Apr 20, 2011

RawCap - Network Sniffer for Windows

RawCap (only 17kB) is a free raw-sockets network sniffer for Windows. It requires no external libraries or DLLs; it is a single standalone exe.

It can sniff any interface including loopback, WiFi, PPP interfaces.

Personally, I use it for 2 purposes: penetration testing and incident response:
  • Sniff additional credentials after breaking into a remote machine (as admin) without WinPcap or an NDIS driver.
  • Sniff the loopback interface to detect data leakage via an SSL tunnelling proxy.
  • Sniff WiFi (WPA2) for any suspicious TCP connections.

RawCap is provided for free and can be downloaded from here:
  • http://www.netresec.com/?page=RawCap

Apr 18, 2011

FindDomains

FindDomains is a multithreaded search engine discovery tool.

It retrieves the domain names/web sites hosted on a specified IP address/hostname. It can be very useful for penetration testers during reconnaissance of domain names/web sites/virtual hosts/virtual IPs.

Main highlights:
  • Uses Bing search engine. Works with first 1000 records.
  • Multithreaded on crawling and DNS resolution.
  • Performs DNS resolution for extracted domains to eliminate cached/old records.
  • Has a console interface.
  • Works with Mono (under Linux), but running under Windows is more efficient.
  • Requires .NET framework 3.5
Find it at http://code.google.com/p/finddomains/

Apr 11, 2011

Open Compute Project

Under an initiative dubbed the Open Compute Project, Facebook released designs for the technology powering its new data center in Prineville, Ore., which Facebook says is 38 percent more efficient and 24 percent cheaper to run thanks to its custom engineering.

Apr 5, 2011

Network Forensic Analysis of SSL MITM Attacks

SSL is not a panacea. If someone performs a man-in-the-middle (MITM) attack on HTTPS traffic (i.e. HTTP over SSL), they can read all of the "encrypted" content in clear text.

There are parties with legitimate reasons to eavesdrop on HTTPS traffic, such as your employer or your government.

If you suspect your network traffic is being monitored, how would you go about doing forensic analysis of traffic captured during a suspected MITM attack?

Here's a summary of the articles that show you how:

  • Extract the X.509 certificates (as *.cer files) from the captured SSL traffic with NetworkMiner.
  • Inspect the extracted files.
  • Verify the IP address and DNS name.
  • Look for any self-signed cert, revoked cert, or cert signed by a non-trusted CA.
  • Verify the MD5 fingerprint of an SSL cert with OpenSSL:

$ openssl x509 -inform DER -in mail.google.com.cer -noout -fingerprint -md5
MD5 Fingerprint=52:12:A2:B1:27:E3:BB:CC:E5:F5:AA:BD:A1:A1:E6:F8
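As an added example (not from the original articles), the same two checks done in Python on an extracted DER certificate: walk the ASN.1 structure to compare issuer with subject (the self-signed flag), and compute the fingerprint the same way openssl does so it can be compared with one recorded out of band. The certificate built by toy_cert is a constructed skeletal sample, not a real one; the parsing functions work on real *.cer files as well.

```python
import hashlib

def der_tlv(data, pos=0):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):  # split a SEQUENCE/SET body into its (tag, value) items
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_names(der):  # raw DER bodies of (issuer, subject) from an X.509 certificate
    tbs = der_children(der_tlv(der)[1])[0][1]    # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def is_self_signed(der):  # issuer == subject: the cert vouches for itself, worth a closer look
    issuer, subject = cert_names(der)
    return issuer == subject

def fingerprint(der, algo="md5"):  # same value as `openssl x509 -fingerprint -<algo>`
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def matches_known(der, expected, algo="sha256"):  # compare with a fingerprint noted out of band
    return fingerprint(der, algo) == expected.upper()

# --- constructed sample input: a skeletal DER certificate, NOT a real one ---
def der_encode(tag, value):
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + value

def toy_name(cn):  # Name = SEQ{ SET{ SEQ{ OID 2.5.4.3 (commonName), UTF8String } } }
    attr = der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode())
    return der_encode(0x30, der_encode(0x31, der_encode(0x30, attr)))

def toy_cert(issuer_cn, subject_cn):  # sigAlg, validity and SPKI left as empty SEQUENCEs
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + der_encode(0x30, b"") + toy_name(issuer_cn) + der_encode(0x30, b"")
           + toy_name(subject_cn) + der_encode(0x30, b""))
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```

For a real capture, read the extracted file with `open("mail.google.com.cer", "rb").read()` and pass those bytes to is_self_signed and fingerprint; the MD5 fingerprint printed matches the openssl output above.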

More references: