File2pcap updated - now supports pop3/imap/smtp 12/04/2014 06:56
Posted by: warlord
I just posted the updated version 0.95 of file2pcap. The tool now also creates pcaps of files being transferred as email attachments via smtp/pop3/imap., besides the original functionality of creating pcaps showing a file being downloaded from an http server.

file2pcap - written by warlord /
Version: 0.95
Takes a file as input and creates a pcap showing a client grabbing that file from a webserver or transferring it it by email(smtp/pop3/imap).

-m mode h - http / s - smtp / p - pop3 / i - imap [default: http]
-o outfile output filename
-p port[:port] specify source and/or destination port. -p 1234:80 will show a tcp connection from port 1234 to port 80

./file2pcap [options] infile

./file2pcap malware.pdf
./file2pcap -mshp malware.pdf
./file2pcap -mi malware.pdf -o outfile.pcap

Poison updated to 1.5.41 09/18/2014 05:34
Posted by: warlord
I had to release a bugfix here. Poison 1.5.4 had a minor change in how it determines its own source IP address. As a result that code broke when scanning hostnames, or ranges of hostnames. So while poison 1.5.3 would happily scan, version 1.5.4 would not. This has now been fixed. Don't ask how this could have possibly evaded me.

Poison 1.5.4 released 08/20/2014 03:49
Posted by: warlord
A new release of my scanner. As usual, there are bugs fixed, features added, and code improved. The Changelog:

- Cleaned up banner/banner.c.
- Copied the default banner grabbing code from banner.c into its own file banner/00_tcp_default.c
- Made the default banner grab module send a http header if it doesn't receive anything for few seconds
- Changed the naming scheme of the protocol handlers in subfolder banner/
- Fixed an embarassing bug when the portstring on the commandline was too long
- Added simple ssh banner grab support
- Added support for random UDP scans. Before, random scans were TCP only
- Added support for IPMI over TCP. Poison will request auth 'none'
- Changed the poison.csv log file format! Added a field for the protocol
- Fixed a bug that prevented the fingerprinting option -o to actually display the result
- Re-added the -t option to specify the time between packets
- Changed scan options. Now -sS for syn scan and -sU for udp scan. Same syntax like that other scanner
- Added README
- Changed packet TTL from 255 to 64
- Fixed/Improved fingerprinting. Sadly that meant the prints have to be re-collected. Thanks for the patches vanHauser @ THC
- Fixed a major performance bug in the receive code
- By default UDP packets will now send a 4 byte random payload instead of none. This is only true in combination with the -b option.
- Improved auto detection of source IP address
- Fingerprints will be read out of an easily editable text file now. This is additionally to the internal, hardcoded fingerprints
- Added UPNP support. A UDP reply from port 1900 will result in a TCP connection to the indicated port to try and grab the config
- Decreased default delay between packets from 1800 to 1500 nano seconds. See DEFAULT_DELAY in poison.h, or grep poison.c for usleep();
- Updated ip-to-country database (Thanks
- Added two small functions at the end of packets.c. They are called for tcp and udp to determine whether to use specific source ports for packets to specific destination ports

It's available for download in the 'code' section

Fuzzball2 updated 03/07/2014 02:24
Posted by: warlord
I finally updated my TCP/IP options fuzzer 'fuzzball2'. I was quite embarassed when I had to realize that the checksums for many of the packets were bad in older versions. The new release fixes all of these. Happy fuzzing!

Poison 1.5.3 released 04/23/2013 04:59
Posted by: warlord
It took me way too long, but finally I have a new release of my portscanner Poison. Here's the changelog from 1.5.3:

-- Added code to automatically save every single scan into ~.poison/poison-scans.csv
- Open ports won't be reported twice when banner grabbing is enabled
- Http banner only collects useful information
- Http banner grabbing now speaks HTTP/1.1 instead of HTTP/1.0
- Added portmapper support for banner grabbing. Now shows which services a portmapper offers
- Made OS fingerprinting a flag. Removes a lot of clutter from the output if disabled (-o)
- Added daemon mode (-d)
- Improved telnet banner grabbing
- Updated the random IP exclude list (random.c)
- Added country (top level domain) display to the scans
- Removed option -I
- Removed option -t
- Added flag to allow logging to a remote host (-z)
- Improved OS fingerprint handling

It's available for download in the 'code' section