WIRESHARK
Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
FAKENET
FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment.
-
HTTP server always serves a file and tries to serve a meaningful file; if the malware request a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
-
Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
-
Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
-
Built in ability to create a capture file (.pcap) for packets on localhost.
-
Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.
INETSIM
To perform a quick run-time analysis of the network behaviour of unknown malware samples, we were in need of a tool to simulate internet services which are commonly used by malware in our laboratory environment. We started off with a bunch of home-grown Perl scripts together with specially configured server service implementations like Apache, Postfix, dnsmasq and ntpd, but we were not happy with this because of a lot of disadvantages resulting from the combination of many programs (e.g. problems with correlation of log data).
While talking to other security analysts, we noticed that there is definitely a need for a comfortable single suite to simulate different internet services with common logging and centralized control functions. So we decided to start the project 'INetSim' to develop such a suite.
Due to lack of time at the office, the programming was done in our spare time. We both have been using Perl for many years but mostly for small scripts, e.g. for the analysis of logfiles. The project INetSim was a welcome opportunity to gain more practical experience in programming Perl and to deal with the specifications (RFCs) for several services in depth.
INetSim is developed by Thomas Hungenberg and Matthias Eckert. We both work in the field of IT security and part of our daily work is the analysis of unknown malware samples.
NCAT
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
Among Ncat’s vast number of features there is the ability to chain Ncats together, redirect both TCP and UDP ports to other sites, SSL support, and proxy connections via SOCKS4 or HTTP (CONNECT method) proxies (with optional proxy authentication as well). Some general principles apply to most applications and thus give you the capability of instantly adding networking support to software that would normally never support it.
Ncat is integrated with Nmap and is available in the standard Nmap download packages (including source code and Linux, Windows, and Mac binaries) available from the Nmap download page. You can also find it in our SVN source code repository.
APT PROTOCOL DECODERS
We'll be adding some of the most useful decoder tools here to help quickly identify compromised machines from network pcap.
FAKE DNS
A regular-expression based python MITM DNS server with correct DNS request passthrough and "Not Found" responses.
APATE DNS
Mandiant ApateDNS is a tool for controlling DNS responses though an easy to use GUI. As a phony DNS server, Mandiant ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. Mandiant ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it sets back the original local DNS settings.
FAKE SMTP
FakeSMTP is a Free Fake SMTP Server with GUI for testing emails in applications easily. It is written in Java.
Configure your application to use "localhost" as your SMTP server, and all emails will be intercepted and displayed in this software.
HONEYD
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
TCP DUMP
a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
FIDDLER
Building web applications is no easy thing. Most developers remain unaware of exactly how their application is interacting with the web browsers installed on their clients’ machines. This is where Fiddler steps in to help you record all the HTTP and HTTPS traffic that passes between your computer and the Internet. Better yet, Fiddler captures traffic from all locally-running processes thus logging server-to-server (e.g. Web Services) and device-to-server traffic (e.g. iPad and Windows Phone clients).
BURP SUITE
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
NETWORK MINER
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but alsoworks in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).
NGREP
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
NETWITNESS
NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness NextGen product suite. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness NextGen infrastructure. Developed originally for the U.S. Intelligence Community, and now used extensively by Law Enforcement, Defense, and other public and private organizations, Investigator is based upon 10 years of development and deployment in some of the most demanding and complex threat environments. With its groundbreaking user interface and unprecedented analytics, Investigator lets you see your network traffic in a new way. Unlike packet analysis products, products which display network traffic in the context of confusing network nomenclature, Investigator uses a lexicon of nouns, verbs and adjectives--characteristics of the actual application and logic layer protocols parsed during session reconstruction.