Rdpscan – A Quick Scanner For The CVE-2019-0708 “BlueKeep” Vulnerability

This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 900,000 machines on the public Internet vulnerable to this vulnerability, so many expect a worm soon, like WannaCry and NotPetya. Therefore, scan your networks and patch (or at least enable NLA) on vulnerable systems.

This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.

This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.

Primary use

To scan a network, run it like the following:

rdpscan 192.168.1.1-192.168.1.255

This produces one of 3 results for each address:

SAFE - if the target has been determined to be patched, or at least requires CredSSP/NLA
VULNERABLE - if the target has been confirmed to be vulnerable
UNKNOWN - if the target doesn't respond or has some protocol failure

When nothing exists at a target IP address, the older versions printed the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of information about systems you don't care about.
Therefore, the new version by default doesn't produce this information unless you add -v (for verbose) on the command-line.

You can increase the speed at which it scans large networks by increasing the number of workers:

rdpscan --workers 10000 10.0.0.0/8

However, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.

You can increase the speed even more by using this in conjunction with masscan, described in the section below.

Interpreting the results

There are three general responses:

SAFE - which means the target is probably patched or otherwise not vulnerable to the bug.
VULNERABLE - which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected.
UNKNOWN - which means we can't confirm either way, usually because the target doesn't respond or isn't running RDP; this is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot.

While the three main responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you'll see.

SAFE

There are three main reasons we think a target is safe:

SAFE - Target appears patched
This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix.

SAFE - CredSSP/NLA required
This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point without legitimate credentials, so it cannot determine whether the target has been patched. However, attackers can't continue past this point to exploit vulnerable systems either, so you are likely "safe".
However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's un-patched.

SAFE - not RDP
This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE/VULNERABLE.

VULNERABLE

This means we've confirmed the system is vulnerable to the bug.

VULNERABLE - got appid
There is only one response when the system is vulnerable, this one.

UNKNOWN

There are a zillion variations for unknown.

UNKNOWN - no connection - timeout
This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the -v (verbose) flag in order to enable it.

UNKNOWN - no connection - refused (RST)
This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so it refuses the connection with a TCP RST packet.

UNKNOWN - RDP protocol error - receive timeout
This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors, or the target system being overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.

UNKNOWN - no connection - connection closed
This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN).
There are many reasons this happens, which we cannot distinguish:

It's running RDP, but for some reason closes the connection, possibly because it's out of resources.
It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.

UNKNOWN - no connection - host unreachable (ICMP error)
The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.

UNKNOWN - no connection - network unreachable (ICMP error)
There is a (transient) network error on the far end; try again later if you believe that network should be running.

UNKNOWN - RDP protocol error
This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.

UNKNOWN - SSL protocol error
Since Windows Vista, RDP uses a STARTTLS-style negotiation to run over SSL/TLS. This layer has its own problems like those above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in its SSL, or the SSL library you are using has a bug.

Using with masscan

This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up.
The masscan tool is roughly 1000 times faster, but only gives limited information on the target.

The steps are:

First, scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
Second, feed the output of masscan into rdpscan, so it only has to scan targets we know are active.

The simple way to run this is just to combine them on the command-line:

masscan 10.0.0.0/8 -p3389 | rdpscan --file -

The way I do it is in two steps:

masscan 10.0.0.0/8 -p3389 > ips.txt
rdpscan --file ips.txt --workers 10000 > results.txt

Building

The difficult part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.

$ sudo apt install libssl-dev
$ sudo yum install openssl-devel

Once you've solved that problem, you just compile all the .c files together like this:

$ gcc *.c -lssl -lcrypto -o rdpscan

I've put a Makefile in the directory that does this, so you can likely do just:

$ make

The code is written in C, so it needs a C compiler installed, such as by doing the following:

$ sudo apt install build-essential

Common build errors

This section describes the more obvious build errors.

ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory

This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development files installed.
You need both the headers and libraries installed. To install these things on Debian, do:

$ sudo apt install libssl-dev

To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.

An example linker problem is the following:

Undefined symbols for architecture x86_64:
"_OPENSSL_init_ssl", referenced from: _tcp_tls_connect in tcp-fac73c.o
"_RSA_get0_key", referenced from: _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
"_SSL_CTX_set_options", referenced from: _tcp_tls_connect in tcp-fac73c.o
"_X509_get_X509_PUBKEY", referenced from: _rdssl_cert_to_rkey in ssl-d5fdf5.o

I get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths:

$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan

According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.

gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running

The section above gives quickstart tips for running the program. This section gives more in-depth help.

To scan a single target, just pass the address of the target:

./rdpscan 192.168.10.101

You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:

./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1

You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.

./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16

By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter.
However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.

./rdpscan --workers 1000 10.0.0.0/24

Instead of specifying targets on the command-line, you can load them from a file, using the well-named --file parameter:

./rdpscan --file ips.txt

The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or // characters.

The output is sent to stdout, giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.

211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
40.117.191.215 - SAFE - CredSSP/NLA required
121.204.186.182 - SAFE - CredSSP/NLA required
99.8.11.148 - SAFE - CredSSP/NLA required
121.204.186.114 - SAFE - CredSSP/NLA required
49.50.145.236 - SAFE - CredSSP/NLA required
106.12.74.155 - VULNERABLE - got appid
222.84.253.26 - SAFE - CredSSP/NLA required
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
183.134.58.152 - UNKNOWN - no connection - refused (RST)
83.162.246.149 - VULNERABLE - got appid

You can process this with additional unix commands like grep and cut. To get a list of just vulnerable machines:

./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'

The parameter -dddd means diagnostic information, where the more ds you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams.
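As an added example (not part of rdpscan or its README), here is a small POSIX shell helper for the post-processing that the grep/cut one-liner above hints at: it tallies results per status and extracts the addresses confirmed VULNERABLE. It assumes rdpscan's output format of "<address> - <STATUS> - <reason>" with " - " (space, hyphen, space) as the separator; the sample lines are constructed, modelled on the output shown above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not rdpscan's own code: summarise rdpscan results.
# Assumed input format (as rdpscan prints it): "<address> - <STATUS> - <reason>"
# with " - " (space, hyphen, space) as the separator.

# Constructed sample results, modelled on the README's output (not a real scan).
SAMPLE_RESULTS='211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
106.12.74.155 - VULNERABLE - got appid
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
2001:db8::1 - VULNERABLE - got appid
10.0.0.7 - SAFE - Target appears patched'

# Read results on stdin; print one "STATUS count" line per status, sorted.
# Splitting on " - " rather than on "-" keeps IPv6 addresses and the
# free-text reason (which itself contains " - ") intact.
rdpscan_tally() {
    awk -F' - ' 'NF >= 2 { n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# Read results on stdin; print only the addresses confirmed VULNERABLE,
# one per line, ready for a ticket or a patch-management import.
rdpscan_vulnerable() {
    awk -F' - ' '$2 == "VULNERABLE" { print $1 }'
}

# Read results on stdin; print the number of VULNERABLE hosts as a bare
# integer, e.g. for a cron job that only alerts when it is non-zero.
rdpscan_vuln_count() {
    rdpscan_vulnerable | wc -l | tr -d ' '
}

# Demo over the constructed sample.
printf '%s\n' "$SAMPLE_RESULTS" | rdpscan_tally
printf '%s\n' "$SAMPLE_RESULTS" | rdpscan_vulnerable
```

A live run is piped through the same helpers, e.g. masscan 10.0.0.0/8 -p3389 | rdpscan --file - | rdpscan_vulnerable. Because rdpscan writes its -d diagnostics to stderr, they never reach these helpers' stdin; when saving a run, keep the two streams in separate files.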
Using bash this is done like this:

./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt

Diagnostic info

Adding the -d parameter dumps diagnostic info on the connections to stderr.

./rdpscan 62.15.34.157 -d
[+] [62.15.34.157]:3389 - connecting...
[+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
[+] [62.15.34.157]:3389 - SSL connection
[+] [62.15.34.157]:3389 - version = v4.8
[+] [62.15.34.157]:3389 - Sending MS_T120 check packet
[-] [62.15.34.157]:3389 - Max sends reached, waiting...
62.15.34.157 - SAFE - Target appears patched

On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:

./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz

So it includes SOCKS5 support:

./rdpscan --file ips.txt --socks5 localhost --socks5port 9050

It makes connection problems worse, so you get a lot more "UNKNOWN" results.

Statically link OpenSSL

For releasing the Windows and macOS binaries attached as releases to this project, I statically link OpenSSL, so that it doesn't need to be included separately, and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.

Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:

git clone https://github.com/openssl/openssl

Windows

For Windows, you need to first install some version of Perl. I use the one from ActiveState.

Next, you'll need a special "assembler". I use the recommended one, called NASM.

Next, you'll need a compiler. I use Visual Studio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.

Now you need to build the makefile.
This is done by going into the OpenSSL directory and running the Configure Perl program:

perl Configure VC-WIN32

I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.

I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added the following to the CPPFLAGS: -D_WIN32_WINNT=0x501, which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.

Now you'll need to make sure everything is in your path. I copied nasm.exe to a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to set up the path variables for the compiler.

At this point on the command-line, I typed:

nmake

This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS

First of all, you need to install a compiler. I use the Developer Tools from Apple, installing Xcode and the compiler. I think you can use Homebrew to install gcc instead.

Then go into the source directory for OpenSSL and create a makefile:

perl Configure darwin64-x86_64-cc

Now simply make it:

make depend
make

At this point, it's created both dynamic (.dylib) and static (.a) libraries. I deleted the dynamic libraries so that it'll pick up the static ones by default.

Now in rdpscan, just build with the macOS makefile:

make -f Makefile.macos

This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.

This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.

Download Rdpscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/mCI0mRVoYKo/rdpscan-quick-scanner-for-cve-2019-0708.html

CocoaDebug – iOS Debugging Tool

Features

Shake to hide or show the black bubble (supports both device and simulator).
Long press the black bubble to show UIDebuggingInformationOverlay (Apple's private API; supports iOS 10/11/12).
Application memory usage and FPS.
List all print() and NSLog() messages which have been written by the developer in Xcode (optional).
List all the network requests sent by the application (optional).
List crash errors (optional).
Share network details via email or copy to clipboard when you are on the Network Details page.
Copy logs (long press the text, then select all or copy).
Search logs by keyword.
List application and device information, including: version, build, bundle name, bundle id, screen resolution, device, iOS version.
List all sandbox folders and files, with support for previewing and editing.
List HTML logs, including console.log(), console.debug(), console.warn(), console.error(), console.info() (supports both WKWebView and UIWebView) (optional).
Support JSON and Google's Protocol Buffers.

Installation

CocoaPods:

platform :ios, '8.0'
use_frameworks!

target 'YourTargetName' do
  pod 'CocoaDebug', :configurations => ['Debug']
end

Carthage:

github "CocoaDebug/CocoaDebug"

WARNING: Don't submit an .ipa to the App Store which has been linked with CocoaDebug.framework. This Integration Guide outlines a way to use build configurations to isolate linking the framework to Debug builds only.

Usage

Swift

// Step 1. (AppDelegate.swift)
#if DEBUG
    import CocoaDebug
#endif

// Step 2. (AppDelegate.swift)
#if DEBUG
    CocoaDebug.enable()
#endif

// Step 3. (AppDelegate.swift)
public func print

Objective-C

// Step 1. (AppDelegate.m)
#ifdef DEBUG
    @import CocoaDebug;
#endif

// Step 2. (AppDelegate.m)
#ifdef DEBUG
    [CocoaDebug enable];
#endif

// Step 3. (PrefixHeader.pch)
#ifdef DEBUG
    #import "_ObjcLog.h"
    //#import

Parameters

When you initialize CocoaDebug, you can customize the following parameter values before CocoaDebug.enable().

serverURL - If the crawled URLs contain the server URL, those URLs are marked in bold font. Nothing is marked when this value is nil. Default value is nil.
ignoredURLs - Set the URLs which should not be crawled, ignoring case; all URLs are crawled when the value is nil. Default value is nil.
onlyURLs - Set the URLs which are the only ones crawled, ignoring case; all URLs are crawled when the value is nil. Default value is nil.
tabBarControllers - Set controllers to be added as child controllers of UITabBarController. Default value is nil.
logMaxCount - The maximum count of logs which CocoaDebug displays. Default value is 1000.
emailToRecipients - Set the initial recipients to include in the email's "To" field when sharing via email. Default value is nil.
emailCcRecipients - Set the initial recipients to include in the email's "Cc" field when sharing via email. Default value is nil.
mainColor - Set the main color in hexadecimal format. Default value is #42d459.

Download CocoaDebug

Link: http://feedproxy.google.com/~r/PentestTools/~3/W4cz0F4blB4/cocoadebug-ios-debugging-tool.html

FFM (Freedom Fighting Mode) – Open Source Hacking Harness

FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 conference talk by @thegrugq. It was presented at SSTIC 2018 and the accompanying slide deck is available at this url. If you're not familiar with this class of tools, it is strongly advised to have a look at them to understand what a hacking harness' purpose is. All the comments are included in the slides.

Usage

The goal of a hacking harness is to act as a helper that automates common tasks during the post-exploitation phase, but also safeguards the user against mistakes they may make.

It is an instrumentation of the shell. Run ./ffm.py to activate it and you can start working immediately. There are two commands you need to know about:

Type !list to display the commands provided by the harness.
Type SHIFT+TAB to perform tab completion on the local machine. This may be useful if you're ssh'd into a remote computer but need to reference a file that's located on your box.

List of features

This hacking harness provides a few features that are described below. As they are described, the design philosophy behind the tool will also be introduced. It is not expected that all the commands implemented in FFM will suit you. Everyone has their own way of doing things, and tuning the harness to your specific needs is likely to require you to modify some of the code and/or write a few plugins. A lot of effort went into making sure this is a painless task.

Commands

!os is an extremely simple command that just runs cat /etc/*release* to show what OS the current machine is running. It is probably most valuable as a demonstration that in the context of a hacking harness, you can define aliases that work across machine boundaries. SSH into any computer, type !os and the command will be run. This plugin is located in commands/replacement_commands.py and is a good place to start when you want to learn about writing plugins.

!download [remote file] [local path] gets a file from the remote machine and copies it locally through the terminal. This command is a little more complex because more stringent error checking is required, but it's another plugin you can easily read to get started. You can find it in commands/download_file.py. Note that it requires xxd or od on the remote machine to function properly.

!upload [local file] [remote path] works exactly the same as the previous command, except that a local file is put on the remote machine.

!pty spawns a TTY, which is something you don't want in most cases because it tends to leave forensic evidence. However, some commands (sudo) or exploits require a TTY to run in, so this is provided as a convenience. unset HISTFILE is passed to it as soon as it spawns.

!py [local script] executes a local Python script on the remote machine, and does so entirely in memory. Check out my other repository for scripts you might want to use. This command uses a multiline syntax with <<, which means that pseudo-shells that don't support it (Weevely is a good example) will break this command quite badly.

Plugins can be further configured by editing ffm.conf.

Processors

Conceptually, commands (as described above) are used to generate some bash which is forwarded to the shell. They can perform more complex operations by capturing the shell's output and generating additional instructions based on what is returned. Processors are a little different, as they are used to rewrite data circulating between the user and the underlying bash process. While it is true that any processor could be rewritten as a command, it seemed a little cleaner to separate the two. Input processors work on whatever is typed by the user once they press the ENTER key, and output processors can modify anything returned by the shell.

A good processor example can be found in processors/ssh_command_line.py. All it does is add the -T option to any SSH command it sees if it is missing. Be sure to check out its simple code if you are interested in writing a processor.

Another input processor present in the framework, processors/assert_torify.py, contains a blacklist of networking commands (ssh, nc) and blocks them if they don't seem to be proxied through a tool such as torify. The harness does its best to only bother the user if it seems like the command is being run on the local machine. Obviously this should not be your only safeguard against leaking your home IP address.

Finally, processors/sample_output_processor.py is a very simple output processor that highlights in red any occurrence of the word "password". As it's quite useless, it's not enabled in the framework, but you can still use it as a starting point if you want to do something more sophisticated.

Known issues

CTRL+R is not implemented yet and we all miss it dearly.
There is currently no way to run ELFs in memory on a remote machine. This is high on the ToDo list.
More problematic is the fact that the framework hangs from time to time. In 99% of the cases, this happens when it fails to detect that a command it launched has finished running. Usually, this means that the command prompt of the machine you're logged into could not be recognized as such. In that case, you can try improving the regular expression located at the very beginning of the file ffm.py, or log into that same machine with ssh -T, as there won't be any problematic prompt anymore. By default, FFM will give up on trying to read the output of a command after 5 minutes (some plugins may implement different timeouts); so if the framework hangs, you'll need to wait until you see an error message (though if the underlying process is still running, you may still not be able to type in commands).

Closing statement

I think I've covered everything about this tool. Again, it's a little different from what I usually release, as most people will probably need to modify it before it can be valuable to them.

Many plugins have yet to be written, so be sure to share back any improvements you make to FFM. Feel free to open issues not only for bugs, but also if you're trying to do something and can't figure out how; this way I'll be able to improve the documentation for everyone.

Download FFM
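The !download command above works by having the remote side print the file as text and rebuilding the bytes locally. As an added example (not FFM's own code; the implementation in commands/download_file.py is not shown on this page), the following POSIX shell functions do that transfer by hand, with od on the remote side and printf locally, plus the integrity check a practitioner wants before trusting a file that was copied through a terminal. The function names, the demo file content and the use of cksum are this example's assumptions, not FFM's.

```sh
#!/bin/sh
# Added example, not FFM's own code: the "through the terminal" file transfer
# that FFM's !download automates, done by hand. Only od(1), printf(1) and
# cksum(1) are needed, all POSIX, so it works where scp/nc are unavailable
# or would leave more traces than the shell session you already have.
# Function names, the sample file and the cksum-based check are assumptions
# of this example.

# Remote side: print the file as one octal byte value per token.
# (xxd -p would give hex instead; od is used here because it is POSIX.)
encode_file() {
    od -An -v -to1 "$1"
}

# Local side: read the octal tokens (as pasted from the terminal) on stdin
# and write the bytes to "$1". printf's \ddd octal escape is POSIX, unlike
# \xHH, so this also works under dash; it is binary-safe, including NUL.
decode_file() {
    out="$1"
    : > "$out"
    for tok in $(cat); do
        printf "\\$tok" >> "$out"
    done
}

# Integrity check: compare CRC and byte count from cksum(1), so a copy that
# was truncated by a dropped line or mangled by the terminal is rejected.
# Returns 0 when the two files match.
same_file() {
    a=$(cksum < "$1" | cut -d' ' -f1,2)
    b=$(cksum < "$2" | cut -d' ' -f1,2)
    [ "$a" = "$b" ]
}

# Demo: round-trip a constructed file that contains a NUL, a high byte and a
# trailing newline, the cases a naive cat/echo transfer gets wrong.
demo_roundtrip() {
    src=$(mktemp) && dst=$(mktemp) || return 1
    printf 'id\000uid=0(root)\377\n' > "$src"
    encode_file "$src" | decode_file "$dst"
    if same_file "$src" "$dst"; then rc=0; else rc=1; fi
    rm -f "$src" "$dst"
    return $rc
}

demo_roundtrip && echo "round-trip OK"
```

In practice the two halves run on different hosts: encode_file in the remote shell, with the scrolled-back text saved to a local file, then decode_file on that text and same_file against a cksum taken on the remote side. The byte-count comparison is what catches the common failure, a line lost while copying from the terminal.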

Link: http://www.kitploit.com/2019/03/ffm-freedom-fighting-mode-open-source.html

Netsniff-Ng – A Swiss Army Knife For Your Daily Linux Network Plumbing

netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its performance gain comes from zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa. Our toolkit can be used for network development and analysis, debugging, auditing or network reconnaissance.

The netsniff-ng toolkit consists of the following utilities:

netsniff-ng, a fast zero-copy analyzer, pcap capturing and replaying tool
trafgen, a multithreaded low-level zero-copy network packet generator
mausezahn, high-level packet generator for HW/SW appliances with Cisco-CLI*
bpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassembler
ifpps, a top-like kernel networking statistics tool
flowtop, a top-like netfilter connection tracking tool
curvetun, a lightweight curve25519-based IP tunnel
astraceroute, an autonomous system (AS) trace route utility

Get it via Git:

git clone git://github.com/netsniff-ng/netsniff-ng.git

Tools

netsniff-ng is a fast network analyzer based on packet mmap(2) mechanisms. It can record pcap files to disk, replay them, and also do offline and online analysis. Capturing, analysis or replay of raw 802.11 frames is supported as well. pcap files are also compatible with tcpdump or Wireshark traces. netsniff-ng processes those pcap traces either in scatter-gather I/O or by mmap(2) I/O.

trafgen is a multi-threaded network traffic generator based on packet mmap(2) mechanisms. It has its own flexible, macro-based low-level packet configuration language. Injection of raw 802.11 frames is supported as well. trafgen has a significantly higher speed than mausezahn and comes very close to pktgen, but runs from user space. pcap traces can also be converted into a trafgen packet configuration.

mausezahn is a high-level packet generator that can run on a hardware-software appliance and comes with a Cisco-like CLI. It can craft nearly every possible or impossible packet. Thus, it can be used, for example, to test network behaviour under strange circumstances (stress test, malformed packets) or to test hardware-software appliances against several kinds of attacks.

bpfc is a Berkeley Packet Filter (BPF) compiler that understands the original BPF language developed by McCanne and Jacobson. It accepts BPF mnemonics and converts them into kernel/netsniff-ng readable BPF "opcodes". It also supports undocumented Linux filter extensions. This can be especially useful for more complicated filters that high-level filters fail to support.

ifpps is a tool which periodically provides top-like networking and system statistics from the Linux kernel. It gathers statistical data directly from procfs files and does not apply any user space traffic monitoring that would falsify statistics at high packet rates. For wireless, data about link connectivity is provided as well.

flowtop is a top-like connection tracking tool that can run on an end host or router. It is able to present TCP or UDP flows that have been collected by the kernel's netfilter framework. GeoIP and TCP state machine information is displayed. Also, on end hosts flowtop can show the PIDs and application names that flows relate to. No user space traffic monitoring is done; all data is gathered by the kernel.

curvetun is a lightweight, high-speed ECDH multiuser tunnel for Linux. curvetun uses the Linux TUN/TAP interface and supports {IPv4,IPv6} over {IPv4,IPv6} with UDP or TCP as carrier protocols. Packets are encrypted end-to-end by a symmetric stream cipher (Salsa20) and authenticated by a MAC (Poly1305), where keys have previously been computed with the ECDH key agreement protocol (Curve25519).

astraceroute is an autonomous system (AS) trace route utility. Unlike traceroute or tcptraceroute, it not only displays hops, but also the AS information they belong to, as well as GeoIP information and other interesting things. By default, it uses a TCP probe packet and falls back to ICMP probes in case no ICMP answer has been received.

Concluding, the toolkit is split into small, useful utilities that may or may not be related to each other. Each program fills a gap as a helper in your daily network debugging, development or audit.

Download Netsniff-Ng

Link: http://feedproxy.google.com/~r/PentestTools/~3/i86oZPByzMQ/netsniff-ng-swiss-army-knife-for-your.html

3 Best DNS Benchmarking Tools

A DNS server is responsible for resolving your domain requests to the IP address of the website. There are several DNS servers around the globe. Your ISP also provides a default DNS server that your internet connection uses. But you can use any publicly available DNS server for faster access to the Internet. We have already made a […]
The post 3 Best DNS Benchmarking Tools appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/-FtBp9g9veY/best-dns-benchmarking-tools.html

3 Best Wireshark Alternatives for Android

Wireshark is the most popular network packet analyser; it lets you see network traffic going out of and coming in to all computers in the network. So, you can see anything on your network that's not encrypted. The only problem is that Wireshark is not available for Android. While most people now prefer Android […]
The post 3 Best Wireshark Alternatives for Android appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/zFUke8qjSGY/best-wireshark-alternatives-for-android.html

Metta – An Information Security Preparedness Tool To Do Adversarial Simulation

Metta is an information security preparedness tool.

This project uses Redis/Celery, Python, and Vagrant with VirtualBox to do adversarial simulation. This allows you to test (mostly) your host-based instrumentation, but may also allow you to test any network-based detection and controls depending on how you set up your Vagrant boxes.

The project parses YAML files with actions and uses Celery to queue these actions up and run them one at a time without interaction.

Installation

See setup.md. There is also a wiki.

Running actions

The various actions live in the MITRE folder sorted by MITRE ATT&CK phases and also in Adversarial_Simulation. Just run the Python script with the YAML file of your choice:

$ python run_simulation_yaml.py -f MITRE/Discovery/discovery_win_account.yml
YAML FILE: MITRE/Discovery/discovery_account.yaml
OS matched windows...sending to the windows vagrant
Running: cmd.exe /c net group \"Domain Admins\" /domain
Running: cmd.exe /c net user /add
Running: cmd.exe /c net user /domain
Running: cmd.exe /c net localgroup administrators
Running: cmd.exe /c net share
Running: cmd.exe /c net use
Running: cmd.exe /c net accounts
Running: cmd.exe /c net config workstation
Running: cmd.exe /c dsquery server
Running: cmd.exe /c dsquery user -name smith* | dsget user -dn -desc
Running: cmd.exe /c wmic useraccount list /format:list
Running: cmd.exe /c wmic ntdomain
Running: cmd.exe /c wmic group list /format:list
Running: cmd.exe /c wmic sysaccount list /format:list

Making actions

The actions and scenarios live in the MITRE folder sorted by MITRE ATT&CK phases and also in Adversarial_Simulation. The most important parts are the os field and the purple_actions:

os: tells the tool which vagrant to send the command to; obviously *nix commands on Windows won't work out so well.
purple_actions: an array of commands to run sequentially.

Making scenarios

Scenarios are a list of paths to actions. The code will be looking for a scenario: True field and a scenario_actions list. Example below:

Gotchas

The tool takes the string from purple_actions and encapsulates it in quotes. Therefore you need to escape any other quotes, ticks, and weird shell characters in your command.

Use the output of the vagrant/celery piece to make sure things are working like they should.

Why Metta?

Metta (Pali): Loving kindness, gentle friendship; a practice for generating loving kindness said to be first taught by the Buddha as an antidote to fear. It helps cultivate our natural capacity for an open and loving heart and is traditionally offered along with other Brahma-vihara meditations that enrich compassion, joy in the happiness of others and equanimity. These practices lead to the development of concentration, fearlessness, happiness and a greater ability to love.

Download Metta

Link: http://feedproxy.google.com/~r/PentestTools/~3/bd9ufgk8P0Y/metta-information-security-preparedness.html