Nemesis can natively craft and inject packets for:

• ARP
• DNS
• ETHERNET
• ICMP
• IGMP
• IP
• OSPF
• RIP
• TCP
• UDP

Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Unix-like systems require: libnet-1.0.2a, and a C compiler (GCC)
Windows systems require: libnetNT-1.0.2g and either WinPcap-2.3 or WinPcap-3.0

Download it here:

Source code: nemesis-1.4.tar.gz (Build 26)
Windows binary: nemesis-1.4.zip (Build 26) (includes LibnetNT)

You can read more here:

Nemisis at Sourceforge

LFT

LFT, short for Layer Four Traceroute, is a sort of ‘traceroute’ that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al.

What makes LFT unique?

LFT is the all-in-one traceroute tool because it can launch a variety of different probes using both UDP and TCP layer-4 protocols. For example, rather than only launching UDP probes in an attempt to elicit ICMP “TTL exceeded” from hosts in the path, LFT can send TCP SYN or FIN probes to target arbitrary services. Then, LFT listens for “TTL exceeded” messages, TCP RST (reset), and various other interesting heuristics from firewalls or other gateways in the path.

LFT also distinguishes between TCP-based protocols (source and destination), which make its statistics slightly more realistic, and gives a savvy user the ability to trace protocol routes, not just layer-3 (IP) hops. With LFT’s verbose output, much can be discovered about a target network.

WhoB

WhoB is a likable whois client (see whois(1)) designed to provide everything a network engineer needs to know about a routed IP address by typing one line and reading one line. But even so, it’s worth typing a few more lines because WhoB can do lots of other cool things for you! It can display the origin-ASN based on the global routing table at that time (according to Prefix WhoIs, RIPE NCC, or Cymru), the ‘origin’ ASN registered in the RADB (IRR), the netname and orgname, etc. By querying pWhoIs, WhoB can even show you all prefixes being announced by a specific Origin-ASN.

WhoB performs the lookups quickly, the output is easily parsed by automated programs, and it’s included as part of the Layer Four Traceroute (LFT) software package. LFT uses WhoB as a framework (and you can too, quite easily–see whois.h). Recent LFT releases (as of version 2.5) include WhoB functionality through a standalone “whob” client/command placed in the LFT binary directory.

LFT and WhoB continue to evolve and provide more and more useful data to network engineers and to anyone else that cares how IP datagrams are being routed. With the advent of smarter firewalls, traffic engineering, QoS, and per-protocol packet forwarding, LFT and WhoB have become invaluable tools for many network managers worldwide.

You can download LFT & WhoB and read more here:

LFT & WhoB

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.

Nmap approaches to fingerprinting as shown to be efficient for years. Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization technologies, its approach to OS fingerprinting is becoming to be obsolete.

SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with only 1 test giving the OS reliably in most cases).

SinFP 2.04 is now available, which for the first time, can now run under Windows ActivePerl.

More info here:

SinFP

SinFP has now more than 130 signatures in its database.

For Windows users, follow these instructions:

This was tested with ActivePerl 5.8.8.819, with PPM v4.0.

  # If you are behind a proxy:
  C:\> set http_proxy=http://username:password@proxy:port

  # Add gomor repository
  C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx

  # Disable all other repo, if you have many. Or only ActiveState repo
  # by default
  C:\> ppm repo 1 off
  ...
  C:\> ppm install Net-SinFP

  # Re-enable all other repo
  C:\> ppm repo 1 on
  ...

  Launch it:
  C:\> perl C:\perl\site\bin\sinfp.pl

If you have error messages about failing to load some .dll, go to www.microsoft.com. Then, in the search field, type in vcredist_x86.exe, download it and install it.

There are 2 basics mode:
– who-has: build a request ARP message.
– reply: build a reply ARP message (default)

Other advanced modes should come very soon
– arping: send a who-has to every host on the LAN to see who is here
– promisc: detection of boxes that are sniffing on the network using promiscuous mode of their network interface
– arpmim: perform Man in the Middle attack

Link level options

-s: set the source address of the packet.
Default : MAC address of the interface used to send the packets.

-d: set the destination address of the packet
Default: broadcast

These 2 options have a strong influence on the ARP message itself.
Here are the default according to these options:

– request

      # ./arp-sk -i eth1 -w
      + Running mode "who-has"
      + IfName: eth1
      + Source MAC: 52:54:05:f4:62:30
      + Source ARP MAC: 52:54:05:f4:62:30
      + Source ARP IP : 192.168.1.1 (batman)
      + Target MAC: ff:ff:ff:ff:ff:ff
      + Target ARP MAC: 00:00:00:00:00:00
      + Target ARP IP : 255.255.255.255 (255.255.255.255)

– reply

      # ./arp-sk -i eth1 -r
      + Running mode "reply"
      + IfName: eth1
      + Source MAC: 52:54:05:f4:62:30
      + Source ARP MAC: 52:54:05:f4:62:30
      + Source ARP IP : 192.168.1.1 (batman)
      + Target MAC: ff:ff:ff:ff:ff:ff
      + Target ARP MAC: ff:ff:ff:ff:ff:ff
      + Target ARP IP : 255.255.255.255 (255.255.255.255)

The only difference comes from the destiantion mac address from ARP message, since it has to be 00:00:00:00:00:00. For the reply mode, consistency is preserved and the destination MAC address used for the link layer is copied in the ARP message.

You can download arp-sk here:

arp-sk-0.0.16.tgz

I saw a Freeware MAC Address Changing tool today which I thought I’d share with you all, as I used to use SMAC, a nice tool, until the guy started charging for it!

Hopefully this one won’t go the same way.

Technitium MAC Address Changer, which allows you to change Machine Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver.

It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has an MAC address hard coded in its circuit by its manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Networks (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address.

Technitium MAC Address Changer v3.1 is a must tool in every security professionals tool box.

Technitium MAC Address Changer v3.1 is coded in Visual Basic 6.0.

There are some famous commercial tools available in the market for as much as US$19.99, but Technitium MAC Address Changer is available for FREE. (We don’t charge for just changing an registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim!)

You can download the MAC Address Changer here:

MAC Changer v3.1