Tools Flashcards

1
Q

Allows you to look up all available information about an IP address, hostname, or domain, including country, state or province, city, name of network provider, administrator or tech support contact. Automatically delivers information associated with an IP address no matter where it is registered geographically.

A

Smart Whois

2
Q

Buffer Overflows. A compiler that emits programs hardened against “stack smashing” attacks. Uses canaries.

A

StackGuard

3
Q

Buffer Overflows. A family of tools designed to enhance system integrity by hardening system components and platforms against security attacks. Secures a Linux OS and applications. Works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e. the compromised process halts instead of giving control to the attacker, and then is restarted. The software components are effectively “laminated” with technologies to harden them against attack.

A

Immunix

4
Q

Dos/DDoS. A free, open source tool that can tell a zombie system flooding packets to stop flooding. Works against Trinoo (including the Windows Trinoo agent), TFN, Stacheldraht, and Shaft. It does assume various defaults used by these attack tools are still in place, but allows you to put the zombies to sleep.

A

Zombie Zapper

5
Q

Dos/DDoS. A remote scanner for the most common Distributed Denial of Service programs (Zombies). Will detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although setup of each program type is possible from the configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.

A

DdoSPing

6
Q

Dos/DDoS. A third-generation network security analysis tool that operates under Unix, Linux, Mac OS X or Windows (through coLinux). Integrates the National Vulnerability Database (NVD). Can adapt to many firewalled environments. Supports remote self-scan and API facilities. Based on the SATAN model.

A

SARA (Security Auditor’s Research Assistant)

7
Q

Dos/DDoS. Became available in 1999. A network of this type looks conceptually similar to a trinoo; it is a packet flooding attack and the client controls the size of the flooding packets and duration of the attack. One interesting signature of this DDOS tool is that the sequence number for all TCP packets is 0x28374839.

A

Shaft

8
Q

Dos/DDoS. Designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously. Includes features designed specifically to make its traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport its traffic over multiple transport protocols including UDP, TCP, and ICMP, and features to confuse attempts to locate other nodes by sending “decoy” packets. Designed to work on various UNIX and UNIX-like systems and Windows NT. Obfuscates the true source of attacks by spoofing IP addresses. In networks that employ ingress filtering, it can forge packets that appear to come from neighboring machines. Can flood networks by sending large amounts of data to the victim machine. Includes attacks designed to crash or introduce instabilities in systems by sending malformed or invalid packets.

A

TFN2K

9
Q

Dos/DDoS. Made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an “on demand” root shell bound to a TCP port.

A

TFN

10
Q

Dos/DDoS. Not a virus, but an attack tool released in late December 1999 that performs a distributed Denial of Service attack.

A

Trinoo

11
Q

Dos/DDoS. Tool consists of a handler and an agent portion, much like previously known DDOS tools such as Trinoo. Handler can be controlled remotely by one or more intruders using a password-protected interactive login to a running handler. Simple commands issued to the handler cause instructions to be sent to agents deployed on compromised systems. The communications between intruder and handler, and the handler and agents, are configurable at compile time and have varied significantly from incident to incident. The default protocol and destination socket numbers in source code recently released to the public are 6723/tcp -> handler (intruder), 7983/udp -> agent (handler), and 9325/udp -> handler (agent).

A

Mstream

12
Q

Dos/DDoS. Uses intrusion fingerprints to track down compromised hosts. It is capable of remotely detecting Stacheldraht, TFN, and Trinoo if the attacker did not change the default ports.

A

RID Remote Intrusion Detector

13
Q

DOS/Ping of Death. A Denial of Service (DOS) attack that completely disables networking on many Win95 and WinNT machines.

A

Win Nuke

14
Q

DOS/Ping of Death. A program that can freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, and older versions of the MacOS that are not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets.

A

SSPing

15
Q

DOS/Ping of Death. Attack uses a forged ICMP (Internet Control Message Protocol) echo request.

A

Smurf

16
Q

DOS/Ping of Death. DoS on Windows systems. Sends TCP packets with bad header. As a result, CPU graph stays over 90% in the kernel.

A

Bubonic

17
Q

DOS/Ping of Death. Freeware. It integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke into one multi-platform DoS attack.

