android versions.
    Advanced decoding of applications and application files.

GPS ::

    Portable GPS devices extraction and decoding.
    Exclusive – Physical extraction of Tom Tom trip-log files.

Download Link : http://go.cellebrite.com/30DayPhysicalAnalyzerTrial

Oxygen Forensic® Suite:

                           Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.

Download Link : http://www.oxygen-forensic.com/en/download/freeware

Advanced capabilities for:

iOS ::

Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6.
Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords.
Advanced decoding of applications.

BlackBerry ::

Advanced decoding of BlackBerry Messenger (BBM), emails, locations, applications and more.
Real-time decryption of protected content from selected BlackBerry devices running OS 4+ using a given password.

Android ::

Advanced decoding of all physical extractions performed on devices running any Android versions.
Advanced decoding of applications and application files.

GPS ::

Portable GPS devices extraction and decoding.
Exclusive – Physical extraction of Tom Tom trip-log files.

- See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf

Tuesday, March 18, 2014

SSLAuditor- Version 4 : GUI Utility to audit SSL services

SSLAuditor- Version 4 : GUI Utility to audit SSL services

Advantages:

Check all issues on SSL including ciphers, certificates and configuration issues.
Cipher issues: sslv2 support, weak ciphers
Certificate issues: selfsigned, wildcard, expiration, weak certificate key,
Configuration issues: CRIME, , preferred cipher - BEAST, renegotiation, resumption
Flexible input - file, individual or range with multiple ports
Internal timer to adjust according to the response of the server.
Detailed and professional reporting with mitigation procedures for identified issues.

No installer; unzip and click opabinia.exe to start the program.

Only requirement is vc++ 12 runtime.
http://www.amanhardikar.com/temp/vcredist_x64.exe
If the executable is not opening, then please install vc++ libraries
and try again.

Beta version for testing:
http://www.amanhardikar.com/temp/SSLAuditor4.zip

Please let me know your feedback/bugs/features missing on the same.

Friday, March 14, 2014

Tortilla - Anonymous Security Research through Tor

Tortilla:
is an open source tool that allows users to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines.

Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above

Download Link : Click Here

SHA256 150eb477cd8a48daa792fbb610345e9c0aa981597106a02db03b06e71f56b586

Thursday, March 13, 2014

Free Toolkit For Incident Response - Crowd Response

CrowdResponse:
is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirtlist, @pslist, and @yara.

@dirlist

This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:

Verify and display digital signature information
Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
Use a file wildcard mask to limit processing to specific file name components
SHA256 and MD5 file hashing
Perform "quick" hash of only the first 512 bytes of the file
Option to not hash files greater than a given size
Display application resource information
Select recursive listings and control recursion depth
Display creation, modification and access times for files
Optionally process only Windows executable (PE) files

@pslist

This is the active running process listing module.
The CrowdResponse PSList module enables the following features:

Verify the digital signature of the process executable
Obtain process command line
Obtain detailed PE file information for each process executable
Perform SHA256 and MD5 hashes of process executables
Enumerate loaded modules for each process
Control PE output detail level of function names for imports and exports
Control PE output detail level of resource information
Control format (nested or flat) for PE file resource information
Check for process thread injection

@yara

The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:

Scan memory of all currently active running processes
Scan on-disk files of all currently active running processes
Download YARA rule files from a provided URL
Control target path recursion depth
Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
Use a file target wildcard mask to limit processing to specific file name components
Option to only show positive hits
Option to specify YARA rule file name mask
Utilize a YARA file inclusion regular expression filter that acts on the full path name
Scan all loaded module files of active processes
Operate on a single process ID
Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++ language utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above.

Download Link : Click Here

MD5 87b58fb3da849cedff3a107bfe600e9b
SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103

Sunday, January 5, 2014

SpiderFoot 2.1.0 - Open Source Footprinting Tool

SpiderFoot:

simple web-based interface enables you to kick off a scan immediately after install - just give your scan a name, the domain name of your target and select which modules to enable.

