rtpbreak 1.3a Released - RTP Analysis and Hacking

Published at May 7, 2008 in Network Hacking and Hacking Tools. Comments

With rtpbreak you can detect, reconstruct and analyze any RTP session. It doesn’t require the presence of RTCP packets and works independently form the used signaling protocol (SIP, H.323, SCCP etc). The input is a sequence of packets, the output is a set of files you can use as input for other tools (wireshark/tshark, sox, grep/awk/cut/cat/sed and so on). It also supports wireless (AP_DLT_IEEE802_11) networks.

This is a list of scenarios where rtpbreak is a good choice:

  • reconstruct any RTP stream with an unknown or unsupported signaling protocol
  • reconstruct any RTP stream in wireless networks, while doing channel hopping (VoIP activity detector)
  • reconstruct and decode any RTP stream in batch mode (with sox, asterisk)
  • reconstruct any already existing RTP stream
  • reorder the packets of any RTP stream for later analysis (with tshark, wireshark, …)
  • build a tiny wireless VoIP tapping system in a single chip Linux unit
  • build a complete VoIP tapping system (rtpbreak would be just the RTP dissector module!)

This project is released under license GPL version 2.

You can download rtpbreak 1.3a here:

rtpbreak-1.3a.tgz

Or read more here.

Technorati Tags: , , , , , , , , ,

Sandman - Read the Windows Hibernation File

Published at May 7, 2008 in Windows Hacking and Hacking Tools. Comments

This is a pretty new tool and a very cool one, Hibernation is a fairly new feature for Windows so it’s good to see a new tool targeting that.

Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.

One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Technorati Tags: , , , , , , ,

CDPSnarf - CDP Packet Sniffer

Published at April 30, 2008 in Network Hacking and Hacking Tools. Comments

CDPSnarf if a network sniffer exclusively written to extract information from CDP packets. It provides all the information a “show cdp neighbors detail” command would return on a Cisco router and even more.

The application is written in C using the popular PCAP library.

Sample Output

Cisco AIR-AP1231G-E-K9 Access Point:

$ sudo ./cdpsnarf eth2
Waiting for a CDP packet...

[#0] Sniffed CDP advertisement with a size of 367 bytes.
——————————————————-
CDP Version: 2
TTL: 180 ms
Checksum: 0×7282

Device ID: cisco-ap.mydomain.net

Software version: Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 23-Aug-06 16:42 by kellythw

Platform: cisco AIR-AP1231G-E-K9

Addresses: 1
Address #: 1
Protocol type: [1] NLPID format
Protocol: [0xCC] IP
IP Address: 157.228.87.1

Port ID: Dot11Radio0

Capabilities:
[0x02] Transparent bridge

You can download CDPSnarf here:

CDPSnarf 0.1.6

Or read more here.

Technorati Tags: , , , , , , , ,

Technitium MAC Address Changer v4.8 Released for Download - Free

Published at April 28, 2008 in Network Hacking, Hacking Tools, Hack and Applications. Comments

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must tool in every security professionals tool box. Technitium MAC Address Changer is coded in Visual Basic 6.0.

There are some famous, commercial tools available in the market for US$19.99 to as much as US$1500 (!), but Technitium MAC Address Changer is available for FREE. We don’t charge for just changing a registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim!

Features

  • Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
  • Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
  • Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
  • Allows you to select random MAC address from the list of manufacturers by just clicking a button.
  • Restarts your NIC automatically to apply MAC address changes instantaneously.
  • Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
  • Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
  • Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.

You can download Technitium MAC Address Changer v4.8 here:

Technitium-MAC-Address-Changer

Or read more here.

[tags]change mac address, change mac address windows, free-software, freeware mac changer, mac address changer, mac-changer, network-security, Security Software, technitium, technitium mac adress changer, tmac[tags]

Pass-The-Hash Toolkit v1.3

Published at April 27, 2008 in Windows Hacking, Hacking Tools, Applications and Articles. Comments

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is comprised of three tools: IAM.EXE, WHOSTHERE.EXE and GENHASH.EXE.

GENHASH.EXE
This is just a utility that uses some undocumented Windows functions to generate the LM and NT hash of a password. This tool is useful to test IAM.EXE and WHOSTHERE.EXE and perhaps to do some other things. Pretty simple and small tool.

IAM.EXE
This tools allows you to change your current NTLM credentials without having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE.

WHOSTHERE.EXE
This tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let’s say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller.

You can download Pass-The-Hash Toolkit v1.3 here:

Source Code

Latest stable release (1.3), updated on February 29, 2008.

Win32 binaries

Latest stable release (1.3), updated on February 29, 2008.

Or read more here.

Technorati Tags: , , , , , , , , , , ,