A

Targa

18
Q

DOS/Ping of Death. Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.

A

Land

19
Q

DOS/Ping of Death. Variant of the Ping-of-Death attack. It sends an IP fragment that is beyond the maximum length of a legal IP packet.

A

Jolt2

20
Q

Enumeration. A security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

A

DumpSec

21
Q

Enumeration. The intention of this package is to perform various security checks on remote servers running NetBIOS file sharing services. It is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

A

NAT (NetBIOS Auditing Tool)

22
Q

Enumeration/SNMP. A command line utility (included with Windows resource kits) that allows the querying of MIB information from a network device. While it supports GET/GETNEXT and WALK, most people use it to GET information and to WALK OID trees. Can access the SNMP OID and get the information you want from a command line.

A

SNMPUtil

23
Q

Enumeration/SNMP. SNMP enumeration and management tool

A

SolarWinds (IP Network Browser)

24
Q

Enumeration/Windows. A command line interface to a WIN32 function LookupAccountName.

A

User2SID

25
Q

Enumeration/Windows. A command line interface to a WIN32 function LookupSidName.

A

SID2User

26
Q

Enumeration/Windows. A small command line function that retrieves all available information about any known user from any NT/Win2k system that you can hit 139 on. Returns standard info like SID, primary group, logon restrictions, etc., but it also dumps special group information, password expiration info, password age, smartcard requirements, and lots of other stuff. Works as a null user, even if the system has RA set to 1 to specifically deny anonymous enumeration.

A

UserInfo

27
Q

Enumeration/Windows. Combines almost all possible attacks against NETBIOS (users and computers, shares, password policy). It establishes a NETBIOS null session and keeps it open during the attack. Based on dictionaries or given values, this tool will try to guess passwords.

A

Enum

28
Q

Enumeration/Windows. Sidesteps “RestrictAnonymous=1” and acquires account information on Windows NT/2000 machines. Shows the information that leaks by opening an anonymous login and showing the following information: An enumeration of user IDs, account names and full names, Password age, User groups the user is a member of, Account type, Whether the account is disabled or locked, Password policies, Last logon time, Number of logons, Bad password count, Quotas

A

GetAcct

29
Q

Footprinting. A free network query tool. Whois, DNS Query and ZT, traceroute, email header analysis, ping, website download, abuse address query, finger. Runs on Windows.

A

Sam Spade

30
Q

Footprinting. An e-mail analysis tool that allows you to track Internet e-mails back to the sender. (tp://www.visualware.com/emailtrackerpro/index.html)

A

eMailTracking Pro

31
Q

Footprinting. An internet utility that returns information about the domain name and IP address.

A

Whois

32
Q

Footprinting. Inherent in the Windows command line. Enables you to query DNS and perform zone transfers.

A

NSLookup

33
Q

Footprinting. Regional Internet Registries (RIRs) that manage, distribute, and register public IPs for regions. Online query tool enables users to find the address range of the network.

A

ARIN, APNIC, RIPE, LACNIC, (AFRINIC)

34
Q

Footprinting. Reliably find out when your email gets opened, how long it gets read for, whether or not it gets forwarded to someone else or published on the internet, where the reader is located, and more.

A

MailTracking.com

35
Q

Footprinting/Route Determination. Enhanced GUI-based Traceroute tool that provides more feedback regarding failed connections than typical traceroute programs. Features include printer and HTML output, a detailed whois display, continuous ping, instant browser access to nodes.

A

NeoTrace

36
Q

Footprinting/Route Determination. GUI-based traceroute tool. Tabbed GUI, traceroute, ping, reverse DNS query, IP location reporting, network provider reporting, domain whois lookups, browser integration, email address tracing, ICMP traceroutes.

A

Visual Route

37
Q

Footprinting/Route Determination. Monitors connections to open ports and alerts you to suspicious activity. Allows specific ports, domain names or IP addresses to be singled out for scrutiny and tracking. Identifies which country the connection to your computer is coming from. A real-time “Netstat” that also provides history and a rich set of features to help locate unwelcome visitors.

A

Visual Lookout

38
Q

Footprinting/Route Determination. Unix/Linux tool that enables user to trace hops or computers between source and target computer. Increments TTL value in packets.

