Difference between pages "Knoppix STD" and "Tools:Network Forensics"

From Forensics Wiki
(Difference between pages)
(New page: {{Infobox_Software | name = Knoppix STD | maintainer = | os = | genre = {{Live CD}} | license = {{GPL}} | website = [http://s-t-d.org/ s-t-d.org/] | }} Knoppix STD is a [[Co...)
 
(Network Forensics Packages and Appliances)
 
Left-hand page, Knoppix STD (wiki source):

{{Infobox_Software |
  name = Knoppix STD |
  maintainer = |
  os = |
  genre = {{Live CD}} |
  license = {{GPL}} |
  website = [http://s-t-d.org/ s-t-d.org/] |
}}

Knoppix STD is a [[Computer Forensics|computer forensics]] / [[Incident Response|incident response]] [[live CD]] based on Knoppix.

== Tools ==

=== Forensics ===

* [[Sleuthkit]] 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
* biew : binary viewer
* bsed : binary stream editor
* consh : logged shell (from F.I.R.E.)
* coreography : analyze core files
* dcfldd : US DoD Computer Forensics Lab version of dd
* fenris : code debugging, tracing, decompiling, reverse engineering tool
* fatback : Undelete FAT files
* foremost : recover specific file types from disk images (like all JPG files)
* ftimes : system baseline tool (be proactive)
* galleta : recover Internet Explorer cookies
* hashdig : dig through hash databases
* hdb : java decompiler
* mac-robber : TCT's graverobber written in C
* [[md5deep]] : run md5 against multiple files/directories
* memfetch : force a memory dump
* pasco : browse IE index.dat
* photorec : grab files from digital cameras
* readdbx : convert Outlook Express .dbx files to mbox format
* readoe : convert entire Outlook Express .directory to mbox format
* rifiuti : browse Windows Recycle Bin INFO2 files
* secure_delete : securely delete files, swap, memory....
* testdisk : test and recover lost partitions
* wipe : wipe a partition securely. good for prep'ing a partition for dd
* and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

== External Links ==

* [http://s-t-d.org/ Official Site]
* [http://forum.s-t-d.org/ Support Forum]

[[Category:Incident response tools]]

Right-hand page, Tools:Network Forensics: its content is the revision rendered below.

Revision as of 10:21, 3 March 2008


Network Forensics Packages and Appliances

Burst
http://www.burstmedia.com/release/advertisers/geo_faq.htm
Expensive IP geo-location service.
chkrootkit
http://www.chkrootkit.org
cryptcat
http://farm9.org/Cryptcat/
Enterasys Dragon
http://www.enterasys.com/products/advanced-security-apps/index.aspx Intrusion Detection System; includes session reconstruction.
MaxMind
http://www.maxmind.com
IP geolocation services and data provider for off-line geotagging. Free GeoLite country database. Programmable APIs.
netcat
http://netcat.sourceforge.net/
netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
http://silktools.sourceforge.net/
http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (vmWare)
NetIntercept
http://www.sandstorm.net/products/netintercept
NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
rkhunter
http://rkhunter.sourceforge.net/
ngrep
http://ngrep.sourceforge.net/
nslookup
http://en.wikipedia.org/wiki/Nslookup Name Server Lookup command line tool used to find IP address from domain name
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
ssldump
http://ssldump.sourceforge.net/
Tcpdump
http://www.tcpdump.org
tcpextract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
truewitness
http://www.nature-soft.com/forensic.html
Linux/open-source. Based in India.
etherpeek
http://www.wildpackets.com/products/etherpeek/overview
Whois
http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for an internet domain.
http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
IP Regional Registries
http://www.arin.net/community/rirs.html
http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
http://www.afrinic.net/ African Network Information Center (AfriNIC)
http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
Wireshark/Ethereal
http://www.wireshark.org/
Open Source protocol analyzer previously known as ethereal.
Xplico
http://www.xplico.org/
Open Source Network Forensic Analysis Tool (NFAT).

Command-line tools

arp - view the contents of your ARP cache

ifconfig - view your MAC and IP address

ping - send packets to probe remote machines

tcpdump - capture packets

snoop - captures packets from the network and displays their contents - Solaris

nemesis - create arbitrary packets

tcpreplay - replay captured packets

traceroute - view a network path

gnetcast - GNU rewrite of netcat

packit - Packet generator

nmap

ARP and Ethernet MAC Tools

arping - transmit ARP traffic

arpdig - probe LAN for MAC addresses

arpwatch - Watch ARP changes

arp-sk - performs denial of service attacks

macof - CAM table attacks

ettercap - performs various low-level Ethernet network attacks.

CISCO Discovery Protocol Tools

cdpd - Transmit and receive CDP announcements; provides forgery capabilities.

ICMP Layer Tests and Attacks

icmp-reset

icmp-quench

icmp-mtu

ish - ICMP shell (like SSH, but uses ICMP)

isnprober


IP Layer Tests

iperf - IP multicast test

fragtest - IP fragment reassembly test

UDP Layer Tests

udpcast - Includes udp-receiver and udp-sender


TCP Layer

lft http://pwhois.org/lft - TCP tracing

etrace http://www.bindshell.net/tools/etrace

firewalk http://www.packetfactory.net