Features

• Create PDF documents from scratch.
• Parse existing documents, modify them and recompile them.
• Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
• High-level operations, such as encryption/decryption, signature, file attachments…
• A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

• detectjs.rb: search for all JavaScript objects.
• embed.rb: add an attachment to a PDF file.
• create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
• moebius.rb: transform a PDF to a moebius strip.
• encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like Snort.

http://opendpi.org/

Deep packet inspection (DPI) hardware can identify an astonishing array of protocols passing across the Internet—up to and including protocols that are rare even to us in the Orbiting HQ (Gadu-Gadu? Manolito? Feidian?). But if you’ve ever wondered just how this can be done, and done at wire speed, wonder no more: Europe’s leading DPI vendor has open-sourced a version of its traffic detection engine.

OpenDPI.org is the new home for ipoque’s open source project; anyone interested can take a look at the code or contribute patches. The goal in this case, though, isn’t so much about crowdsourcing product development but about easing consumer fears about DPI technology.

Klaus Mochalski, CEO of ipoque, explains that “transparency was important for us from the beginning. The lack of transparency from the vendors’ side is widespread in the DPI business. Our thoughts are a bit different and that is why we decided to push this project.”

It can identify a whole range of weird and wonderful protocols including those you’ve never heard of.

The free version is basically a watered down of the commercial product, it’s slow, doesn’t come bundled with some fancy supercomputer grade hardware and can’t handle encrypted transmissions.

I think it will be useful too for people building open source router systems to manage traffic, do traffic shaping and general QoS with much more accuracy (rather than relying on port classification).

The OpenDPI engine, released under the LGPL license, differs from ipoque’s commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn’t reveal ipoque’s methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions.

ipoque apparently wants to convince people that its detection code doesn’t store or examine the actual content being transmitted. The company made the same point in a white paper released last week. “DPI as such has no negative impact on online privacy,” it says. “It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content.

Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management—the classification of network protocols and applications.”

I hope they keep developing the project, or some other folks in the Open Source community step up and turn it into a full blown development fork.

That would be great, harness the existing technology and improve on it.

Because let’s face it, any commercial company releasing an Open Source branch of their software has no incentive to make it that great lest it get better than the stuff they are selling.

Source: Ars Technica

Features

• Injection of packets with bogus data and with randomly selected bad TCP cksum or bad TCP sequences
• Userland binary(tsctrl) for controlling trafscrambler NKE
• SYN decoy – sends out number of SYN pkts before the original SYN pkt
• TCP reset attack – sends out RST/FIN pkt with bad sequence
• Pre-connection SYN – sends out SYN with wrong TCP-checksum
• Post-connection SYN – sends out fake SYN after connection establishment
• Zero Window – send out pkt with “0” window set.

You can download Trafscrambler 0.2 here:

trafscrambler-0.2.tgz

Or read more here.

It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.

New In Version 0.6

Version 0.6 has been significantly updated to additionally support the null-prefix attacks that was demonstrated at BlackHat 09 and Defcon 17. These allow for completely silent MITM attacks against SSL/TLS in the NSS, Microsoft CryptoAPI, and GnuTLS stacks — ultimately allowing for SSL communication in Firefox, Internet Explorer, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, and every other client that uses the Microsoft CryptoAPI to be intercepted.

sslsniff has also been updated to support the OCSP attacks that was published at Blackhat 09 and Defcon 17, thus making the revocation of null-prefix certificates very difficult. Additionally, sslsniff now supports modes for hijacking auto-updates from Mozilla products, as well as for Firefox/Thunderbird addons. Attackers can specify payloads of their choice, which will be delivered to the targets being man-in-the-middled.

sslsniff is useful for deploying other vulnerabilities as well. This is the tool that the people who pulled the recent MD5 hash collision publicity stunt used to demonstrate MITM attacks with their rogue CA-certificate. Also, anyone who is capable of obtaining a forged certificate by any means can easily deploy it through sslsniff with the targeted mode designed for null-prefix attacks.

You can download sslsniff v0.6 here:

sslsniff-0.6.tar.gz

Or read more here.

Xplico Features

• Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
• Port Independent Protocol Identification (PIPI) for each application protocol;
• Multithreading;
• Output data and information in SQLite database or Mysql database and/or files;
• At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
• Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
• TCP reassembly with ACK verification for any packet or soft ACK verification;
• Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
• No size limit on data entry or the number of files entrance (the only limit is HD size);
• IPv4 and IPv6 support
• Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
• The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

You can download Xplico 0.5.2 here:

xplico-0.5.2.tgz

Or read more here.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Many of you will know it as Ethereal.

Features

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Capture files compressed with gzip can be decompressed on the fly

You can see the full changelog for version 1.2.1 here:

Wireshark 1.2.1 Release Notes

A LOT of vulnerabilities and bugs have been fixed in this version, some having persisted since version 1.0 – so it’d be a good time to upgrade if you haven’t already.