A

Traceroute

39
Q

Footprinting/Route Determination. Windows tool that enables user to trace hops or computers between source and target computer. Increments TTL value in packets.

A

Tracert

40
Q

Hacking Web Servers. A very stealthy CGI scanner that is scriptable.

A

Whisker

41
Q

Hacking Web Servers. An interactive ASP page command prompt that will show you how vulnerable your IIS web server is to the IUSR_COMPUTER, IWAM_COMPUTER and SYSTEM user accounts. It runs in the context of the web server as a standard ASP page, and simulates a backdoor to any IIS web server.

A

cmdasp.asp

42
Q

Hacking Web Servers. Backdoor allowing upload via http.

A

IISCrack.dll

43
Q

Hacking Web Servers. Comprehensive and intuitive Web application scanner.

A

WebInspect

44
Q

Hacking Web Servers. Designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network’s internet, intranet, and extranet environments

A

Shadow Security Scanner

45
Q

Hacking Web Servers. Exploit C code for hacking Win2K IIS servers.

A

Jill32

46
Q

Hacking Web Servers. HTTP security scanning tool.

A

N-Stealth Scanner

47
Q

Hacking Web Servers. IIS 5.0 remote win32 exploit for the null.printer buffer overflow.

A

IIS5-Koei

48
Q

Hacking Web Servers. IIS privilege escalation tool; makes use of the IIS 5.0 + SP0 (SP1, SP2)

A

ispc.exe

49
Q

Hacking Web Servers. Printer overflow exploit, like IIS-Koei.

A

IIS5Hack

50
Q

Hacking Web Servers. Resource Kit Utility for changing permissions

A

Cacls utility

51
Q

Hacking Web Servers. Unicode vulnerability exploit script

A

UnicodeUploader.pl

52
Q

Hacking Web Servers. Used to view the SAM file on a server which is vulnerable to a certain IIS hole.

A

IISExploit

53
Q

Hacking Web Servers. Web site traffic analysis software

A

LogAnalyzer

54
Q

Hacking Web Servers. Windows software patch management tool that helps you secure your systems by remotely managing service packs and hotfixes.

A

UpdateExpert

55
Q

IDS, Firewalls, and Honeypots. A network intrusion detection evasion toolkit. It implements most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998. Was written in the hopes that a more precise testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.

A

Fragrouter

56
Q

IDS, Firewalls, and Honeypots. A network intrusion detection system test suite.

A

NIDSbench

57
Q

IDS, Firewalls, and Honeypots. An IDS evasion tool.

A

SideStep

58
Q

IDS, Firewalls, and Honeypots. An open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. The most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

A

Snort

59
Q

IDS, Firewalls, and Honeypots. API that can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect.

A

ADMutate

60
Q

IDS, Firewalls, and Honeypots. Tool to replay saved tcpdump or snoop files at arbitrary speeds.

A

TCPReplay

61
Q

Linux Hacking. A set of scripts that scan a Un*x system looking for security problems.

A

TARA

62
Q

Linux Hacking. A third-generation security analysis tool that is based on the SATAN model.

A

SARA (Security Auditor’s Research Assistant)

63
Q

Man In The Middle. A collection of tools for network auditing and penetration testing. Some modules passively monitor a network for interesting data (passwords, email, files, etc.) and others facilitate the interception of network traffic normally unavailable to an attacker (due to layer-2 switching). Others implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

A

Dsniff

64
Q

Novell Hacking. Brute force cracker

A

NOVELBFH

65
Q

Novell Hacking. Brute force cracker.

A

Kock

66
Q

Novell Hacking. Checks for users that have no password. For both Netware 3.x and 4.x.

A

Chknull

67
Q

Novell Hacking. Emulates a fake Novell file server.

A

Novelffs

68
Q

Novell Hacking. Login spoofing utility for all versions of NetWare.

A

Spooflog

69
Q

Novell Hacking. NLM which will create supervisor account from server.

A

Burglar

70
Q

Novell Hacking. Novell hacking and cracking tool.

A

Bindery/BinCrack

71
Q

Novell Hacking. Popular packet sniffer for Ethernet networks.

A

Gobbler

72
Q

Novell Hacking. Resets any user password, including that of supervisor.

