Tools

This section of the site provides links to many security-related tools, scripts and applications, including assessment tools, OSINT, forensic/DFIR and monitoring tools. Both open source and commercial products are linked. If you would like me to add a link to a favorite tool of yours, please drop me an e-mail.

Penetration Testing Tools

  • Responder – This tool is first and foremost an LLMNR and NBT-NS responder: it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix.
  • EyeWitness – EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.
  • Yersinia – Layer 2 DTP and root switch attack (VLAN hopping). Essentially, plugging a Pi onto a port and having that Pi emulate a trunk port.
  • ADRecon – A tool that extracts and combines various artefacts (as highlighted below) from an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.

Malware Analysis

  • RECmd – RECmd is the command line component of Registry Explorer and opens up a remarkable capability to script and automate registry data collection. It also assists in finding registry-based malware persistence.
  • Timeline Explorer – A program that started out as a means to view mactime and Plaso generated CSV timelines without the need to use Excel. From those two formats, it has expanded into a tool that supports a wide variety of file formats generated by forensic tools, in addition to any random CSV or Excel file you may run across.
  • ApateDNS – A must when undertaking dynamic memory analysis. This tool is perfect for controlling DNS responses through an easy-to-use GUI.
  • FLARE VM – FLARE VM is a Windows-based security distribution for malware analysis, incident response, and penetration testing.

DFIR

  • EVT Log Parser – EVT LogParser is a free event log parser that allows you to filter output according to a full-text search of the message text.
  • Event Log Explorer – Event Log Explorer is an effective software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. Event Log Explorer greatly simplifies and speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others).
  • RDP Cache Forensics – The RDP bitmap cache is a puzzle-like cache of images. During an RDP session the system takes snapshots of the screen. These images, however, are not the whole screen but only pieces of it, and chances are you will not have every piece either. This tool is not perfect, but it is a good start.
  • Highlighter – A utility designed primarily for security analysts and system administrators. Highlighter provides three views of the file being analyzed: a text view that highlights interesting keywords and removes lines with “known good” content; a full-content view that shows all content and the full structure of the file, rendered as an image that is dynamically editable through the user interface; and a histogram view that displays patterns in the file over time, so usage patterns become visually apparent and provide the examiner with useful metadata that is not available in other text viewers/editors.
  • PDBExtract – Enables you to explore symbolic type information as extracted from Microsoft programming database (PDB) files. This tool is primarily for reverse engineering Windows-based applications and for exploring the internals of Windows kernel components.
  • Heap Inspector – A heap visualization and analysis tool that collects a process’ heaps using both API and raw methods.