Top 100 Network Security Tools

January 11th, 2009 at 08:40am Under Enumeration+ Information Security+ Penetration Testing+ Scanning


#1 Nessus : Premier UNIX vulnerability assessment tool
Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free “registered feed” version in 2008. A limited “Home Feed” is still available, though it is only licensed for home network use. Some people avoid paying by violating the “Home Feed” license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

 The complete list >> http://sectools.org <<

By mohd

Cookies: what information do they contain? Can I block them?

January 4th, 2008 at 09:48am Under Scanning

A good way to see what your cookies contain is the shareware tool “Cookie Spy SE”. Cookie Spy SE is a complete manager for the cookies installed by the web sites you visit. An easy-to-use interface lets you delete and permanently block spyware cookies, or allow the ones you want to keep, such as those that remember who you are when you log in to a site. Once a site is blocked you will never receive a cookie from that site again. The Filters Lists make it easy to change or remove the entries you’ve blocked or allowed.

Cookie Spy SE 

Some Cookies are harmless and in fact helpful but more sites and programs are using them now to get your email address, shopping habits and other personal details.  It’s not uncommon for computers to have hundreds and even thousands of Spy Cookies installed and most often when you delete them they’re installed again when you revisit the site.  Cookie Spy SE allows you to permanently block those you don’t want.

Download Cookie Spy SE

By guru

How strong is your password - Check it with Password checker

December 15th, 2007 at 06:20am Under Password Cracking

Test the strength of your passwords: enter a password in the text box and Password Checker helps determine its strength as you type.

Thanks to Microsoft, who have made a simple tool to check how strong your password is; try it by clicking the link below:

http://www.microsoft.com/protect/yourself/password/checker.mspx

If the link above doesn’t work, copy and paste it into your browser.

Note: Password Checker can help you to gauge the strength of your password. It is for personal reference only. Password Checker does not guarantee the security of the password itself.

Thanks..

Guru !

By guru

ICMPENUM 1.1

August 31st, 2007 at 04:04pm Under Enumeration

Description

Host enumeration is the act of determining the IP addresses of potential targets on a network. Icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and ICMP Information packets. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is useful for enumerating networks that block ICMP Echo packets but have failed to block Timestamp or Information packets, or for upstream sniffing of trusted addresses.

This is a proof-of-concept tool to demonstrate possible distributed attacking concepts, such as sending packets from one workstation and sniffing the reply packets on another.

Installation

1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).

2. Install the latest Libnet (http://www.packetfactory.net/libnet/).

3. Compile icmpenum as follows:

gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap

4. Copy icmpenum to your fave directory and (as root) start enumerating.

Usage

Running icmpenum -h gives you the following screen:

# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
   opts are h n p r v
     -h this help screen
     -n no sending of packets
     -p promiscuous receive mode
     -r receiving packets only (no
     -v verbose
  -c class C in x.x.x.0 form
  -i icmp type to send/receive, types include the following:
	1 echo/echo reply (default)
	2 timestamp request/reply
	3 info request/reply
  -d device to grab local IP or sniff from, default is eth0
  -s spoofed source address
  -t time in seconds to wait for all replies (default 5)
   host(s) are target hosts (ignored if using -c)

Examples

Here are some example uses of icmpenum to enumerate hosts.

Example 1:

[Host1]# icmpenum 192.168.1.1 192.168.1.2

This will use the default of Echo packets to try to determine whether 192.168.1.1 and 192.168.1.2 are up and running.

Example 2:

[Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200

This will enumerate the two hosts using Timestamp packets in verbose mode.

Example 3:

[Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2

This will enumerate hosts 192.168.1.1 and 192.168.1.2 using Information packets with a spoofed source address of 10.10.10.10; since our real address is 10.10.10.11, we use the -p option to listen promiscuously for the replies.

Here are some more advanced uses of icmpenum.

Example 4:

Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that the network 1.1.1.0 has potential hosts to enumerate, we use the following two entries to enumerate with Information packets:

[Host2]# icmpenum -r -t 30 -i 3 -c 1.1.1.0

[Host1]# icmpenum -s 7.7.7.7 -i 3 -c 1.1.1.0

Host2 starts first in receive mode with a timeout of 30 seconds and starts listening for Information packets from the 1.1.1.0 network. Then Host1 starts sending spoofed packets with Host2 as the source address, sending exactly what Host2 is listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1’s site could have 7.7.7.7’s address all over them, but the -r function is good for testing.

Example 5:

Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that Host2 can sniff traffic between 1.1.1.0 and 2.2.2.0, we use the following entries to enumerate the 1.1.1.0 network:

[Host2]# icmpenum -t 20 -n -p -i 2 -c 1.1.1.0

[Host1]# icmpenum -s 2.2.2.2 -i 2 -c 1.1.1.0

Host2 starts first with a timeout of 20 seconds, makes sure not to send the packets with the -n option, listens promiscuously for Timestamp packets from the 1.1.1.0 network. Host1 sends the exact packets Host2 is listening for with a 2.2.2.2 spoofed source address. Yes, one could simply replace the -n option in Host2’s command line with -s 2.2.2.2 and do the same thing from one workstation, but we’re demonstrating a distributed concept.

Additional Comments

As stated, this demonstrates distributed host enumeration. The code actually works, and can be used for both good and evil purposes. Both admins testing their networks and bad guys probing will find uses for icmpenum. For example, the verbose mode will not only report the total number of expected packets received (when in a receiving mode), but also “unexpected” ICMP packets going to the addresses being targeted. If countermeasures are in place to “probe the prober”, these packets could show up in the “unexpected” count. If you’re testing your countermeasures, you can determine whether they are working. If you’re a black hat, you’ve possibly been detected. In fact, if you get a couple of expected packets back on the first volley yet no packets after that on repeated volleys to the same addresses, you might have tripped an intrusion detection system into shutting off your spoofed source address. Once again, admins can test their IDS, and bad guys can counterdetect the IDS in action. In fact, a really mean bad guy might start forging probes from the target’s business partners and big customers to start a “denial of service”.

Download

Download icmpenum-1.1.1tgz Tool

Mirror Download icmpenum-1.1.1tgz Tool 

Closing

Bugs and comments are welcome. Send them to me at thegnome@nmrc.org(at home) or at thegnome@razor.bindview.com (at work).

Shouts to my fellow BindView RAZOR team homies, for allowing me to bug them with annoying questions about ICMP and networking, and providing encouragement and pointers regarding coding.

Simple Nomad
RAZOR Sr. Security Analyst
BindView Corporation

Chief Gray Hat
Nomad Mobile Research Centre

By guru

WarScan 0.7.2 - An Internet Scanner Dispatch

August 31st, 2007 at 03:58pm Under Scanning

Description

A vehicle for automating any test exploit in an efficient, timely, and large-scale manner.

Abstract

Using Warscan anyone can automate efficient large-scale security tests of any kind on entire networks at a time. Warscan is simply the front end that generates IPs and dispatches your testing script. It will take anything from a single hostname (which likely defeats its purpose) to a Class A domain IP, to reading in a file of predefined hosts (IP or domain).

Explanation

Warscan is not an exploit of any resource, by any means. It is simply a vehicle for automating any test exploit in an efficient, timely, and large-scale manner. Much in the same style of IPD, Warscan can retrieve its list of hosts from a flat text file, or instead you can ask it to generate the hosts for you. Once it has its hostlist, it will then call the script you specify (inside Warscan) with a single argument of the hostname to scan. So what does this mean? Basically, anyone with a security exploit can automate their exploit over large numbers of hosts in a relatively short amount of time.

Features

  • Can create and work in different directories unique to the scan (‘-d’).
  • Load hostnames from a file, or generate hostnames (IP) for you (Class A-C).
  • Using the ‘%’ operator, you can construct enumerated DNS’s, ‘dial%.isp.com’.
  • Warscan generates ‘%’s when you specify incomplete IP addresses, such as a Class A, B, or C specification. See the EXAMPLES file for a better idea of what this means.
  • Save final list of hosts (if generated) for later use (’-o’). Default is ’servers’, in the current directory. If the file in the working directory cannot be opened, a last ditch effort at ‘/tmp/servers’ is made.
  • Mass Parallel Ping $MaxPing (‘-P’) hosts at a time, and weed out non-responsive IPs from the target server list. It is recommended that the Ping Timeout (‘-t’) be raised gradually if ‘-P’ is increased past 25.
  • Mass Parallel Scan $MaxScan hosts at a time recursively (IPD).
  • Ping scan only (’-p’). Does an ‘fping’ of specified hosts/networks. The number of hosts to ping in parallel can be manipulated with the ‘-P’ switch.
  • Ability to call specified script (’-s’) with arguments. ‘-A’ specifies arguments After, ‘-B’ specifies arguments Before. Enclose multiple arguments in quotes. See the EXAMPLES file for ideas on how to use this.
  • Interrupted scans will attempt to save any worthy information already retrieved. This means if you break in the middle of the Verify phase, the verified servers will still be saved to file. If you break out of the Probe phase, the list of unscanned servers will be dumped to file.

Requirements

  • PERL 5.004 or greater
  • Standard PERL library (POSIX::, Getopt::Std, Socket, Cwd)
  • *NIX environment

(NOTE: An attempt to port Warscan to Win32 Perl has been made, and failed. Win32 Perl does not support fork(), which is the basis of multiple scans. If anyone tries to make use of Win32 Threads, please let me know.)

Parameters

The following is a simple explanation of the various switches that Warscan understands.

The ‘%’ Meta Character
Quite simply, wherever a ‘%’ is encountered in the host template specification, it will be replaced with 1 to $IPLimit (set by ‘-L’) in the host list. You can specify as many as you want.
-f <servers>
Read in targets from file, 1 per line. If specified, the host template is not required, and will be ignored.
-s <script>
Run script with host list. Default script to run is ‘scan’. Warscan will search your $PATH environment variable and the working directory for the script you specify.
-P <num>
Number of pings to run in parallel. Default is 10. More is generally better, but not always. Use in good measure; you need good bandwidth to really make any intelligent use of more Pings. You should consider increasing the Ping Timeout (’-t’) gradually along with -P, to give Warscan more time to receive responses from hosts.
-S <num>
Number of scans to run concurrently. The default is 20, and is based on a Pentium 100Mhz CPU running with 64MB of RAM. NOTE: Also note the login shell’s process limits. Some shells, for instance, limit the number of dispatchable, concurrent user processes to 256. Warscan will dispatch as fast as it can, but if your system is slow, the previously dispatched processes will zombie and linger for up to a minute or longer until the system has an opportunity to clean them up. This means that you could potentially hit your upper limit of allowable CPU processes if you play around with ‘-S’ too much. Warscan will continue to plod along, warning you that you are out of processes, until more free up. It will wait one second for every fork() error, in case the problem is that the system is overwhelmed and doesn’t have time to clean up. To be clear, however, the host scans that fail as a result of fork() failures are exactly that, failed — scans were not executed on them.
-L <num>
Upper limit for IP/DNS generation. The default is 254. Why is it useful to change this value? Well, the immediate reason is for the DNS hostname generation feature of Warscan. For instance, you could specify:
% warscan dial%.some-isp.com
and Warscan would generate addresses “dial1.some-isp.com” to “dial254.some-isp.com”. Using ‘-L’ you could set that limit higher, if desired. In other situations, you don’t want to scan an entire network, maybe just the first 100 hosts. ‘-L 100’ will do just that.
-t <num>
Ping timeout. Default is 2 (seconds). As discussed before, if you set ‘-P’ to a high number, you want to gradually increase ‘-t’ along with it.
-d <dir>
Put results/run in directory ‘dir’. Warscan will create <dir> if it does not exist, and then change to that directory. This is useful for scripts that have file output.
-A <str>
Argument(s) to pass to the script after the hostname. If specifying multiple arguments, enclose them in quotes. See the EXAMPLES file for a better idea of what is meant.
-B <str>
Arguments to pass to the script before the hostname. If specifying multiple arguments, enclose them in quotes. Again, see the EXAMPLES file for a better idea of what is meant.
-o <file>
File to dump verified servers to. Default is “servers”. If the file cannot be opened in the working directory, a last ditch effort to open the file in the ‘/tmp’ directory will be made.
-n
No server dump file. Do not attempt to save any information to file.
-p
Ping scan only. Don’t dispatch a script on the host list, just ping them.
-D
Turn on debugging. Increases verbosity.
-V
Turn off verification. This means that we won’t bother to ping hosts.
-e
Extra output. Wait for and print output from scripts. By default Warscan ignores any stdout output from the scripts it dispatches (you will still see stderr output); the key point is to spend as little time as possible scanning the host(s) you specify. This switch causes Warscan to wait until the dispatched scripts close their end of the pipe. It is NOT a recommended switch, as processes will seemingly hang while waiting to complete.
-v
Version information. Output version information and exit.
-h
Print out brief help message detailing options.

Future

Planned improvements to Warscan include parallel ping code for UDP and TCP sockets, width modifiers for % evaluation (dial002.some-isp.com) and the possible merging of pmap (port scanner under development).

Final Note

Please understand the driving nature behind Warscan — Speed and Quantity. This program is intended to maximize your system’s resources as much as possible. Be careful when tweaking switches like ‘-S’ and ‘-P’; you could quite possibly kill your system and bring it to a grinding halt.

Personal Warranty

No warranty is given by the author, express or implied, for this program, or the programs that this software runs. The author may not be held responsible or liable for the uses, express or implied, of this software and other software included, explained, or developed specifically for this software. Possession of this software constitutes consent to agreement of these terms.

See the COPYING file for full licensing and warranty information.

Acknowledgements

Thanks to balif and desslok for creating IPD; their idea for recursing over scans was a good one. Thanks to fyodor for knowing everything about port scanning and writing nmap, by far the world’s best (free) Internet Port Scanner. Thanks to friends who have helped debug and suggest improvements. Also, thanks to all the #perl gurus on EFnet.

Download

Download warscan Tool

Mirror Download warscan Tool

Contact

The author can be reached at nocarrier@darkridge.com, or can be found lurking on various IRC channels (#perl, ..) on EFnet.
by nocarrier

By guru

Despoof Tool

August 31st, 2007 at 03:39pm Under Enumeration

Description

Despoof is a free, open source tool that measures the TTL to determine if a packet has been spoofed or not.

What It Is

A command-line anti-spoofing detection utility. The idea is simple — if you receive a packet that you suspect is spoofed, try to determine the real TTL of the packet and compare it to the TTL of the packet you received.

Installation and Usage

Make sure you have libpcap 0.4 and libnet 1.0 (later versions of these programs may work, ymmv).

 tar xvzf despoof*tgz
 cd despoof*
 gcc `libnet-config --defines` -o despoof despoof.c -lnet -lpcap
 cp despoof /fave/dir/in/root's/path

Running despoof requires root access.

# ./despoof -h
USAGE:
./despoof [opts] [-d dev] [-i 0-3] [-l|p num ] [-s src] [-t sec] [-T TTL] target
   opts are a h v
     -a set ACK flag on TCP packets (does nothing on ICMP)
     -h this help screen
     -v verbose
  -d device to grab local IP or sniff from, default is eth0
  -l local port to bind to, default is 80
  -p target port to send to, default is 80
  -i inquery packet type to send/receive, types include the following:
	1  tcp (default)
	2  icmp echo
	3  icmp timestamp
  -s spoofed source address
  -t time in seconds to wait for all replies (default 10)
  -T TTL to test (required)
   target (IP address or hostname)

While a lot of the options are self-explanatory, the rest of this README covers most of the features and why they might be used.

Background

When an IP packet is sent on its merry way towards its destination, it is assigned a Time To Live (TTL) value. This TTL number gets decremented at each router or “hop” on the network along the way. If the number reaches zero, the packet is discarded. This is a way to prevent packets from staying out on the network, lost in a routing loop looking for a destination and wasting bandwidth.

In most implementations of TCP/IP, this number starts out fairly high, and will typically have anywhere from a few hops (local network, or at least to the ISP’s gateway to the Internet) to two or three dozen hops to reach the destination. Therefore there is usually an ample TTL number assigned to handle possible routing changes between the source and destination.

When an attacker is spoofing packets, the attacker is usually at a different location than the address being spoofed, so it makes sense that the attacker’s TTL will be different from the spoofed address’s real TTL. If you check *immediately* after receiving the suspected spoofed packet, odds are pretty good that the route between the source address and your destination address has not changed, so a TTL mismatch is a pretty good indication that the packet has been spoofed.

Deployment

How would you go about deployment of despoof? If you have a firewall, router, or Intrusion Detection System (IDS) that is capable of spawning processes or issuing commands based upon certain events (and can trigger off of the TTL), you can have it launch despoof. If your firewall, router, or IDS can log information to a file with the TTL, you could have a log watcher such as Swatch launch despoof to determine if a packet is spoofed or not.

Most modern firewall, router, and IDS systems allow for fairly flexible logging, and certainly any open-source system could be altered to ensure that logs contain the proper info, such as the TTL.

While it is possible to use despoof for network forensics, the results could be unreliable if enough time has passed since you received the packets.

Since despoof supports full IP spoofing itself (ironic but hey) it is possible to send a packet to query the suspected spoofed address with the original destination address as the source, and to match up the proper source and destination ports. Optionally you can also set the ACK flag (with a random sequence number).

Could a battle between IDS-triggered despoofs on different sites happen? It is possible, but this is always a danger when implementing any automated trigger response to a probe or attack. The best advice I could give is to try and limit the amount of counterprobes to one per suspect address.

Working with Scripts

Try running despoof manually to get a feel for the output. To ease in integration into scripts, regular stdout will spit out messages with one of three keywords — NORMAL, WARNING, and ERROR. NORMAL means that the TTL matched, WARNING means that the TTL did not match, and ERROR means some error occurred trying to determine the TTL (such as a timeout).

Spoofing Despoof

While I did try to make a fairly useful tool, despoof can be defeated in a number of ways. For starters, a clever attacker could perhaps determine the proper TTL for a site being spoofed, probably by sniffing near the target or the forged source address. An attacker could also probe the address being spoofed, and other addresses along the way, and perhaps determine the TTL needed to make the final TTL at the target seem legit. This would of course require a lot more networking skill than your average script kid could muster, but is certainly not impossible.

An attacker could also *not* spoof the packets but adjust the TTL for the attack packets only. Despoof would return a false positive.

Spoofing an address that is behind a firewall is another method that would thwart despoof, if the firewall is blocking what we are sending, which brings us to the next topic.

Firewalls, Routers, and Caveats

Despoof supports ICMP Echo, ICMP Timestamp, and TCP. Most scans and floods will fall into the ICMP or TCP arena (I wish I could support UDP, more on that in a minute). The reason both ICMP Echo and ICMP Timestamp are both supported is because of firewalls and routers. While it is common for ICMP Echo to be blocked, often ICMP Timestamp is not. Therefore I included support for it for checking ICMP since both will return the same TTL.

TCP packets can have both source and destination addresses as well as port numbers adjusted, so filtering routers and some firewalls can be bypassed if the proper parameters are set. It is recommended that if you use full spoofing you set the ACK flag. Incoming SYN packets from a port scan will get a false positive if you respond fast enough, but it might be enough to get through a firewall on the remote end.

I wish I could add UDP support, but unsure how. The trick is to get a UDP service on the target to send a packet, but since UDP is one-way, how do you manage that? The typical scanning method for UDP is to send a TCP ping to establish a RTT then send a UDP packet — if you get an ICMP UNREACH before the RTT expires then the port is closed. This in itself is unreliable (hence the U in UDP, eh?) so getting the exact service we need to cough up the goods is even harder. Firewalls and routers complicate this issue as it is common to block most UDP ports. Granted, if the TCP ping gets through it seems possible that a UDP port *might*, but still.

TTL implementation is interesting. Typically a normal TCP session starts with a TCP packet with a TTL of 64 (the same for UDP). If the target TCP port is closed, the returned TCP RST packet will have a TTL of 255. This means that using despoof without regards to the ports being used could lead to some false positives.

In theory it should be possible to determine the delta hop count, and adjust for the difference between normal TCP and port-closed TCP (or even simply use ICMP). This is the next logical step for despoof, although it will require more research. If UDP support gets added, this is how it will be done. However there may be all kinds of ‘in the wild’ nuances that will have to be uncovered, *and* it assumes every vendor implements TTL the same.
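The delta-hop-count comparison sketched in the Background section and the paragraph above, as an added example in Python (not despoof’s own code). It assumes the common initial TTLs 64, 128 and 255 and constructed sample TTLs, and shows why comparing hop counts avoids the 64-versus-255 false positive that raw TTL comparison produces.

```python
"""Hop-count comparison for TTL-based spoof detection.

Added illustration, not part of despoof.  Instead of comparing raw TTL
values, it infers each packet's initial TTL and hop count and compares
the hop counts, which is the "delta hop count" idea from the README.
The initial-TTL table and the sample packets are assumptions.
"""
from typing import Optional

# Common initial TTLs set by IP stacks (assumption for this example; the
# README mentions 64 for a normal TCP packet and 255 for a RST reply).
INITIAL_TTLS = (64, 128, 255)

# despoof's three result keywords, as described under "Working with Scripts".
NORMAL, WARNING, ERROR = "NORMAL", "WARNING", "ERROR"


def infer_initial_ttl(observed_ttl: int) -> int:
    """Pick the smallest common initial TTL that is >= the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255  # not reachable with the table above; kept for safety


def hop_count(observed_ttl: int) -> int:
    """Hops the packet travelled, assuming one decrement per router."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def classify_raw(suspect_ttl: int, reference_ttl: Optional[int]) -> str:
    """Naive check: raw TTL equality.  Shown only to illustrate the
    false positive the README warns about (64-based SYN vs 255-based RST)."""
    if reference_ttl is None:
        return ERROR
    return NORMAL if suspect_ttl == reference_ttl else WARNING


def classify(suspect_ttl: int, reference_ttl: Optional[int],
             tolerance: int = 0) -> str:
    """Compare hop counts of the suspect packet and the reply elicited
    from the claimed source.  reference_ttl=None models despoof's timeout.
    A reply from the same host via the same route yields the same hop
    count even when its initial TTL differs from the suspect packet's."""
    if reference_ttl is None:
        return ERROR
    try:
        delta = abs(hop_count(suspect_ttl) - hop_count(reference_ttl))
    except ValueError:
        return ERROR
    return NORMAL if delta <= tolerance else WARNING


if __name__ == "__main__":
    # Constructed sample: a suspect SYN arrived with TTL 57 (64 - 7 hops);
    # the probe of the claimed source came back as a RST with TTL 248
    # (255 - 7 hops).  Same path length, different initial TTL.
    print("raw:", classify_raw(57, 248))   # WARNING (false positive)
    print("hops:", classify(57, 248))      # NORMAL
    print("hops:", classify(57, 245))      # WARNING: 7 hops vs 10 hops
    print("timeout:", classify(57, None))  # ERROR
```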

Credits

Based on an idea first proposed by Donald McLachlan [don@mainframe.dgrc.crc.ca]. His idea involved building a TTL map of addresses around himself (network-wise), which could lead to some interesting data in itself (similar to Bill Cheswick’s mapping work). Hopefully Don will publish a paper or put up a web page that explains what he has in mind — I’m not explaining it as fully as I probably should.

Todo

Add icmp unreachable support.
Add TCP sequence number support.
Add support for more TCP flags (such as SYN/ACK, ACK/FIN, etc).
Determine if a delta hop count can be used to check TTL.

Download

Download Despoof 0.9 Tool

Mirror Download Despoof 0.9 Tool

Simple Nomad
thegnome@razor.bindview.com
thegnome@nmrc.org

By guru

Network ngrep 1.40

August 31st, 2007 at 03:05pm Under Enumeration

Goal

To create a program that mimics as much functionality of GNU grep as possible, applied at the network layer.

Description

ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Parameters

ngrep <-hXViwqpevxlDtT> <-IO pcap_dump> <-n num>
	<-d dev> 	<-A num>	<-s snaplen>
	<match expression> <bpf filter>
-h  is help/usage
-X  is interpret match expression as hexadecimal
-V  is version information
-i  is ignore case
-w  is word-regex (expression must match as a word)
-q  is be quiet
-p  is don't go into promiscuous mode
-e  is show empty packets
-v  is invert match
-x  is print in alternate hexdump format
-l  is make stdout line buffered
-D  is replay pcap_dumps with their recorded time intervals
-t  is print timestamp every time a packet is matched
-T  is print delta timestamp every time a packet is matched
-s  is set the bpf caplen
-I  is dump matched packets in pcap format to pcap_dump
-O  is read packet stream from pcap format file pcap_dump
-n  is look at only num packets
-d  is use a device different from the default (pcap)
-A  is dump num packets after a match
<match expression>   is either an extended regular expression or a
	hexadecimal string.  see the man page for more information.
<bpf filter>         is any bpf filter statement.

Known Working Platforms

  • Linux 2.0 - 2.4
    • (RH6+, SuSE, TurboLinux, Debian)/x86
    • RedHat/alpha
    • Debian/powerpc
    • Cobalt (Qube2) Linux/MIPS
  • Solaris 2.5.1, 2.6/SPARC, Solaris 7/x86, Solaris 8/SPARC
  • FreeBSD 2.2.5, 3.1, 3.2, 3.4-RC, 3.4-RELEASE, 4.0
  • OpenBSD 2.4 (after upgrading pcap from 0.2)
  • NetBSD 1.5/SPARC
  • Digital Unix V4.0D (OSF/1)
  • Windows 95, Windows 98, Windows NT 4.0, Windows 2000
  • HPUX 11
  • IRIX
  • AIX 4.3.3.0/PowerPC

Examples

ngrep  -qd eth1 'www' tcp port 80
Be quiet, look only at tcp packets with either source or dest port 80 on interface eth1, look for anything matching ‘www’.
ngrep  -qd le0  in-addr  port 53
Look at all packets with either source or dest port 53 on interface le0 that match ‘in-addr’. Be quiet.
ngrep  'USER|PASS'  tcp port 21
Look only at tcp packets with either source or dest port 21, look for anything resembling an FTP login.
ngrep  -wi  'user|pass'  tcp port 21
Look at tcp packets with either source or dest port 21, that match either ‘user’ or ‘pass’ (case insensitively) as a word.
ngrep -wiA 2   'user|pass'  tcp port 21
Alternatively, match either ‘user’ or ‘pass’ case insensitively, and dump the next 2 packets following (that match the bpf filter).

Download ngrep 1.40 (6.6.2001)

Source:  ngrep-1.40.tar.gz(646KB)

Man page:  ngrep.8.htm (14KB)

Unix Binary:  ngrep-1.40-linux-elf-static.gz (196KB)

Mirror Unix Binary: ngrep-1.40-linux-elf-static.gz (196KB)

RPM:  ngrep-1.40-1.i386.rpm (68.7KB)

Windows Source:  ngrep-1.40-win32-source.zip (130KB - Microsoft Visual C++ project)

Windows Binary:  ngrep-1.40-win32-full.zip (197KB - Source + Win32 binary)

Mirror Windows Binary: ngrep-1.40-win32-full.zip (197KB - Source + Win32 binary)

by Jordan Ritter

By guru

enum tool

August 31st, 2007 at 09:55am Under Enumeration

Purpose

A tool to enumerate, using null and user sessions, Win32 (NT) information.

Description

enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

Usage

enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

  -U  is get userlist
  -M  is get machine list
  -N  is get namelist dump (different from -U|-M)
  -S  is get sharelist
  -P  is get password policy information
  -G  is get group and member list
  -L  is get LSA policy information
  -D  is dictionary crack, needs -u and -f
  -d  is be detailed, applies to -U and -S
  -c  is don't cancel sessions
  -u  is specify username to use (default "")
  -p  is specify password to use (default "")
  -f  is specify dictfile to use (wants -D)

Requirements

  • Microsoft Visual C++
  • Windows NT
  • Sense of Humour

Download

Original Download enum Tool

Mirror Download enum Tool

Author: Jordan Ritter
Version: 1.0

By guru