A

SETPWD.NLM

73
Q

Novell Hacking. Simple bruteforce hacker for Novell.

A

nwpcrack

74
Q

Novell Hacking. Tools for the opening of Novell’s Netware Directory Services.

A

Pandora

75
Q

Novell Hacking. TSR program for recording typed passwords.

A

Getit

76
Q

Novell Hacking. UserDump simply lists all users in the Bindery.

A

userdump

77
Q

Port Monitoring. A Windows program that displays all active TCP and UDP endpoints on your system, indicating which process is associated with each local and remote IP address and relaying continuous, detailed real-time data on system’s TCP/IP activity.

A

TCPView

78
Q

Port Monitoring. Destructive virus affecting MS-DOS computers. This virus infects the boot sector, then hides itself by marking unused blocks on floppy or hard disks as bad.

A

Hard Disk Killer

79
Q

Port Monitoring. Lists the current processes in your Windows system and which ports they listen on. Written to work on Windows NT and Windows 9x.

A

Inzider

80
Q

Port Monitoring. Reports all open TCP/IP and UDP ports and maps them to the owning application. Same information you would see using the “netstat -an” command, but it also maps those ports to running processes with the PID, process name and path. Can be used to quickly identify unknown open ports and their associated applications.

A

FPort

81
Q

Scanning. A free open source utility for network exploration or security auditing. Designed to rapidly scan large networks, although it works fine against single hosts. Uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Runs on most types of computers and both console and graphical versions are available. Free and open source.

A

Nmap

82
Q

Scanning. A Network management tool for mapping and monitoring your network. It has host/network discovery functionality as well as OS detection of hosts. Has the ability to probe hosts to see what services they are running. On some services, it is actually able to see what program is running for a service and the version number of that program.

A

Cheops

83
Q

Scanning. A program that allows you to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address. Can function as a usual SOCKS server that transmits queries through a chain of proxies. Can be used with client programs that do not support the SOCKS protocol but work with one TCP connection, such as TELNET, HTTP, IRC… (FTP uses 2 connections). Your IP address will not be seen in the server’s logs or mail headers.

A

SocksChain

84
Q

Scanning. A project that monitors end-to-end performance of Internet links using ICMP Echo (Ping).

A

Pinger

85
Q

Scanning. A W2k and XP TCP port scanner that can do SYN, FIN, Null and Xmas scans.

A

IPEye

86
Q

Scanning. A Windows tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

A

IPSECSCAN

87
Q

Scanning. Allows you to bypass an HTTP proxy to use e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable software, etc.

A

HTTPort

88
Q

Scanning. Allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. Arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. Can also update an existing mirrored site, and resume interrupted downloads.

A

HTTrack Web Copier

89
Q

Scanning. Command-line oriented TCP/IP packet assembler/analyzer. Used to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel. Also, Firewall testing, Advanced port scanning, using different protocols, TOS, fragmentation, Manual path MTU discovery, Advanced traceroute, Remote OS fingerprinting, Remote uptime guessing, TCP/IP stacks auditing.

A

Hping2

90
Q

Scanning. Commercial wardialer. Supports and identifies MS-CHAP v2. A robust, multi-line scanner. Can operate in three modes: connect, identify and penetrate.

A

PhoneSweep

91
Q

Scanning. Host enumeration tool; uses ICMP Echo packets to probe networks, AND ICMP Timestamp and ICMP Information packets as well. Supports spoofing and promiscuous listening for reply packets.

A

Icmpenum

92
Q

Scanning. Network diagnosis tool using SNMP, ICMP and other methods. DNS checking via Nslookup, advanced whois and rwhois query tool, ping sweep, netbios share detection, SNMPv1v2 tools, port scanner, DHCP server discovery, IP packet viewer, email address validation, subnet calculator.

A

Netscan Tools Pro 2000

93
Q

Scanning. Network diagnosis tool using SNMP, ICMP and other methods. Verify connectivity to a specific device, quantitatively test data connections, trace the path to a network host, obtain information on hostnames/IPs, view summary info about a network host or device, including official hostname, IP address, and contact info. View SNMP values as well as Windows domains, hosts, and workstations, and search LDAP.

