The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘Tools’ Category

WPA’s TKIP cracked in 12 to 15 minutes

Posted by Xavier Ashe on November 8, 2008

According to several sources, security researchers Erik Tews and Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by WPA. Cracking the TKIP key was never thought to be an impossible feat and it was previously thought that the angle of attack would be via a massive dictionary attack over an extended period of time.

Tews and Beck, however, did not use a dictionary attack to crack TKIP. According to Dragos Ruiu (via this Network World article), the organizer of the PacSec conference where Tews plans on discussing the crack, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt.

And how long did it take Tews and Beck? 12 to 15 minutes.

Beck, creator of the Aircrack security tool, has also added the ability to exploit this weakness over the past two weeks. Note, this attack only impacts WPA and not WPA2, which is still deemed “safe”. Over the past few years people who were using WEP, which was determined to be an unsafe and easy to crack protocol, were advised to switch over to WPA to prevent an attack of this magnitude. Now many enterprise customers will be left scratching their heads and wondering how long it will be until they have to switch to something other than WPA2…and at what cost.

From Andrew Hay’s Blog.


Posted in Security, Tools | Leave a Comment »

DEFCON 16: List of tools and stuff released

Posted by Xavier Ashe on August 20, 2008

DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique.

I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse, it’s hard to find all of the “stuff” they release.

Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

Posted by Ryan Naraine at ZDnet.


USB Snoop: A USB Sniffer

Posted by Xavier Ashe on July 27, 2008

USBSnoop is a program (driver) that logs the USB data exchange between hardware and device driver. Best part is, it is OPEN SOURCE.

It is based on the WDM architecture (Windows Driver Model), which supports the insertion of a filter between device drivers. In this case, the filter itself is a driver.

Also, it is very easy to install. All you need to do is copy the driver to your ‘drivers’ directory (normally c:\windows\system32\drivers for Windows XP & c:\WINNT\system32\drivers for Windows 2000). Then, you need to configure the sniffer front-end sniffusb.exe and then use the device that needs to be sniffed. This program saves the logs in your Windows drive with the name usbsnoop.log.

This application is compatible with Windows 98, Windows 2000, Windows XP.

Download the latest version (though not updated in a LONG time) here (version 1.8).


Found on


DecaffeinatID: A Very Simple IDS

Posted by Xavier Ashe on June 25, 2008

This project started because I wanted a simple ARP Watch-like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of “reindeer games” that often happen at coffee shops and hacker cons. For more information on the sort of attacks I’m talking about see my article Caffeinated Computer Crackers. It’s not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

Read more and download DecaffeinatID from Irongeek.



Posted by Xavier Ashe on June 6, 2008

Many (if not most) VoIP devices have available a Web GUI for their configuration, management, and report generation. These Web GUIs are often on by default, meaning that the moment you install the IP phone or IP PBX, the Web GUI is immediately available on the network. And unfortunately it is also common for the username and password to have the default values. Sipflanker will help you find these SIP devices with potentially vulnerable Web GUIs in your network.

Download it here

You can find a list of default IP phones and other SIP devices here.


Disguise your Surfing Traffic with AntiPhorm

Posted by Xavier Ashe on May 23, 2008

AntiPhorm (Lite) is a surfing simulator that runs independently and silently in the background of your PC. It connects to the web and intelligently simulates natural surfing behavior across thousands of customizable topics while you surf the web for your own special interests, or while you do something else entirely. This creates a background of noise blurring, disguising and inverting your own online interests from prying eyes. We believe our technology is indistinguishable from that of a typical user engaging the internet. To support this claim we have introduced a preview mode that works with any of your preferred browsers, and together with a detailed reporting system and a host of custom options each AntiPhorm Lite user can appear unique.

If you suspect your data is being tracked and sold, a solution is to make the data they collect absolutely worthless. At least now you have that option.

Download AntiPhorm Lite.


Pass-The-Hash Toolkit

Posted by Xavier Ashe on February 2, 2008

Pass-The-Hash Toolkit v1.2 is available.

What is Pass-The-Hash Toolkit?

Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on


From Hexale.


The evil side of Firefox extensions: FFsniFF (FireFox sniFFer)

Posted by Xavier Ashe on May 16, 2007

FFsniFF is a simple Firefox extension, which transforms your browser into the html form sniffer. Every time the user clicks on the 'Submit' button, FFsniFF will try to find a non-blank password field in the form. If it's found, the entire form (also with URL) is sent to the specified e-mail address. It also has the ability to hide itself in the 'Extensions manager'.

Get the bits from azurIt.



Posted by Xavier Ashe on April 18, 2007

Logsurfer is a program for monitoring system logs in real-time, and reporting on the occurrence of events. It is similar to the well-known swatch program on which it is based, but offers a number of advanced features which swatch does not support.

Logsurfer is capable of grouping related log entries together – for instance, when a system boots it usually creates a high number of log messages. In this case, logsurfer can be set up to group boot-time messages together and forward them in a single Email message to the system administrator under the subject line “Host xxx has just booted”. Swatch just couldn't do this properly.

Logsurfer is written in C – this makes it extremely efficient, an important factor when sites generate a high amount of log traffic. I have used logsurfer at a site where a logging server was recording more than 500,000 events per day – and Logsurfer had no trouble keeping up with this load. Swatch, on the other hand, is based on perl and runs into trouble even when dealing with a much smaller rate of log traffic.

Neat little tool from Kerry Thompson.
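The context grouping described above, as an added illustration written for this page (it is not Logsurfer's code or configuration syntax): a boot marker opens a per-host context, later lines from that host are swallowed into it, and the group is flushed as a single “Host xxx has just booted” report, while a rule that matches outside any context still reports per line. The hostnames and log lines are constructed.

```python
"""Logsurfer-style context grouping over syslog lines (added example).
A real deployment would also close a context on a timeout or a maximum
line count; this version closes on an end marker or at end of input."""
import re

# Constructed sample syslog lines; hosts and messages are made up.
SAMPLE_LOG = """\
Mar  1 08:00:01 web01 kernel: Linux version 2.6.18 booting
Mar  1 08:00:02 web01 kernel: Memory: 2048MB available
Mar  1 08:00:03 db01 sshd[402]: Failed password for root from 10.0.0.9
Mar  1 08:00:04 web01 init: entering runlevel 3
Mar  1 08:00:05 web01 sshd[118]: Server listening on 0.0.0.0 port 22
Mar  1 08:00:06 db01 sshd[402]: Failed password for root from 10.0.0.9
Mar  1 08:00:07 web01 kernel: boot completed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
BOOT_START = re.compile(r"kernel: Linux version")   # opens a boot context
BOOT_END = re.compile(r"kernel: boot completed")    # closes it (constructed marker)
# Rules that fire on their own when no context is open for the host.
SINGLE_ALERTS = [re.compile(r"Failed password for root")]


def watch(log_text):
    """Return (reports, alerts): one grouped report per boot, one alert per
    matching line that arrived outside an open context."""
    contexts = {}           # host -> lines collected since its boot marker
    reports, alerts = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if BOOT_START.search(msg):
            contexts[host] = [line]          # open a context for this host
            continue
        if host in contexts:
            contexts[host].append(line)      # swallowed, no per-line alert
            if BOOT_END.search(msg):
                reports.append({"subject": f"Host {host} has just booted",
                                "lines": contexts.pop(host)})
            continue
        if any(r.search(msg) for r in SINGLE_ALERTS):
            alerts.append(line)
    # Flush contexts still open at end of input so nothing is lost.
    for host, lines in contexts.items():
        reports.append({"subject": f"Host {host} has just booted", "lines": lines})
    return reports, alerts
```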


VoIP Security Tool List

Posted by Xavier Ashe on March 31, 2007

This VoIP Security Tool List provides categories, descriptions and links to current free and commercial VoIP security tools. Each commercial tool is indicated by the following icon next to it:

The key objectives of this list are as follows:

  1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA's Best Practices Project.
  2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and
  3. Provide vendors the information needed to proactively test their VoIP devices' ability to function and withstand real-world attacks.

Very good list from VoIPSA.


23C3 – new hacker tools for Bluetooth

Posted by Xavier Ashe on January 2, 2007

Two new tools, BTCrack and Hidattack (link to TAR file download), were released today (Friday) at the 23rd Chaos Communication Congress in Berlin. They demonstrate serious security vulnerabilities in Bluetooth at the protocol level. BTCrack permits hacking the pairing of two Bluetooth devices. Hidattack permits remote, external control of a wireless Bluetooth keyboard, so that it is possible to make keyboard entries on the connected computer.

BTCrack builds on a Bluetooth described by Israeli researchers Avishai Wool and Yaniv Shaked in 2005. This vulnerability means that it is possible to listen in on the connection between devices connected by short range radio directly, during pairing and thus crack the encryption system. The connected devices are tricked into thinking that their counterpart has forgotten the so-called link key, which is not required for PIN entry. This kicks off a new pairing process. This offers an attacker the opportunity to record the required data using a Bluetooth sniffer.

Hidattack exploits the HD server (human interface device) installed with many Bluetooth keyboards. The program, penned by Colin Mulliner, by bypassing the PIN request in a similar manner connects to this little server and can then pretend to be the keyboard. Zoller elucidated one application possibility for Hidattack – if the keyboard were in a nearby bank and were connected to a terminal that was visible using a telescope, it might be possible, for example, to carry out transactions. In this scenario it would be possible to operate the terminal almost as if you were sitting right in front of it. The only thing missing would be the mouse.

More on Heise Security.


Cain & Abel v3.9 released

Posted by Xavier Ashe on November 21, 2006


New features:
– Added Ophcrack's RainbowTables support for NTLM Hashes Cryptanalysis attack.
– Added ability to dump MSCACHE hashes directly from SYSTEM and SECURITY registry hive files.
– MSCACHE Hashes Cryptanalysis via Sorted Rainbow Tables.
– ORACLE Hashes Cryptanalysis via Sorted Rainbow Tables.
– New RainbowTable types have been added to Winrtgen v2.0. “mscache” and “oracle” tables can be used against MSCACHE and ORACLE hashes for specific usernames that can be set in the configuration dialog.



Posted by Xavier Ashe on July 24, 2006

Nepenthes is a low interaction honeypot like honeyd or mwcollect. Low Interaction Honeypots emulate _known_ vulnerabilities to collect information about potential attacks. Nepenthes is designed to emulate vulnerabilities worms use to spread, and to capture these worms. As there are many possible ways for worms to spread, Nepenthes is modular. There are module interfaces to

  • resolve DNS asynchronously
  • emulate vulnerabilities
  • download files
  • submit the downloaded files
  • trigger events (sounds abstract and it is abstract but is still quite useful)
  • handle shellcode

Click here for the project home. Found on Bruce Schneier's blog.



Posted by Xavier Ashe on July 22, 2006

is a live DVD collection featuring the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) as per Darknet (see article here) on one single DVD.

The live DVD collection features the following security based live distributions (click names for further information):

  1. BackTrack 1.0
  2. Operator v3.3.20
  3. PHLAK v0.3
  4. Auditor v200605-02
  5. L.A.S. Linux – Local Area Security v0.5
  6. Knoppix-STD v0.1
  7. Helix v1.7
  8. F.I.R.E. v0.3.5
  9. nUbuntu vFlight 6
  10. INSERT Rescue Security Toolkit v1.3.6

Get the SecureDVD here.


New Behavioral Analysis Rootkit Detection Tool

Posted by Xavier Ashe on July 18, 2006

Helios is an advanced malware detection system. It has been designed to detect, remove and inoculate against modern Windows rootkits. It performs behavioral analysis as opposed to signature based analysis and is able to detect rootkits in real-time as well as unhide hidden processes and restore hijacked system functions.

A public technology preview can be downloaded from here.
Also provided are videos of Helios in action and a whitepaper on the technology.



Fyodor updates Top 100 Security Tools

Posted by Xavier Ashe on June 27, 2006

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying “I don't know where to start”.

Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security were counted because the survey was taken on a Nmap mailing list. This audience also means that the list is slightly biased toward “attack” tools rather than defensive ones.

Nessus, Wireshark, Snort, Netcat and Metasploit Framework hit the top 5. Google is #34. Tor is #59.

See the Top 100 Security Tools.


Nessus for Windows Public Beta

Posted by Xavier Ashe on June 27, 2006

Tenable Network Security, Inc. is proud to announce the immediate availability of Nessus 3.0.3 (build 180).

Nessus 3.0.3 fixes several bugs and adds some enhancements over Nessus 3.0.2 and adds support for the Microsoft Windows and Sun Solaris operating systems.

This release contains the following fixes and improvements:

– nessusd would stop in a middle of a scan if the log file is bigger than 2 gigabytes
– nessusd would stop in a middle of a scan due to a hard to trigger one-byte memory overwrite issue
– ping/packet forgery would fail when scanning a network over a NIC which was not enabled when nessusd initially started up
– performance problems would arise when reading/writing KB files when scanning big networks
– nasl -T - script.nasl now makes script debugging easier
– Slightly faster initial plugins processing
– More robust plugins database backend
– On Mac OS X, users can be managed graphically thru the Nessus Server Manager program
– Updated the plugins distributed with the archive

Nessus 3.0.3 is available immediately for Linux, FreeBSD, Mac OS X, Solaris and as a public beta for Microsoft Windows. More Information


Ethereal changes name to Wireshark

Posted by Xavier Ashe on June 15, 2006

Gerald Combs, founder of the Ethereal project — billed as the world's most popular network protocol analyzer — caused a flurry of excitement among users and developers Wednesday when he announced on the Ethereal developers mailing list that he was changing jobs, moving to a new location, and taking the project and its core developers with him as he leaves.

His initial announcement to the list provided some explanation:

I recently accepted a job with CACE Technologies, best known for WinPcap. This means that I get to work with Loris Degioanni and Gianluca Varenni, and that my wife and I get to raise our daughter in Davis, CA.

The move also means a major change for the project. We're continuing development under the name “Wireshark”, at The web site, mailing lists, bug tracker, SVN repository, buildbot, and other resources are already in place. All recent source code submissions have been checked into the new repository, and automated builds are available at

The next version of Wireshark will be 0.99.1. A prerelease version, 0.99.1pre1, is available for download right now at

Read the full article on NewsForge. It goes into further explanation of what happened to the Ethereal name.


Windows Forensic Toolchest

Posted by Xavier Ashe on May 22, 2006

The Windows Forensic Toolchest (WFT) was written to provide an automated incident response [or even an audit] on a Windows system and collect security-relevant information from the system. It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner. A knowledgeable security person can use it to help look for signs of an incident (when used in conjunction with the appropriate tools). WFT is designed to produce output that is useful to the user, but is also appropriate for use in court proceedings. It provides extensive logging of all its actions along with computing the MD5 checksums along the way to ensure that its output is verifiable. The primary benefit of using WFT to perform incident responses is that it provides a simplified way of scripting such responses using a sound methodology for data collection. Click here for a screen capture of WFT's main screen.

Windows Forensic Toolchest (WFT) was written to be forensically sound and has been validated through my efforts to complete the SANS GIAC Certified Forensic Analyst (GCFA) practical assignment. If you have ever seen Incident Response Collection Report (IRCR), then Windows Forensic Toolchest is substantially equivalent in base functionality. IRCR claims to be “similar to The Coroner's Toolkit (TCT) by Dan Farmer & Wietse Venema”, but it essentially serves as a wrapper program to automate the running of several other command line programs for the purpose of taking a “snapshot of the system in the past”. The Windows Forensic Toolchest (WFT) was born based on my desire to have a tool that surpassed IRCR in flexibility, while being forensically sound in its implementation. Click here for a screen capture of WFT running.

Download WFT from Fool Moon Software and Security.
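The “log every action and checksum every output” approach the WFT description outlines, as an added example written for this page (it is not WFT's code): each collection step is run, its output stored, and the command, start time, exit status and MD5 of the output recorded in a log that can later be re-verified to show the collected files are unchanged. The two collection steps are constructed stand-ins for real forensic tools so the script runs anywhere.

```python
"""Hash-verified collection runner in the spirit of WFT (added example).
MD5 is used because that is what the WFT description names; for new work
SHA-256 is the better choice, since MD5 collisions are practical today."""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path

# Constructed stand-in steps: (label, argv). WFT runs real Windows tools here;
# the Python interpreter is used so the example is portable and offline.
COLLECTION_STEPS = [
    ("sysinfo", [sys.executable, "-c", "import platform; print(platform.platform())"]),
    ("processes", [sys.executable, "-c", "import os; print(os.getpid())"]),
]


def md5_of(path):
    """MD5 hex digest of a file, read in chunks so large outputs are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(outdir, steps=COLLECTION_STEPS):
    """Run each step, store its stdout as <label>.txt and write a JSON log
    entry per step (command, start time, exit status, output file, MD5).
    Returns the path of the log file."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    entries = []
    for label, argv in steps:
        started = time.strftime("%Y-%m-%dT%H:%M:%S")
        proc = subprocess.run(argv, capture_output=True, timeout=30)
        out_file = outdir / f"{label}.txt"
        out_file.write_bytes(proc.stdout)
        entries.append({"step": label, "command": argv, "started": started,
                        "exit_status": proc.returncode,
                        "output": out_file.name, "md5": md5_of(out_file)})
    log_file = outdir / "collection_log.json"
    log_file.write_text(json.dumps(entries, indent=2))
    return log_file


def verify(log_file):
    """Recompute every output's MD5 against the log; return the labels whose
    file no longer matches (an empty list means the collection is intact)."""
    log_file = Path(log_file)
    entries = json.loads(log_file.read_text())
    return [e["step"] for e in entries
            if md5_of(log_file.parent / e["output"]) != e["md5"]]
```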


SMTP content filter security and PIRANA

Posted by Xavier Ashe on April 5, 2006

PIRANA is an exploitation framework that tests the security of an email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform.

Download PIRANA here: pirana-0.2.1.tar.gz. From Jean-Sébastien Guay-Leroux.

