2015 was another interesting year for security, and some cool utilities appeared. Rather than cover the same old ground and gush about how amazing nmap, masscan and Shodan are (not that they’re not amazing, of course), I’d like to highlight a few lesser-known tools I’ve found useful and discovered in the last year.
One of my favourite security projects last year was undoubtedly TLS Prober.
This is a great recon tool which attempts to identify a given SSL stack by examining its behaviour. For full details, see the whitepaper included in the project repo.
You can run TLS Prober against lots of different service types, including some using STARTTLS, and it will give you a list of the most likely SSL stacks, along with the number of matching signatures for each candidate.
This can be really useful for OS identification if you can’t find response headers or other useful indicators, since it can distinguish Microsoft’s SChannel from, say, OpenSSL.
This project hasn’t seen as much love as it deserves, but I’m hoping more people will jump in and provide fingerprints. Currently, for example, I sometimes see it identify Postfix on CentOS 7 as Fortigate (since apparently they look identical!).
If you’re interested in network reconnaissance tools you should definitely check TLS Prober out, and submit some new signatures. It could also provide inspiration for writing tools of your own.
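To show how behaviour-based matching ranks candidates and why two stacks can tie (the Postfix/Fortigate confusion above), here is a small added illustration; it is not TLS Prober’s own code, and the probe names, observed behaviours and fingerprint database in it are all constructed for the example.

```python
# Added illustration, not TLS Prober's code: rank candidate TLS stacks by
# how many probe signatures match the behaviour observed from a target.
# Probe names, behaviours and stack entries are constructed, not real data.
from collections import Counter

# Constructed fingerprint database: stack -> {probe: expected behaviour}
FINGERPRINTS = {
    "OpenSSL": {
        "sslv2_compat_hello": "server_hello",
        "unknown_tls_version": "alert_protocol_version",
        "empty_extension_list": "server_hello",
        "unexpected_alert": "close",
    },
    "Microsoft SChannel": {
        "sslv2_compat_hello": "reset",
        "unknown_tls_version": "alert_handshake_failure",
        "empty_extension_list": "alert_decode_error",
        "unexpected_alert": "reset",
    },
    "Postfix on CentOS 7": {
        "sslv2_compat_hello": "reset",
        "unknown_tls_version": "alert_protocol_version",
        "empty_extension_list": "server_hello",
        "unexpected_alert": "reset",
    },
    # Same constructed signatures as the entry above: indistinguishable,
    # which is exactly the kind of tie that produces a wrong top guess.
    "Fortigate": {
        "sslv2_compat_hello": "reset",
        "unknown_tls_version": "alert_protocol_version",
        "empty_extension_list": "server_hello",
        "unexpected_alert": "reset",
    },
}

def rank_stacks(observed, db=FINGERPRINTS):
    """Return [(stack, matches)] sorted by match count, then by name."""
    scores = Counter()
    for stack, sig in db.items():
        scores[stack] = sum(1 for probe, seen in observed.items()
                            if sig.get(probe) == seen)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def best_guess(observed, db=FINGERPRINTS):
    """All stacks sharing the top score; more than one name means a tie."""
    ranked = rank_stacks(observed, db)
    top = ranked[0][1]
    return [stack for stack, n in ranked if n == top]
```

A practical consequence: when `best_guess` returns several names, the fingerprint database needs a new probe that separates them, which is what submitting signatures to the project is for.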
WAFW00F is another interesting recon tool, designed to identify web application firewalls. It does this by making various HTTP requests and then examining the responses for telltale signs that certain WAFs are present: cookies, headers, and other characteristic responses to particular stimuli.
Check it out and submit any handy improvements you might have in mind – the developers are open to pull requests.
I said I wouldn’t mention nmap, but I’ll mention one of its projects, ncat.
ncat is the nmap project’s reimagined netcat. Use it in most of the places you would usually have used either netcat or openssl s_client in the past. For example, to view an SSH banner:
~ % ncat scanme.nmap.org 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
Or to cat a file across the network, using encryption (this is the listening side, which serves the file over TLS on port 1234):
~ % cat korg.tiff | ncat -l --ssl -p 1234
This is another tool that’s worth a look, and if you have nmap, you probably already have it installed.
This is a really short list of interesting things I found last year. Please leave a comment if I’m missing a handy tool you’ve found useful.