A

WS_Ping_Pro

94
Q

Scanning. Remote OS detector. Sends obscure TCP packets to determine remote OS. Fully configurable. Runs on Linux, Solaris and probably any OS with libpcap support.

A

Queso

95
Q

Scanning. The act of using a modem to dial every telephone number in a local area to find out where computers are available, then attempting to access them by guessing passwords.

A

War Dialing

96
Q

Scanning. Uses a modem to dial a range of telephone numbers to find carriers, PBXs, voice mail boxes, and so on. Although this program is a DOS program, it can be successfully run on a range of UNIX-based systems using a DOS emulator such as Dosemu.

A

THC-Scan

97
Q

Scanning. Website that reports a site’s OS, web server, and netblock owner and, if available, a graphical view of the time since last reboot for each of the computers serving the site.

A

netcraft.com

98
Q

Session Hijacking. A network sniffer that can also be used to hijack TCP sessions.

A

Juggernaut

99
Q

Session Hijacking. A network tool that can control any login session on a network by performing session hijacking

A

IP Watcher

100
Q

Session Hijacking. A utility program that monitors and controls users on a single system. The program can share an existing, in-use tty so that when the user types something into the monitored window, the information will also appear on the

A

TTYWatcher

101
Q

Session Hijacking. Advanced intrusion investigation and response tool to monitor network connections in real-time. Real time monitoring, reporting and graphing, active countermeasures, alarms, and filters.

A

T-Sight

102
Q

Session Hijacking. Sniffer/Session Hijacker that includes a handy ARP cache poisoning feature specifically designed to disable the isolation normally provided by Ethernet switches

A

Hunt

103
Q

Sniffers. A protocol analyzer. Has all of the standard features of a protocol analyzer. Functionality is very similar to tcpdump, but it has a GUI front-end, and many more information sorting and filtering options. Allows user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network card into promiscuous mode. Runs on most Unix and Unix-compatible systems, including Linux, Solaris, FreeBSD, NetBSD, OpenBSD, Mac OS X and Windows.

A

Ethereal

104
Q

Sniffers. A simple DNS ID Spoofer for Windows 9x/2K

A

WinDNSSpoof

105
Q

Sniffers. A suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

A

Ettercap

106
Q

Sniffers. A TCP connection killer for Windows 9x/2K; requires the ability to use a sniffer to sniff incoming/outgoing traffic of the target. If you are in a switched network you can bypass the switching capabilities by using an ARP cache poisoning tool like winarp_sk or winarp_mim.

A

WinTCPKill

107
Q

Sniffers. Allows you to ‘sniff’ and record network traffic, then completely reconstruct the data into its original format.

A

IRIS

108
Q

Sniffers. An open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods.

A

Snort

109
Q

Sniffers. An OpenSource implementation of a set of tests for remote sniffers detection in TCP/IP network environments. Implements various tests for the detection of machines running in promiscuous mode or with a sniffer. Also provides ICMP test, ARP test, DNS test, LATENCY test.

A

SniffDet

110
Q

Sniffers. Captures whole packets (not just headers), and archives that traffic for future analysis. Reconstructs sessions, and uses heuristic traffic analysis to detect spoofing and non-standard port usage, unwraps compressed files, reconstructs files sent over the network, and searches for key words and phrases. Maintains a database of session data, powerful search tools for investigation and analysis, graphs and reports, and access to all the reconstructed files. Raw packet-by-packet data available as well.

A

NetIntercept

111
Q

Sniffers. Easy-to-use password sniffer for Windows 95/98/NT/2000. Allows network administrators to capture passwords of any network user. Monitors incoming and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, SMTP, Telnet, IMAP, and NNTP usernames and passwords. Has advanced, integrated technology that allows it to reconstruct network traffic in a format that is simple to use and understand. Will reconstruct each of those packets individually, thus capturing a clear and concise image of the integrity of an organization’s entire network.

A

WinSniffer

112
Q

Sniffers. Floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.

A

EtherFlood

113
Q

Sniffers. Freeware program for reporting the URLs loaded by both Internet Explorer and Netscape Navigator in real time.

