- Speed-up http modules auth mechanism detection
- Fixed -C colonfile mode when empty login/passwords were used (thanks to will(at)configitnow(dot)com for reporting)
- The -f switch was not working for postgres, afp, socks5, firebird and ncp, thanks to Richard Whitcroft for reporting!
- Fixed NTLM auth in http-proxy/http-proxy-url module
- Fixed URL when being redirected in http-form module, thanks to gash(at)chaostreff(dot)at
- Fix MSSQL success login condition, thanks to whistle_master(at)live(dot)com
- Fix http form module: optional headers and 3xx status redirect, thx to Gash
- Fix in configure script for --prefix option, thanks to dazzlepod
- Update of the dpl4hydra script by Roland Kessler, thanks!
- Small fix for hydra man page, thanks to brad(at)comstyle(dot)com
Download THC-Hydra v7.2
Before writing about ping sweeps, I would like to introduce ping. Ping is a network-based utility used to find out whether a host on the network is alive or dead. Suppose I want to check hackingtricks.in:
if we get a response, the website is live. You can check a system by its IP address or a website by its domain name. We can use this program to detect any kind of host: a website, a computer, a printer, a network device, and so on.
Ping Sweep: A ping sweep, also known as an ICMP sweep, is a network scanning technique used to determine which of a range of IP addresses map to live hosts. Where ping is used for a single computer, a ping sweep covers a range of IP addresses belonging to many computers. A ping sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a system (host) is live, it replies with an ICMP ECHO reply.
There are various tools available for performing a ping sweep, such as fping, gping, and nmap.
Download Fping here: http://fping.sourceforge.net/
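Because a sweep is one source sending echo requests to many different destinations in a short time, it leaves a recognisable pattern in firewall logs, unlike a plain ping that repeatedly probes one host. The Python below is an added example (not from the original post) that applies that heuristic to constructed iptables-style log lines; the log format, the addresses and the thresholds are assumptions.

```python
"""Flag ICMP echo-request sweeps in firewall logs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an iptables-like format; not real traffic.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:06 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:07 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 09:00:08 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=ICMP TYPE=(?P<type>\d+)"
)

def parse_echo_requests(text, year=2012):
    """Yield (timestamp, src, dst) for ICMP type 8 (echo request) lines only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("type") == "8":
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("src"), m.group("dst")

def find_sweeps(text, min_hosts=5, window=timedelta(seconds=10)):
    """Return {src: distinct_hosts} for sources that probed at least `min_hosts`
    distinct destinations within `window`.  Repeated pings to one host do not count."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(text):
        by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[src] = len(hosts)
                break
    return sweeps
```

The second source in the sample is an ordinary ping loop against one host and is not reported, which is the distinction a sweep detector has to make.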
NetworkMiner v.1.1 Released
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
The new version supports features such as:
- Extraction of Google Analytics data
- Better parsing of SMB data
- Support for PPP frames
- Even more stable than the 1.0 release
NetSecL v.3.2 Released
NetSecL 3.2 comes with a brand new XFCE, which dramatically improved performance. We closed many bugs and also gained more compatibility with OpenSuse 11.4 (most packages are 11.4 compatible). The GrSecurity kernel is updated to 22.214.171.124.
Ncrack - High-speed network authentication cracker
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
Ncrack's features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's, and many more.
Ncrack was started as a "Google Summer of Code" Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool and can be downloaded from below.
Intrusion Detection for your Network
The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools.
- All Xubuntu 10.04 updates as of release date.
- Snort updated to 126.96.36.199.
- Suricata updated to 1.1beta1.
- Barnyard2 updated to 1.9 Stable.
- Vortex updated to 2.9.0.
- Installed OSSEC for host-based intrusion detection.
- Installed Squert web interface for Sguil.
- Installed Armitage GUI interface for Metasploit.
- Many improvements to the Setup script for user-friendliness and capability.
pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework
pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 9 testing modules:
- clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
- testRules: basic rules testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
- badTraffic: non-RFC-compliant packets are sent to the server to test how such packets are processed.
- fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
- multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
- evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can detect them.
- shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
- denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
- pcapReplay: replays pcap files.
It is easily configurable and could integrate new modules in the future.
There are basically 6 types of tests:
- socket: opens a socket on a given port and sends the payloads to the remote target on that port.
- command: sends a command to the remote target with the subprocess.call() Python function.
- scapy: sends specially crafted payloads written in Scapy syntax.
- multiple failed logins: opens a socket on port 21/tcp (FTP) and attempts to log in 5 times with bad credentials.
- client side attacks: uses a reverse shell on the remote target and sends it commands that the server then processes (typically wget commands).
- pcap replay: replays traffic from pcap files.
The official documentation is available here: pytbull documentation.
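Whatever the test type, the verdict for a pytbull-style run comes from the IDS alert file: each test expects particular signatures to fire, and the framework compares that with what was logged. The Python below is an added example (not pytbull's own code) of that comparison over alert lines constructed in Snort/Suricata fast.log style; the test catalogue, SIDs and addresses are hypothetical.

```python
"""Check an IDS alert file against the alerts each test is expected to raise.
Alert lines below are constructed in Snort/Suricata fast.log style, not captured."""
import re

FAST_LOG = """\
01/10-09:00:01.100000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.5:80 -> 192.0.2.10:45678
01/10-09:00:02.200000  [**] [1:1000001:1] LOCAL FTP multiple failed logins [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:21 -> 192.0.2.5:51022
01/10-09:00:03.300000  [**] [1:1000001:1] LOCAL FTP multiple failed logins [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:21 -> 192.0.2.5:51023
"""

# Hypothetical test catalogue: (module, test name) -> SIDs that must fire.
EXPECTED = {
    ("testRules", "id_check_returned_root"): {2100498},
    ("multipleFailedLogins", "ftp_bad_credentials_x5"): {1000001},
    ("evasionTechniques", "ftp_telnet_iac_padding"): {1000002},
}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alerts(text):
    """Return a list of dicts (gid, sid, rev, msg, proto, src, dst), one per alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            alerts.append(d)
    return alerts

def evaluate(alert_text, expected):
    """Map each (module, test) to 'detected', 'partial' or 'missed' by comparing
    the set of SIDs that fired with the set the test expects."""
    fired = {a["sid"] for a in parse_alerts(alert_text)}
    results = {}
    for test, sids in expected.items():
        hit = sids & fired
        results[test] = "detected" if hit == sids else ("partial" if hit else "missed")
    return results
```

Running the same catalogue before and after a rule or configuration change and diffing the two result maps is the "compare configuration modifications" use the text describes.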
Yersinia | a network exploitation tool
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems.
Currently, some network protocols are implemented, and others are coming (tell us which one you would prefer). Attacks for the following network protocols are implemented (but of course you are free to implement new ones):
- Spanning Tree Protocol (STP)
- Cisco Discovery Protocol (CDP)
- Dynamic Trunking Protocol (DTP)
- Dynamic Host Configuration Protocol (DHCP)
- Hot Standby Router Protocol (HSRP)
- IEEE 802.1Q
- IEEE 802.1X
- Inter-Switch Link Protocol (ISL)
- VLAN Trunking Protocol (VTP)
Spanning Tree Protocol
- Sending RAW Configuration BPDU
- Sending RAW TCN BPDU
- DoS sending RAW Configuration BPDU
- DoS sending RAW TCN BPDU
- Claiming Root Role
- Claiming Other Role
- Claiming Root Role dual home (MITM)
Cisco Discovery Protocol
- Sending RAW CDP packet
- DoS flooding CDP neighbors table
- Setting up a virtual device
Dynamic Host Configuration Protocol
- Sending RAW DHCP packet
- DoS sending DISCOVER packet (exhausting ip pool)
- Setting up rogue DHCP server
- DoS sending RELEASE packet (releasing assigned ip)
Hot Standby Router Protocol
- Sending RAW HSRP packet
- Becoming active router
- Becoming active router (MITM)
Dynamic Trunking Protocol
- Sending RAW DTP packet
- Enabling trunking
IEEE 802.1Q
- Sending RAW 802.1Q packet
- Sending double encapsulated 802.1Q packet
- Sending 802.1Q ARP Poisoning
IEEE 802.1X
- Sending RAW 802.1X packet
- Mitm 802.1X with 2 interfaces
VLAN Trunking Protocol
- Sending RAW VTP packet
- Deleting ALL VLANs
- Deleting selected VLAN
- Adding one VLAN
- Catalyst crash
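The STP items above ("Claiming Root Role", and the dual-homed MITM variant) all work by sending Configuration BPDUs that advertise a better root bridge ID than the real root, which is why switches offer BPDU Guard and Root Guard on access ports. The Python below is an added example (not Yersinia's code) that parses an 802.1D Configuration BPDU and flags one advertising a root ID better than the bridge you expect; the frames, MACs and priorities are constructed test fixtures.

```python
"""Parse 802.1D Configuration BPDUs and flag ones that claim a better root than
the bridge we expect (what a rogue "claiming root role" sender produces).
The frames below are constructed for illustration, not captured traffic."""
import struct

BPDU_FMT = ">HBBB8sI8sHHHHH"        # fields after the 3-byte LLC header 42 42 03
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35 bytes

def bridge_id(priority, mac):
    """Build an 8-byte bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))

def parse_bpdu(llc_payload):
    """Return a dict of BPDU fields, or None if this is not a Configuration BPDU."""
    if llc_payload[:3] != b"\x42\x42\x03" or len(llc_payload) < 3 + BPDU_LEN:
        return None
    (proto, version, bpdu_type, flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, llc_payload[3:3 + BPDU_LEN])
    if proto != 0 or bpdu_type != 0x00:   # 0x00 = Configuration BPDU, 0x80 = TCN
        return None
    return {"root_id": root, "root_priority": struct.unpack(">H", root[:2])[0],
            "root_mac": root[2:].hex(":"), "root_path_cost": cost,
            "bridge_mac": bridge[2:].hex(":"), "max_age": max_age // 256,
            "hello_time": hello // 256}   # timers are in 1/256 s units

def is_root_claim(bpdu, expected_root):
    """True when the advertised root ID sorts lower (i.e. better) than expected_root."""
    return bpdu is not None and bpdu["root_id"] < expected_root

# Constructed fixtures: the legitimate root (default priority 32768) and a sender
# advertising priority 0 with its own MAC, which STP would elect as the new root.
EXPECTED_ROOT = bridge_id(32768, "00:11:22:33:44:55")
ROGUE_ROOT = bridge_id(0, "de:ad:be:ef:00:01")

def make_config_bpdu(root, bridge, cost=0):
    return b"\x42\x42\x03" + struct.pack(BPDU_FMT, 0, 0, 0, 0, root, cost, bridge,
                                         0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

LEGIT_FRAME = make_config_bpdu(EXPECTED_ROOT, EXPECTED_ROOT)
ROGUE_FRAME = make_config_bpdu(ROGUE_ROOT, ROGUE_ROOT)
```

Fed with BPDUs captured on an access port, the same check is a cheap way to confirm that Root Guard is actually doing its job.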