You can download Wireshark 1.2.1 here:

Windows 32-bit – wireshark-win32-1.2.1.exe
Source code – wireshark-1.2.1.tar.bz2

Or read more here.

ScreenStamp! is basically a screen grabbing application for pen-testing and people working in forensics. The app will ask you for a location to save your screen shots to, along with a name that the program will number, allowing the user to concentrate on the job at hand as opposed to saving screen shots.

ScreenStamp! also time and date stamps the screen shot at the top right hand corner.

Where did the ScreenStamp! idea come from?

A bunch of students studying Ethical Hacking for Computer Security were carrying out an Information Gathering exercise the task of taking and saving screen shots with the clock opened and date showing was repetitive and tedious, so the group members decided that an application that would do this would be useful. After failing to find an existing application that fulfilled their needs they created one.

ScreenStamp! will not only be available to use on Windows operating systems but also Linux and Mac.

You can download ScreenStamp! here:

screenstamp_win_v1_8.zip
screenstamp_v.1.0.tar.gz

Or read more here.

Like when there was a worm going around that bruteforced SSH2 you could see a spike in port 22 traffic, to quote the about page.

The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.

Currently the system is tailored to process outputs of simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.

If you want to know how to submit you can find out here.

Anyway to get back to the point, with the trend for development moving towards web applications DShield has come out with a Web Honeypot project.

The overall idea is to build something like DShield (which collects firewall logs) for webapps.

The goal of the project is to collect quantitative data measuring the activity of automated or semi-automated probes against web applications. First of all, we will not just look for “attacks”. We look for “probes”. If they are malicious or not can only be determined in context.

We will not look for 0-day style or targeted attacks. Maybe we will get lucky and catch one. But in order to detect them, we would need sensors in specific networks. What we are after is more the “background noise”.

How does it work?
A: The Web Honeypot is made up of 3 elements: a client, a set of templates and a logging system. All web requests destined for the honeypot are passed to the honeypot client. The client attempts to match the specific web application requested to one of the templates installed in the honeypot. If a suitable template is found then it is sent back to the requester. If there is no template available, a default web page is returned. In both cases the specific web application request is logged and sent to a central DShield database.

Should I run this on my production environment?
A: That depends on your risk tolerance. If your organization is willing to approve it, then the program itself is designed so that it can run as a virtual host under apache. You could assign unused IP addresses to the honeypot virtual host.

Can I run this at home?
A: Several people already are. If you can forward port 80 to your honeypot machine, then it will work.
Installation:

Will the Web Honeypot work on my OS?
A: Currently the Web Honeypot works on Windows (2000 or later) and Linux OS with install packages available for: Debian, Redhat, openSUSE and Mac OSX.

Does it run on Windows/IIS/PHP?
A: It should with some minor modifications. IIS does not support the same redirection of all requests that apache does.

You can download the Web Honeypot here:

webhoneypot-alpha.tgz

Or read more here.

Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields!

Maltego offers the user with unprecedented information. Information is leverage.

What does Maltego do?

Maltego is a program that can be used to determine the relationships and real world links between:

• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as: Domains, DNS Names, Netblocks and IP Addresses
• Phrases
• Affiliations
• Documents and files

These entities are linked using open source intelligence.

• Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

Limitations

The Community Edition is limited in the following ways:

• A 15second nag screen
• Save and Export has been disabled
• Limited zoom levels
• Can only run transforms on a single entity at a time
• Cannot copy and paste text from detailed view
• Transforms limited to 75 per day
• Throttled client to TAS communication

Check out the User Guide here.

You can download Maltego Community Edition here:

Maltego CE – Linux
Maltego CE – Windows

Or read more here.

HeX Main Features

HeX Main Menu – Cleaner look and more user interface oriented and maximum 4 levels depth HeX Main Menu allows quick access to all the installed applications in HeX.

Terminal – This is exactly what you need, the ultimate analyzt console!

Instant access to all the Network Security Monitoring(NSM) and Network Based Forensics(NBF) Toolkits via Fluxbox Menu. We have also categorized them nicely so that you know what to use conditionally or based on scenario.

Instant access to the Network Visualization Toolkit, you can watch the network traffics in graphical presentation and that assist you in identifying large scale network attacks easily.

Instant access to Pcap Editing Tools which you can use to modify or anonymize the pcap data, it’s great especially when you want to share your pcap data.

Network and Pentest Toolkits contain a lot of tools to perform network or application based attacks, you can generate malicious packets using them and study malicious packets using those analysis tools listed in NSM-Toolkit and NBF-Toolkit as well.

While we think HeliX liveCD is better choice in digital forensics arsenal, Forensics-Toolkit can be considered as the add-on for people who are interested in doing digital forensics.

Under Applications, there are Desktop, Sysutils and Misc, all of them are pretty self-explained and contain user based applications such as Firefox, Liferea, Xpdf and so forth. Additionally, Misc contains some useful scripts, for example you can just start ssh service by clicking on SSHD-Start.

You can download HeX 1.0.3 here:

hex-i386-1.0.3.iso

Or read more here.