A

Webspy

114
Q

Sniffers. Performs traffic monitoring and packet capture. Can decode over 1,000 protocols, but support is limited to Ethernet networks. Packet information can be viewed without stopping the capture, and statistics are updated in real time. Traffic capture can be customized with triggers, alarms, and filters. Triggers can be set off by a time event or by network traffic. Alarms warn you of abnormalities in LAN activity, such as bottlenecks, when traffic deviates from a specified limit.

A

EtherPeek

115
Q

Sniffers. The Windows version of tcpdump, the command line network analyzer for UNIX. Fully compatible with tcpdump and can be used to watch, diagnose and save to disk network traffic according to various complex rules. It can run under Windows 95, 98, ME, NT, 2000, XP, 2003 and Vista.

A

WinDump

116
Q

Sniffers. Utility for viewing/manipulating the MAC addresses of network interfaces

A

MAC Changer

117
Q

Sniffers. Windows MAC Address Modifying Utility

A

SMAC

118
Q

SQL Injection. A dictionary attack tool for SQL Server

A

SQLDict

119
Q

SQL Injection. A password guesser, designed to try to break through a password system by guessing millions of passwords until it gets the correct one. Can set up the password guesser directly on the machine to try to log in to the network, and let it run until it does. That way, the admin traces attempts back to a legitimate machine.

A

SQLbf

120
Q

SQL Injection. A UNIX Based Remote Command Execution for MSSQL.

A

SQLSmack

121
Q

SQL Injection. MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53. Windows binary, C++ source code.

A

SQL2.exe

122
Q

SQL Injection. SQL Server password brute force tool.

A

SQLExec

123
Q

Steganography. Conceals messages in ASCII text by appending whitespace to the end of lines.

A

Snow

124
Q

Steganography. Detects data at the end of image files hidden with tools like appendX or camouflage.

A

StegDetect

125
Q

Steganography. Hides large amounts of text in images; simple encryption and decryption of data.

A

ImageHide

126
Q

Steganography. Hides information in MP3 files during the compression process.

A

MP3Stego

127
Q

Steganography. Lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.

A

EFSView

128
Q

Steganography. Sector editor for Windows 2000. Allows a user with local Administrator rights to directly edit, save, and copy data on the physical hard drive that is not accessible in any other way.

A

Dskprobe

129
Q

System Hacking. A password auditing and recovery application, used to test password strength and sometimes to recover lost Microsoft Windows passwords by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability.

A

L0phtCrack

130
Q

System Hacking. Allows you to scan an NT machine for information concerning its configuration, including ftp services, telnet services, web services, system account information, file systems and permissions.

A

NTInfoScan

131
Q

System Hacking. Consists of two programs. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force attack or a dictionary attack.

A

KerbCrack

132
Q

System Hacking. NetBIOS scanner which can enumerate NetBIOS file shares across large ranges of IP addresses. Also provides a brute force password cracking component which can be directed against a single NetBIOS file share.

A

Legion

133
Q

System Hacking. Provides insight into the NT event logs to assess the activity of a distributed network more accurately and efficiently.

A

VisualLast

134
Q

System Hacking/Buffer Overflows. Exploit for the Outlook / Outlook Express GMT Field Buffer Overflow Vulnerability.

A

Outoutlook

135
Q

System Hacking/Checksum. Checksum utility that automatically verifies data and file integrity against a known good source file stored in a database and quickly notifies you of changes.

A

Tripwire

136
Q

System Hacking/Covering Tracks. A command-line tool that enables the user to modify the audit policy of the local computer or of any remote computer. To run it, the user must have administrator privileges on the target computer.

A

Auditpol

137
Q

System Hacking/Covering Tracks. Allows data to be stored in hidden files that are linked to a normal visible file. Streams are not limited in size and there can be more than one stream linked to a normal file. Streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of. Streams can easily be created, written to, and read from, allowing any trojan or virus author to take advantage of a hidden file area. Streams are easily used, and only found with specialized software.

A

NTFS File Streaming

138
Q

System Hacking/Covering Tracks. Deletes all the logs on an NT/2K machine so any audits taken are removed from the machine.

A

Elslave

139
Q

System Hacking/Covering Tracks. Lets you erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000.

A

Winzapper

140
Q

System Hacking/Covering Tracks. Moves data from a commandline-specified file into a hidden Alternate Data Stream attached to the original.

