4li3n’s after midnight useless news and links – 2011.04.18 (*sl0w-sw4p* edition)

[UPDATE] THC-Amap 5.3 released -> http://goo.gl/LcvWz
[UPDATE] THC-Hydra 6.2 released -> http://goo.gl/Zt20q
[POST] Filejacking: How to make a file server from your browser (with HTML5 of course) -> http://goo.gl/5dQ9O
[MAG] The Hacker News (#1 – April 2011) -> http://goo.gl/h5ywx
[NEWS] Yes Exploit Kit 4.0 -> http://goo.gl/twfDJ
[POST] Microsoft SDL Process Guidance -> http://goo.gl/GyAr6
[DISCLOSURE] Another Microsoft (and other) IPv6 security issue: sniffer detection -> http://goo.gl/DfnVe
[DISTRO] DEFT Linux v.6.1 Released: Computer Forensics live cd -> http://goo.gl/v4l0b
[NEWS] FBI Raids College Kids, Looking for WoW Gold Farming Fraud -> http://goo.gl/hXxAZ
[UPDATE] Armitage UI for Metasploit v04.13.11 Released -> http://goo.gl/w0b9P
[TOOL] GetSploits v0.9: Search Exploits in exploit-db.com database -> http://goo.gl/KGJ20
[TOOL] WebCruiser v2.5.0: Web Vulnerability Scanner -> http://goo.gl/yIQOq
[TOOL] SandCat v4.2: The Web Scanner -> http://goo.gl/IGXbs
[POST] Tech Insight: Updating Your Security Toolbox (free/OS sec tools roundup) -> http://goo.gl/zmRs5
[NEWS] Windows 8 to feature USB-runnable Portable Workspaces -> http://goo.gl/Lr9JT
[UPDATE] SET v.1.3.4, adds set-proxy -> http://goo.gl/VBtxL
[METASPLOIT] Rev. 12330 – Added adobe_flashplayer_flash10o.rb (CVE-2011-0611) -> http://goo.gl/x6vCo
[POST] Reverse connection: ICMP shell -> http://goo.gl/1Q0hj
[UPDATE] New Versions of Wireshark released -> http://goo.gl/wCSMW
[GEEK] 30 Levels of NAT Firewall Lab -> http://goo.gl/FTxOA
[NEWS] European Space Agency (ESA.INT) Hacked – Full Disclosure -> http://goo.gl/LLDe9

4li3n’s after midnight useless news and links – 2011.04.15 (*4-Bi11* edition)

This edition is dedicated to Bill, a good friend whose positive attitude lit the spark back and helped me through dark times. Thanx buddy, we’ll be in touch!

[ADVISORY] Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (CVE-2011-0611) & update -> http://goo.gl/VqCHD , http://goo.gl/10emp
[POST] Network Forensic Analysis of SSL MITM Attacks -> http://goo.gl/CXhQq
[DISCLOSURE] Linksys WRT54G Password Disclosure -> http://goo.gl/XRrjZ
[HOAX?] New *UNLOCK NOW FREE* iOS Virus Deleting Phone/SIM Content -> http://goo.gl/dTRS8
[INFO] iDroid Project (Android for iPhone – thanx @Erethon) -> http://goo.gl/GIUmR
[TOOL] nginx-1.0.0 stable version has been released! -> http://goo.gl/qGVGn
[NEWS] Milw0rm and inj3ct0r Merge Into 1337day.com -> http://goo.gl/Vgub9
[ADVISORY] Microsoft Office File Validation (MSA2501584) -> http://goo.gl/cRKS7
[ADVISORY] Windows Operating System Loader Update (MSA2506014) -> http://goo.gl/6qtOh
[NEWS] Commercial firewalls found vulnerable under TCP Split Handshake -> http://goo.gl/JjYCK , http://goo.gl/knjEb
[NEWS] WordPress.com/Automattic suffered a low-level (root access) compromise -> http://goo.gl/7fKed
[NEWS] Toshiba releases self-erasing drives -> http://goo.gl/ateFT
[INFO] SQLmap and TOR mini tutorial (kudos to Nicolas Krassas) -> http://goo.gl/0ZHkc
[PAPER] Attacking Oracle Web Applications with Metasploit (PDF) -> http://goo.gl/Xt41I
[POST] Execute Metasploit payloads bypassing any anti-virus -> http://goo.gl/K7ZW2

4li3n’s after midnight useless news and links – 2011.04.12 (*b4ck-0n-tr4ck* edition)

[ONLINE] Google Hacking entries -> http://goo.gl/EDPCy
[TOOL] Spooftooph v0.4: The Bluetooth Spoofer -> http://goo.gl/z7xwY
[UPDATE] Armitage 04.10.11 -> http://goo.gl/sEfWK
[SHEET] Notes on password strength -> http://goo.gl/JPNQ1
[POST] Understanding EXT4 (Parts 1-4) -> http://goo.gl/0V6jv , http://goo.gl/tJ9ie , http://goo.gl/S8TQr , http://goo.gl/urCCA
[UPDATE] Kismet 2011-03-R2 -> http://goo.gl/RzOeA
[UPDATE] SET v1.3.3 -> http://goo.gl/pNylt
[UPDATE] Cain & Abel v4.9.40 -> http://goo.gl/EfhTt
[RETRO] C64 Reissued as a full blown PC! -> http://goo.gl/lMrhr
[VIDCAST] PaulDotCom #238 – XSS Street Fighting with Ryan Barnett -> http://goo.gl/CS5Vx
[UPDATE] WiFite version r68: The WEP/WPA Cracker -> http://goo.gl/AHBpa
[TOOL] WhatWeb v0.4.8: CMS fingerprint -> http://goo.gl/6Et03
[TOOL] CryptoNark v0.4.1: SSL scanner/reporter -> http://goo.gl/gxCtI
[POST] CSS and XSS in Melodious Harmony -> http://goo.gl/U51eR
[TOOL] Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) -> http://goo.gl/O2eB7
[iOS] Keylogger for the iOS -> http://goo.gl/OKJLn
[POST] Chinese Magical Hard-Drive! -> http://goo.gl/JZdJK
[GIF] Real men code with MS Paint! -> http://goo.gl/hLMsq
[TOOL] RawCap sniffer for Windows released -> http://goo.gl/Y093V
[POST] Download and Execute shellcode on Windows 7 -> http://goo.gl/YZ3bz
[POST] Blind SQLi techniques -> http://goo.gl/hNzlw
[POST] Dropbox authentication: insecure by design (post & PoC code) -> http://goo.gl/Tn6FI , http://goo.gl/vs2bi
[TOOL] Sqlmap v.0.9 Released -> http://goo.gl/ziGZo
[NEWS] Apple AirPlay Private Key Exposed – HURRY UP! (post & key) -> http://goo.gl/Mq6rr , http://goo.gl/lxTc7

RawCap sniffer for Windows released (via netresec.com)

We are today proud to announce the release of RawCap, which is a free raw sockets sniffer for Windows.

Here are some highlights of why RawCap is a great tool to have in your toolset:

  • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
  • RawCap.exe is just 17 kB
  • No external libraries or DLLs needed
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use

Usage

RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.

C:\Tools>RawCap.exe 192.168.0.23 dumpfile.pcap

You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select NIC and filename:

C:\Tools>RawCap.exe
Network interfaces:
0.     192.168.0.23    Local Area Connection
1.     192.168.0.47    Wireless Network Connection
2.     90.130.211.54   3G UMTS Internet
3.     192.168.111.1   VMware Network Adapter VMnet1
4.     192.168.222.1   VMware Network Adapter VMnet2
5.     127.0.0.1       Loopback Pseudo-Interface
Select network interface to sniff [default ‘0’]: 1
Output path or filename [default ‘dumpfile.pcap’]:
Sniffing IP : 192.168.0.47
File        : dumpfile.pcap
Packets     : 1337

For Incident Responders

RawCap comes in very handy for incident responders who want to be able to sniff network traffic locally at the clients of the corporate network. Here are a few examples of how RawCap can be used for incident response:

  1. A company laptop somewhere on the corporate network is believed to exfiltrate sensitive corporate information to a foreign server on the Internet by using a UMTS 3G connection on a USB dongle. After finding the internal IP address on the corporate network the Incident Response Team (IRT) uses the Sysinternals tool PsExec to inject RawCap.exe onto the laptop and sniff the packets being exfiltrated through the 3G connection. The generated pcap file can be used to determine what the external 3G connection was used for.
  2. A computer is suspected to be infected with malware that uses an SSL tunnelling proxy (stunnel) to encrypt all Command-and-Control (C&C) communication. The data that is to be sent into the tunnel is first sent unencrypted to localhost (127.0.0.1 aka loopback interface) before it enters the encrypted tunnel. Incident responders can use RawCap to sniff the traffic to/from localhost on the Windows OS, which is something other sniffing tools cannot do.
  3. A corporate laptop connected to the company's WPA2 encrypted WiFi is found to have suspicious TCP sessions opened to other computers on the same WiFi network. Incident responders can run RawCap locally on any of those machines in order to capture the WiFi network traffic to/from that machine in unencrypted form.
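Once RawCap has written its dumpfile.pcap, the first triage step is usually to count the packets and list which hosts the machine was talking to. The following is an added example (not code from the netresec post): a small libpcap parser that does exactly that on a constructed sample. It assumes RawCap writes the standard libpcap format with raw-IP records (link type 101, since a raw socket sees no Ethernet header); the parser also accepts Ethernet (link type 1) captures from other tools.

```python
import struct
from collections import Counter

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101  # pcap link types the parser understands

def ipv4_packet(src, dst, proto=6, payload=b"\x00" * 20):
    """Build a minimal IPv4 packet (checksum left zero; enough for parsing)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Write a libpcap blob: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1302998400 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def summarize_pcap(data):
    """Return (packet_count, Counter{(src, dst, proto): n}) for a pcap blob."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # writer's byte order
    if endian is None:
        raise ValueError("not a libpcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    off, count, flows = 24, 0, Counter()
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        count += 1
        if linktype == LINKTYPE_ETHERNET:  # strip the 14-byte frame header
            if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
                continue  # not IPv4, skip
            pkt = pkt[14:]
        elif linktype != LINKTYPE_RAW:
            continue
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # truncated or not IPv4
        src, dst = (".".join(str(b) for b in pkt[i:i + 4]) for i in (12, 16))
        flows[(src, dst, pkt[9])] += 1  # pkt[9] is the IP protocol number
    return count, flows

def demo():
    """Constructed sample: two packets to an Internet host plus one loopback packet."""
    sample = build_pcap([ipv4_packet("192.168.0.47", "203.0.113.9"),
                         ipv4_packet("192.168.0.47", "203.0.113.9"),
                         ipv4_packet("127.0.0.1", "127.0.0.1", proto=6)])
    return summarize_pcap(sample)
```

To triage a real capture, replace the constructed sample with `summarize_pcap(open("dumpfile.pcap", "rb").read())`.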

For Penetration Testers

RawCap was not designed for pen-testers, but I realize that there are some situations where the tool can come in handy when doing a penetration test. Here are some examples:

  1. After getting remote access and admin privileges on a Windows XP machine the pen-tester wants to sniff the network traffic of the machine in order to get hold of additional credentials. Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not need any special driver installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.
  2. After getting admin on a box the pen-tester wants to sniff the network traffic, but the box uses a WiFi network so traditional sniffing tools won’t work. This is when RawCap comes in handy, since it can sniff the WiFi traffic of the owned machine just as easily as if it had been an Ethernet NIC.

Download RawCap

RawCap is provided for free and can be downloaded from here:
http://www.netresec.com/?page=RawCap

Original post: http://www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released