White Hat Hacker Capital Buôn Ma Thuột

The Vietnam White Hat Hacker training program in Buôn Ma Thuột City, combined with tourism. Leave as a newbie, return as a WHITE HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training program on using the Metasploit Framework for penetration testing, or hacking.

C50's Computer Forensics Materials

Study materials on Digital Evidence Investigation (CHFI) compiled by Security365 for training at C50.

Students with Hacking and Information Security

A student hacking competition, with web attack challenges for students built on the Hackademic Challenge platform.

Attack and Defense with BackTrack / Kali Linux

A course on attack and defense with the professional hacker toolkits BackTrack and Kali Linux, based on Offensive Security content.

Pages

[Memoryze] Find Evil in Live Memory (Memory Forensic Software)

Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Mandiant’s Memoryze features:
  • image the full range of system memory (not reliant on API calls).
  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps and stacks.
  • image a specified driver or all drivers loaded in memory to disk.
  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
    • report all open handles in a process (for example, all files, registry keys, etc.).
    • list the virtual address space of a given process including:
      • displaying all loaded DLLs.
      • displaying all allocated portions of the heap and execution stack.
    • list all network sockets that the process has open, including any hidden by rootkits.
    • specify the functions imported by the EXE and DLLs.
    • specify the functions exported by the EXE and DLLs.
    • hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; this is disk based).
    • hash the EXE and DLLs in the process address space (this is a MemD5 of the binary in memory).
    • verify the digital signatures of the EXE and DLLs (this is disk based).
    • output all strings in memory on a per process basis.
  • identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
    • specify the functions the driver imports.
    • specify the functions the driver exports.
    • hash the driver (MD5, SHA1, SHA256; this is disk based).
    • verify the digital signature of the driver (this is disk based).
    • output all strings in memory on a per driver basis.
  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • identify all loaded kernel modules by walking a linked list.
  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs) and driver function tables (IRP tables).

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Memoryze officially supports:
  • Windows 2000 Service Pack 4 (32-bit)
  • Windows XP Service Pack 2 and Service Pack 3 (32-bit)
  • Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
  • *Windows Vista Service Pack 2 (64-bit)
  • Windows 2003 Service Pack 2 (32-bit and 64-bit)
  • Windows 7 Service Pack 0 (32-bit and 64-bit)
  • *Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)
  • Windows 2008 R2 Service Pack 0 (64-bit)
  • *Windows 8 Service Pack 0 (32-bit and 64-bit)
  • *Windows Server 2012 Service Pack 0 (64-bit)
* marks support for a new operating system without field experience on millions of hosts

In order to visualize Memoryze’s output, please download Redline™ or use an XML viewer.  Redline is Mandiant’s premier free tool for investigating hosts for signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

[Kali Linux 1.0.6] with LUKS Self-Destruction Feature


Offensive Security, the creator of the famous BackTrack Linux operating system, has announced on January 9 that a new maintenance release for its Kali Linux distribution is now available for download. 

Kali Linux 1.0.6 is the first release to introduce an amazing feature called "emergency self-destruction of LUKS," which allows users to quickly nuke the entire installation in case of an emergency.


Powered by Linux kernel 3.12, Kali Linux 1.0.6 introduces the Offensive Security Trusted ARM image scripts, Kali Google Compute and Amazon AMI image generation scripts, as well as numerous new tools, updates for existing ones, and many other interesting changes.

Keep in mind that Kali Linux is a rolling-release distro and you don’t have to download this new ISO in order to keep your installation up-to-date.


No Re-Downloading Required
root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

[THC-Hydra v7.6] Fast Parallel Network Logon Cracker


Hydra is a parallelized network logon cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

Features
  • IPv6 Support
  • Graphical user interface
  • Internationalized support (RFC 4013)
  • HTTP proxy support
  • SOCKS proxy support
The tool supports the following protocols:
Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.

Release 7.6
* Added a wizard script for hydra based on a script by Shivang Desai <shivang.ice.2010@gmail.com>
* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!)
* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon)
* SMTP Enum: HELO is now always sent, better 500 error detection
* hydra main:
- fixed a bug in the IPv6 address parsing when a port was supplied
- added info message for pop3, imap and smtp protocol usage
* hydra GTK: missed some services, added
* dpl4hydra.sh:
- added Siemens S7-300 common passwords to default password list
- more broad searching in the list
* Performed code indentation on all C files :-)
* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly)

[FirePasswordViewer v5.5] Firefox Sign-on Secrets Recovery Software


Like other browsers, Firefox also stores login details such as the username and password for every website the user visits, with the user's consent. All these secrets are stored securely in the Firefox sign-on database in encrypted form.

FirePasswordViewer can instantly decrypt and recover these secrets even if they are protected with a master password.

It can also be used to recover passwords from a different profile (for other users on the same system) as well as from a different operating system (such as Linux, Mac, etc.). This greatly helps forensic investigators, who can copy the Firefox profile data from the target system to a different machine and recover the passwords offline without affecting the target environment.

This mega version brings major changes to support the latest Firefox v25.0 and a new GUI with a cool banner.

[Haveged] A simple Entropy Daemon


The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.

The original HAVEGE research dates back to 2003 and much of the original haveged documentation is now quite dated. Recent work on haveged has included an effort to provide more recent information on the project and its applications.

The original research behind HAVEGE was based upon studies of the behavior of processor caches at the hardware level. The 'Flutter' documents below attempt to provide a modern view of HAVEGE at the software level through the use of a diagnostic build of haveged that captures the non-deterministic inputs to haveged for analysis by external tools.


[Pinpoint] Enumerates WebPage Components to help identify the Infected Files


Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and which file each link resided in. It will also download each file and calculate its "entropy"; the higher the value, the more rubbish characters were found, which may help identify obfuscated JavaScript.

You can of course spoof the user-agent string and referer values to elicit a malicious response from the website. There's also a function to clear your cookies (see the Options menu item), since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address, since yours will usually get banned after the first visit.

[Router Password Kracker] Router Password Recovery Software


Router Password Kracker is free software to recover the lost password of your router. It can also be used to recover the password of your internet modem or of websites protected by HTTP BASIC authentication.

Generally, routers and modems control access by using the HTTP BASIC authentication mechanism. In simple words, when you connect to your modem/router from the browser (typically http://192.168.1.1) you will be asked to enter a username and password. If you ever forget this password, you will not be able to access your router/modem configuration. Some websites also use BASIC authentication to allow only certain users to access their site.

In these cases 'Router Password Kracker' can help you quickly recover your lost password. Penetration testers and forensic investigators can also find this tool very useful in cracking the router/modem/website password.

[MoonSols] Windows Memory Toolkit


MoonSols Windows Memory Toolkit is a powerful toolkit containing all the utilities needed to perform any kind of memory acquisition or conversion during an incident response or a forensic analysis of Windows desktops, servers or virtualized environments. Version 2.0 is a refreshed and updated release that responds to the evolving needs of the vendor's clients and assists them in delivering in a strategic and professional way.

MoonSols Windows Memory Toolkit has been designed to deal with the Microsoft Windows hibernation file (from Windows XP to Windows 8, in both 32-bit and 64-bit (x64) editions), Microsoft full memory crash dumps (in both 32-bit and 64-bit (x64) editions), and raw memory dump files (from memory acquisition tools like DumpIt or virtualization applications like VMware). Moreover, the toolkit also contains a new version of DumpIt.

The toolkit's main point is that the Microsoft full memory crash dump was designed by Microsoft as the "physical memory format" meant to be analyzed by Microsoft Windows Debugger (the most powerful utility for troubleshooting problems, analyzing physical memory, etc.). The goal of MoonSols Windows Memory Toolkit is to make it possible to convert all Windows physical memory dumps into Microsoft crash dumps compliant with Microsoft Windows Debugger (WinDbg).

With MoonSols Windows Memory Toolkit you can convert any Windows memory dump file into a Microsoft crash dump file readable by Microsoft Windows Debugger. Moreover, you can also decompress complex memory dumps such as the Windows XP x64 hibernation file as well as the Windows 7 x64 hibernation file.

The MoonSols Windows Memory Toolkit 2.0 works on every Microsoft Windows version, from Windows XP to Windows 8 (both x86 and x64 editions).

The MoonSols Windows Memory Toolkit 2.0 contains an improved version of win32dd and win64dd called DumpIt, which can be run from external paths and called from scripts to make your life easier. Moreover, an interactive command-line version is provided to users.

The toolkit contains several utilities, such as DumpIt for live acquisition to a local disk file or to a remote target, and hibr2dmp/bin2dmp, which create a synergetic ecosystem among the different file formats used by memory snapshot files, such as the Windows hibernation file and Microsoft crash memory dumps analysable by Microsoft WinDbg.

MoonSols Windows Memory Toolkit contains:
  • MoonSols DumpIt 2.0
  • MoonSols Hibr2Bin 2.0
  • MoonSols Hibr2Dmp 2.0
  • MoonSols Dmp2Bin 2.0
  • MoonSols Bin2Dmp 2.0
MoonSols DumpIt replaces MoonSols Win32dd and Win64dd; the utility also has full 32-bit and 64-bit Windows 8 support and new features such as LZNT1 compression and RC4 encryption.

The utilities Hibr2Bin and Hibr2Dmp also have 32-bit and 64-bit Windows 8 support.

[Network Password Decryptor v6.5] Windows Network Password Recovery Tool


Network Password Decryptor is the free tool to instantly recover network authentication passwords.


In addition to the network authentication passwords, it can also recover passwords stored by other Windows apps such as Outlook, Windows Live Messenger, Remote Desktop, etc.

These network passwords are stored in encrypted form, and even an administrator cannot view them. Some types of passwords cannot be decrypted even by administrators, as they require special privileges. Network Password Decryptor automatically detects and decrypts all these stored network passwords.

[DAVOSET] Tool for conducting DDoS attacks

DAVOSET is a console (command-line) tool for conducting DDoS attacks on sites via Abuse of Functionality vulnerabilities at other sites.

Changelog v1.1.5
  • Added error handler in GetCookie().
  • Added new services into lists of zombies.
  • Removed non-working services from lists of zombies.
Usage
1. Start the program: davoset.pl
2. Enter URL of the site to attack: Site: http://site
3. Get the site attacked via your list of zombie-servers.
Or from command line:
perl davoset.pl u=http://site
perl davoset.pl u=http://site l=list.txt m=1 c=100

[Creepy] Geolocation information Gathering through Social Networking Platforms


Creepy is a geolocation OSINT tool. It gathers geolocation-related information from online sources and allows presentation on a map, search filtering based on exact location and/or date, and export in CSV format or KML for further analysis in Google Maps.

What's new in v1.0.x ?

  • Creepy now uses Qt 4, via its PyQt4 bindings, for the user interface.
  • Analysis is based on projects; you can work with multiple targets simultaneously without having to re-analyze them.
  • Creepy is extensible via plugins for online services that might hold geolocation information. See the Creepy Plugins Repository.
  • Plugins for Twitter, Instagram and Flickr are included in this release.
  • Easy plugin configuration with wizards, where applicable.
  • After analysis, the retrieved locations can be filtered based on the date they were created or their proximity to a certain location.
  • Google Maps is used as the maps provider (Street View included within Creepy!).

Quick Start Instructions

  • Download creepy ( source code or the installers provided here for your platform )
  • Configure twitter and instagram plugins. Edit -> Plugins Configuration -> Twitter / Instagram and run the wizards, following the instructions
  • Create a new project : Creepy -> New Project -> Person Based Project . Search for the target selecting the available plugins.
  • Right click on the project -> Analyze Current Project
  • Wait :)
  • The locations will be drawn on the map, once the analysis is complete.
  • Filter locations, export locations, view them on the map.

[FoxAnalysis] Firefox Internet History Analysis Software


FoxAnalysis Plus is a software tool for extracting, viewing and analysing internet history from the Mozilla Firefox web browser. The main features are described below:
  
Extract History  ::
Extract history regarding bookmarks, cookies, downloads, favicons, form entries, logins, saved sessions and website visits.   

Case Files  ::
Each Firefox profile analysed can be saved to a Case file for further analysis at a later date.   

Supports Firefox versions 3 to 24  ::
Extract history generated from Firefox versions 3 to 24 (new versions are added regularly). 

Cache ::
The built-in image viewer can be used to view images from the cache. Images, web pages and other files from the cache can also be extracted.


Saved Sessions ::
Analyse current and last session data such as open windows and tabs, cookies and text typed into forms. Session data not displayed within a table can be analysed using the tree viewer. 


Web History Timeline ::
Website visits can be viewed in a navigable timeline structure for easily viewing the time and order that websites were visited. 


Web Page Reconstruction ::
Web pages stored in the cache can be reconstructed using other resource files from the cache. This allows the web page to be viewed in the state it was originally accessed. A report is also provided summarising how the web page was reconstructed. 


Filtering ::
Analyse the extracted data with filtering by keyword, date range, download status, website visit or selection. Lists of keyword filters can also be saved and loaded. 


Reporting ::
Generate reports in HTML, CSV and XML format. 


Time Zone and DST Settings ::
Convert UTC timestamps to any time zone and apply custom daylight saving settings.  


[Arachni v0.4.6 - Web User Interface v0.4.3] Open Source Web Application Security Scanner Framework


Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process.

Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application's cyclomatic complexity.

This way, attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.


Changelog

Framework v0.4.6
  • Massively decreased RAM consumption.
  • Amount of performed requests cut down by 1/3 — and thus 1/3 decrease in scan times.
  • Overhauled timing attack and boolean/differential analysis algorithms to fix SQLi false-positives with misbehaving webapps/servers.
  • Vulnerability coverage optimizations with 100% scores on WAVSEP’s tests for:
    • SQL injection
    • Local File Inclusion
    • Remote File Inclusion
    • Non-DOM XSS — DOM XSS not supported until Arachni v0.5.
WebUI v0.4.3
  • Implemented Scan Scheduler with support for recurring scans.
  • Redesigned Issue table during the Scan progress screen, to group and filter issues by type and severity.

[Xelenium] Security Testing with Selenium


Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in a web application. Xelenium uses the open source functional test automation tool 'Selenium' as its engine and has been built using Java Swing.

Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.


Selenium – Webdriver is an open source functional testing tool and is very powerful and flexible. More details on Selenium can be found here: http://seleniumhq.org/

[Social Password Dump] Command-line Tool to Recover Social Network Password from Browsers and Messengers


Social Password Dump is a free command-line all-in-one tool to recover your lost passwords for social networks like Facebook, Twitter, Pinterest, etc.

Currently it can recover passwords for the following popular social networks:

  • Facebook
  • Twitter
  • Google Plus
  • Linkedin
  • Pinterest
  • Myspace
  • Badoo

It can instantly find and decrypt your stored passwords from all the popular web browsers and messengers.
Here is the complete list of supported applications:
  • Firefox
  • Internet Explorer (v6.x - v10.x)
  • Google Chrome
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Opera Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • Comodo Dragon Browser
  • Paltalk Messenger
  • Miranda Messenger

It automatically discovers all these installed applications on your system and recovers all the stored social network login passwords within seconds.

[Orbot] Mobile Anonymity + Circumvention



Orbot is a free proxy app that empowers other apps to use the internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Orbot is the only app that creates a truly private internet connection. As the New York Times writes, “when a communication arrives from Tor, you can never know where or whom it’s from.” Tor won the 2012 Electronic Frontier Foundation (EFF) Pioneer Award.

[RDG Packer Detector 2014] Detector of Packers, Cryptors, Compilers, Packer Scramblers, Joiners, Installers


RDG Packer Detector is a detector of packers, cryptors, compilers, packer scramblers, joiners and installers.

+New signatures
+Windows 7 compatible
+Windows 8 compatible
+Fewer false positives
+Greater stability
+32/64-bit PE detection

-Has a fast detection system.
-Has a powerful detection system that analyzes the whole file, allowing multi-detection of packers in many cases.
-Lets you create your own detection signatures.
-Has a cryptographic analyzer.
-Can calculate the checksum of a file.
-Can calculate the entropy, reporting whether the analyzed program is compressed or encrypted or not.
-OEP (Original Entry Point) detector for a program.
-You can check for and download signatures, so your RDG Packer Detector is always up to date.
-Plug-in loader.
-Signature converter.
-Detector of entry point fakers.
-De-Binder, an extractor of attached files.
-Improved heuristic system.

[Sandcat Browser 4.4] The fastest web browser combined with the fastest scripting language packed with features for pen-testers


Sandcat Browser is the fastest web browser combined with the fastest scripting language packed with features for pen-testers. Sandcat Browser is a freeware portable pen-test oriented multi-tabbed web browser with extensions support developed by the Syhunt team. The Sandcat Browser is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support.

Some of its unique features include:
  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command line console; Allows you to easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities and more.
Features inherited from Chromium include:
  • Multi-Process Architecture — each tab is its own process
  • Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

[DirBuster] Brute Force Directories and Files Names on Web/Application Servers


DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default-installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generating this one: the list was generated from scratch, by crawling the Internet and collecting the directories and files that are actually used by developers! DirBuster comes with a total of 9 different lists (further information can be found below), which makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)


[Binwalk] Firmware Analysis Tool


Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules.

Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including:
  • Embedded file identification and extraction
  • Executable code identification
  • Type casting
  • Entropy analysis and graphing
  • Heuristic data analysis
  • "Smart" strings analysis
Binwalk's file signatures are (mostly) compatible with the magic signatures used by the Unix file utility, and include customized/improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, kernels, bootloaders, filesystems, etc.


Features

Binwalk is:
  • Fast
  • Flexible
  • Extendable
  • Easy to use
Binwalk can:
  • Find and extract interesting files / data from binary images
  • Find and extract raw compression streams
  • Identify opcodes for a variety of architectures
  • Perform data entropy analysis
  • Heuristically analyze unknown compression / encryption
  • Visualize binary data
  • Diff an arbitrary number of files
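Pinpoint's "entropy" score for fetched web files, RDG Packer Detector's entropy check for compressed or encrypted programs, and Binwalk's entropy analysis all rest on the same measurement: Shannon entropy in bits per byte, computed over a sliding window so that compressed, encrypted or heavily obfuscated regions stand out from readable text and ordinary code. The following is an added example written for this page; it is not code from Pinpoint, RDG Packer Detector or Binwalk, and the thresholds, window sizes and the sample input (readable JavaScript wrapping a pseudo-random blob built from SHA-256 outputs) are constructed assumptions, not values those tools use.

```python
"""Shannon entropy over a byte blob, with a sliding-window scan that marks
the high-entropy regions a tool like Pinpoint or Binwalk would flag.
Added example, not code from any of the tools described on this page."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes, window: int = 1024, step: int = 256):
    """Yield (offset, entropy) for each full window; a trailing partial window is skipped."""
    for start in range(0, len(data) - window + 1, step):
        yield start, shannon_entropy(data[start:start + window])


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 256,
                         threshold: float = 7.5):
    """Merge overlapping windows whose entropy reaches the threshold into
    (start, end) byte ranges. At 7.5+ bits/byte a region is almost certainly
    compressed or encrypted; readable text and ordinary code sit well below
    that, which is why the (assumed) threshold is placed where it is."""
    regions = []
    for start, ent in entropy_profile(data, window, step):
        if ent < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return regions


# Constructed sample (assumption: not a real firmware image or web page).
# Readable JavaScript wrapping a 4 KiB pseudo-random blob that stands in for
# a compressed or encrypted section; SHA-256 outputs keep the blob
# deterministic while still looking random to the entropy measure.
PLAIN_JS = b"function add(a, b) { return a + b; }\nconsole.log(add(1, 2));\n"
TEXT_PART = (PLAIN_JS * 64)[:2048]
BLOB = b"".join(hashlib.sha256(b"constructed-blob-%d" % i).digest() for i in range(128))
BLOB_OFFSET = len(TEXT_PART)
SAMPLE = TEXT_PART + BLOB + TEXT_PART


def main() -> None:
    print(f"plain JS entropy : {shannon_entropy(TEXT_PART):.2f} bits/byte")
    print(f"random blob      : {shannon_entropy(BLOB):.2f} bits/byte")
    # Crude text-mode version of the entropy graph Binwalk draws.
    for start, ent in entropy_profile(SAMPLE):
        print(f"{start:6d} {ent:5.2f} {'#' * int(ent * 4)}")
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region: 0x{start:x}-0x{end:x} ({end - start} bytes)")


if __name__ == "__main__":
    main()
```

Run it as a script to see the profile; the flagged region lines up with the blob, give or take the windows that straddle its edges. On real input, a flagged region is a starting point for the tool's other checks (signature matching, string extraction, script deobfuscation), not a verdict on its own: legitimate images, fonts and archives are high-entropy too.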

[dotDefender] Web Application Security


dotDefender is the market-leading software Web Application Firewall (WAF). dotDefender boasts enterprise-class security, advanced integration capabilities, easy maintenance and low total cost of ownership (TCO).

dotDefender is the perfect choice for protecting your web site and web applications today.

Robust Security for Any Web Application

dotDefender protects any web site or web service on your server, and continues to as you update, change, and expand your code. The dotDefender WAF reduces the costs of code scanning, and enables you to focus on business, not web application security. dotDefender can handle .NET Security issues.


PCI DSS Compliance

dotDefender helps you achieve Compliance with the Payment Card Industry Data Security Standard (PCI DSS Compliance).

Why Application Security?

If you thought that network security and other "traditional security measures" were enough, think again. Web Application Firewalls deal with security attacks aimed squarely at your website, and these attacks are on the rise. Read more on Web Application Firewalls and the dotDefender security solution. dotDefender is able to handle .NET security issues.