A

makestrm

141
Q

System Hacking/Covering Tracks. Purges local sensitive info from system; covers tracks typically accessible through EnCase-type Forensics analysis.

A

Evidence Eliminator

142
Q

System Hacking/Keystroke Loggers. A desktop activity logger that is powered by a kernel mode driver. This driver enables it to run silently at the lowest level of the Windows 2000/XP operating systems. Extremely difficult to detect, primarily because of its stealth surveillance methods.

A

IKS Software Logger

143
Q

System Hacking/Keystroke Loggers. Keylogger software that allows you to remotely control/monitor your PC via a web browser. Allows you to view system activity and user actions in real time, shutdown/restart, lockdown/freeze, and browse the file system of a remote PC.

A

SpyAnywhere

144
Q

System Hacking/Keystroke Loggers. Keylogger software. Captures emails and immediately forwards them to you. Also captures both sides of chat conversations, IMs, keystrokes typed, applications launched, and websites visited - then sends you a detailed activity report every hour.

A

EBlaster

145
Q

System Hacking/Keystroke Loggers. Keylogger software. Records emails, chats, IM, web sites visited, keystrokes, programs launched, P2P file sharing, screen snapshots, and passwords.

A

Spector

146
Q

System Hacking/Keystroke Loggers. Small tool which detects and removes the installed surveillance tool Spector.

A

AntiSpector

147
Q

System Hacking/Privilege Escalation. A fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

A

John the Ripper

148
Q

System Hacking/Privilege Escalation. Allows any normal user to join the administrator group.

A

GetAdmin

149
Q

System Hacking/Privilege Escalation. Attempts to determine a user password by actually trying to log on to a computer remotely using SAMBA (the SMB protocol).

A

SMBGrinder

150
Q

System Hacking/Privilege Escalation. Decodes and displays all NetBIOS name packets it receives on UDP port 137.

A

Nbname

151
Q

System Hacking/Privilege Escalation. Registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests. Works nicely with SMBRelay. Helps to resolve an IP address from a NetBIOS computer name. Similar to Proxy ARP.

A

NBTDeputy

152
Q

System Hacking/Privilege Escalation. Takes advantage of the Server Message Block (SMB) file sharing protocol. It collects NTLM password hashes and writes them to hashes.txt in a format usable by L0phtcrack so the passwords can be cracked later. It is an SMB man-in-the-middle attack.

A

SMBRelay/SMBRelay2

153
Q

System Hacking/Privilege Escalation. Tool that crashes Windows machines with Netbios enabled by sending a specially crafted SMB request. Tested against Windows NT/2k/XP/.NET RC1.

A

SMBDie

154
Q

Trojans and Backdoors. 3 kilobyte trojan written in Assembly. It uses telnet as its client. Uses cmd.exe to run commands received on port 7777.

A

Tini

155
Q

Trojans and Backdoors. A powerful remote control system for workstations running Windows 95, 98 or NT 4.0. Implemented to replace well-known trojans, and to be invisible to existing antivirus software. File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time of file. Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend, resume. Registry - full access: browse, create, remove keys and values; set values. System: get/set system time (you can perform a Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query system info, query/set system parameters. Windows: get list of windows; query and set system colors; get a screenshot or the shot for a particular window; send messages to a window.

A

Donald Dick

156
Q

Trojans and Backdoors. Allows a remote user to access and control your machine by way of its Internet link.

A

NetBus

157
Q

Trojans and Backdoors. An .exe wrapper to facilitate remote installation of Back Orifice server and execution of specified applications. Binds a BO installer with any program to create a single file.

A

Silk Rope 2000

158
Q

Trojans and Backdoors. Backdoor that works through any firewall whose security policy allows users to surf the WWW.

A

Reverse WWW Shell

159
Q

Trojans and Backdoors. BackOrifice trojan detector that is a trojan itself. Distributed as a cure for Back Orifice infections.

A

BoSniffer

160
Q

Trojans and Backdoors. Goes beyond NetBus, including: File controls, Monitoring, Network control.

A

SubSeven

161
Q

Trojans and Backdoors. Increases the Trojan qualities of Netbus and others, by giving the user an incentive to run the program.