You will quickly obtain information such as: URLs handling passwords, network ranges (netblocks), web servers, open ports, information about SSL certificates, and much more.

                       "Footprinting" is the process of understanding as much as possible about a given target in order to perform a more complete security penetration test. Particularly for large networks, this can be a daunting task.

                         The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

                        SpiderFoot is designed from the ground-up to be modular. This means you can easily add your own modules that consume data from other modules to perform whatever task you desire.

                         As a simple example, you could create a module that automatically attempts to brute-force usernames and passwords any time a password-handling webpage is identified by the spidering module.

SpiderFoot 2.1.0 is now available, a major update over 2.0.5 which was released back in September.

Major improvements are as follows:

- Identifies sites co-hosted on IPs of your target.
- Checks whether your target, affiliates or co-hosts have a bad reputation (PhishTank, Google
SafeBrowsing, McAfee SiteAdvisor, abuse.ch and many more.)
- Identifies the ISPs and BGP AS of your target.
- Smarter at identifying owned netblocks.
- UI enhancements, including some data visualizations.
- More comprehensive searches across other Internet TLDs.
- Identifies the use of non-standard HTTP headers.
- Bing searches.
- Many tweaks, improvements and bug fixes.

Website & Download: http://www.spiderfoot.net
GitHub: https://github.com/smicallef/spiderfoot/tree/2.1
Source Forge : http://sourceforge.net/projects/spiderfoot/

Thursday, January 2, 2014

Arachni v0.4.6-0.4.3 (Open Source Web Application Security Scanner Framework)

Arachni v0.4.6-0.4.3 has been released :

(Open Source Web Application Security Scanner Framework)

There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.

Brief list of changes:

Framework
----------
* Massively decreased RAM consumption.
* Amount of performed requests cut down by 1/3 -- and thus 1/3 decrease in scan times.
* Overhauled timing attack and boolean/differential analysis algorithms to fix
SQLi false-positives with misbehaving webapps/servers.
* Vulnerability coverage optimizations with 100% scores on WAVSEP's tests for:
* SQL injection
* Local File Inclusion
* Remote File Inclusion
* Non-DOM XSS -- DOM XSS not supported until Arachni v0.5.

WebUI
-----
* Implemented Scan Scheduler with support for recurring scans.
* Redesigned Issue table during the Scan progress screen, to group
and filter issues by type and severity.

Issues table

The issues table has been massively redesigned to provide more context at a glance and help you prioritize and focus on the issues that interest you most.

While the scan is running and new issues appear, High and Medium severity type groups will, by default, be displayed as expanded, to show each logged issue, while Low and Informational severity ones will be displayed as collapsed. This way your attention will be drawn to where it’s most needed.
Of course, you can change the visibility settings to suit your preferences, using the controls on the left of the table, as well as reset them to their default configuration.

Scan scheduling

The major change for the web interface is the addition of the much awaited Scheduler, which combined with the existing incremental/revisioned scans provides quite a powerful feature. In essence, it allows you to schedule a scan to run at a later time and optionally configure it to be a recurring one.

What’s interesting here is the recurring bit, each scan occurrence is not a separate entity but a revision of the previous scan, this way you’ll be able to track changes in your website’s security with ease. It also allows you to speed things up by providing you with the ability to feed the sitemaps of previous revisions to the next one (either to extend or restrict the scope), thus making the crawl process much faster (or skipping it altogether).

For more details about the new release please visit:
http://www.arachni-scanner.com/blog/arachni-0-4-6-0-4-3-release/

Download page: http://www.arachni-scanner.com/download/

Homepage - http://www.arachni-scanner.com
Blog    - http://www.arachni-scanner.com/blog
Documentation    - https://github.com/Arachni/arachni/wiki
Support    - http://support.arachni-scanner.com
GitHub page    - http://github.com/Arachni/arachni
Code Documentation     - http://rubydoc.info/github/Arachni/arachni
Copyright - 2010-2014
License    - Apache License v2