A

Whack a Mole

162
Q

Trojans and Backdoors. IRC backdoor

A

IconPlus

163
Q

Trojans and Backdoors. Malicious code spreads within a network of shared computer systems, infecting the Notepad.exe file.

A

QAZ

164
Q

Trojans and Backdoors. Malware that disables AV and software firewalls.

A

FireKiller 2000

165
Q

Trojans and Backdoors. Trojan whose communication port is 31337.

A

BackOrifice 2000

166
Q

Trojans and Backdoors. Used to pack various Trojan files together into a single executable.

A

EliteWrap

167
Q

Trojans and Backdoors. Utility that is able to write and read data across TCP and UDP network connections.

A

Netcat

168
Q

Web App Vulnerabilities. A common name used for rogue Java applets available on the WWW.

A

Black Widow

169
Q

Web App Vulnerabilities. A free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.

A

Wget

170
Q

Web App Vulnerabilities. A text browser for the World Wide Web. Runs on Un*x, VMS, Windows 95/98/NT, DOS386+ but not 3.1, 3.11, or OS/2 EMX.

A

Lynx

171
Q

Web App Vulnerabilities. Remotely controls Internet Explorer using DCOM. Captures data sent and received using Internet Explorer. Even on SSL encrypted websites (e.g. Hotmail), it can capture user ID and password in plain text.

A

IEEN

172
Q

Web App Vulnerabilities. Taking over a session by stealing a session cookie.

A

Cookie Stealing

173
Q

Web App Vulnerabilities. Web application security auditing tool. It is not just one application; it is a complete toolbox of applications that come together to let you do some unique things. Focuses only on trying to give auditors the tools they need to manually disassemble the web application by hand and to efficiently test it in any manner they can conceive.

A

WebSleuth

174
Q

Web Based Password Cracking. A custom explorer bar. This extension was created for the monitoring of cookie activity and for the possibility to add and edit cookies.

A

CookieSpy

175
Q

Web Based Password Cracking. A tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.

A

CURL

176
Q

Web Based Password Cracking. A utility utilizing the HTTP protocol to brute force into any login mechanism/system that requires a username and password, on a web page (or HTML form).

A

Munga Bunga

177
Q

Web Based Password Cracking. An HTTPS Man in the Middle attacking tool. It includes FakeCert, a tool to make fake certificates (like the DCA of sslmim found in Phrack 57). It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.

A

WinSSLMiM

178
Q

Web Based Password Cracking. Brute-force authentication attack against a web server using authentication requests.

A

ObiWan

179
Q

Web Based Password Cracking. Displays cookie information.

A

ReadCookies

180
Q

Web Based Password Cracking. Flexible remote password cracker.

A

Brutus

181
Q

Web Based Password Cracking. Pulls passwords from cookies.

A

SnadBoy

182
Q

Web Based Password Cracking. Taking over a session by stealing a session cookie.

A

Stealing Cookies

183
Q

Web Based Password Cracking. This program exploits a rather large hole in web site authentication methods. Password protected websites can be easily brute-force hacked, because there is no set limit on the number of times an incorrect password or user ID can be tried.

A

WebCracker

184
Q

Wireless Hacking. A Linux utility (using GTK+) for decrypting WEP encryption. A Windows port also exists.

A

AirSnort

185
Q

Wireless Hacking. A PASSIVE network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a and 802.11g traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. The client can also run on Windows, although a drone is the only compatible packet source.

A

Kismet

186
Q

Wireless Hacking. A tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. A trimmed-down version is available for Windows CE. Used for wardriving, verifying network configurations, finding locations with poor coverage in one's WLAN, detecting causes of wireless interference, detecting unauthorized ("rogue") access points, and aiming directional antennas for long-haul WLAN links.

A

NetStumbler

187
Q

Wireless Hacking. IDS system for 802.11 that guards one or more APs and monitors local frequencies for potentially malevolent activity. It detects scans, association floods, and bogus/rogue APs. It can easily be integrated with SNORT or RealSecure.

A

WIDZ - Wireless IDS

188
Q

Wireless Hacking. Performs packet analysis of IEEE 802.11 wireless LANs in support of security audits, site surveys, network management, and troubleshooting. Rich security auditing features, broad protocol support, and flexible packet filtering.

A

AiroPeek