Free thc probe software for linux

THC-Probe is the ultimate host scanner compilation for Linux, featuring nmap, snmpscan, netbios auditing tool and super-cool vh shell script.

INSTALL: just run "make install". Everything will be installed in /usr/local

RUN: just run "netprobe" and see the options.

Every host scanned will be saved as a "host.bla.com.probe" file in your current directory.

It does many stuff like snmp guessing, samba pw guessing and information gathering.

Nothing great and big, but it suits my needs.

fprobe is a small NetFlow probe which will listen on a network interface. It isusing libpcap, aggregate the traffic and export NetFlow V5 datagram to a remote collector for processing. A flow is identified by ip protocol, source ip, source port, destination ip, destination port.
Right now only ethernet interfaces are supported. Support for more media types (tunnel, ppp etc) will be added in nex versions.
/fprobe -t IP:PORT [ -i interface ] [ -s scan ] [ expression ]
-t IP:PORT NetFlow collector address
-i interface interface to listen for traffic (default eth0)
-s scan interval in seconds between two flow tables scans (Default: 10)
-c file file with MAC definitions
-p dont put the interface in promisc mode
-b go in background (daemon mode)
-l file log file name
expression a bpf expresion to filter traffic (See libpcap/tcpdump)
For example:
./fprobe -i eth2 -t 127.0.0.1:8182
This will sniff the traffic on interface eth2 and will send the NetFlow data to localhost (127.0.0.1) on UDP port 8182.
Internal flow table is parsed every scan seconds for expired flows which are sent to remote collector.
Enhancements:
- can handle IP fragments
- can set the snmp interface ID based on source/destination MAC address
- fixed uptime in exported flows
- new hash function for internal storage
- delay between udp datagrams emited

THC-Parasite v1.2 allows you to sniff on switched networks by performing ARP man-in-the-middle spoofing. Selective targets, DOS and various other features present.
Have you ever sniffed on a switch? Without special tools you will see no (no thats not true, but lets simplify that statement) which is not destined for your machine. This gives you 3 options to do to be able to sniff on the LAN.
1) ARP Spoofing
2) MAC Flooding
3) MAC duplicating
4) Routing attacks
5) hook your laptop to the uplink trunk
1+2+3 are possible with this tool
3 you can also do with any linux/solaris/etc. via the ifconfig command
4 I know no good tools for this (except icmp_redir)
5 needs physical access to the switch component.
For 2, there are already a few tools available, the best is the one by Dug Song as part of dsniff. See http://www.monkey.org/~dugsong/ For 1, you will only find tools which send fake ARP packets to defined single machines. This is not effective if you want to sniff the whole LAN. Thats what this tool is for, bypass the basic switch security to be able to see all traffic on the LAN.
With this tool you can NOT sniff on a different VLAN on the same switch! There are other ways to do this ...
Enhancements:
- made OpenBSD port (tcp/ip config via sysctl)
- made Solaris port (tcp/ip config via ndd)
- added sysctl support for Linux (before directly /proc writing was done)
- added -p percent option, to give a percent chance for every arp request being replied. this is a nice features for DOS.
- renamed LINUX_SPEED_HACK to SPEED_HACK as it works as well on Solaris and OpenBSD.

mrtg-mica-probe is a Telebit MicaBlazer modem usage probe.
mrtg-mica-probe is a modem usage probe for the ITK NetBlazer 6100 (formerly Telebit MicaBlazer) 3.32. It is used to monitor the number of used modem and ISDN lines.
The latest release of mrtg-mica-probe can always be found on the web at http://pwo.de/projects/mrtg/ or via anonymous ftp at ftp://ftp.pwo.de/pub/pwo/mrtg/mrtg-mica-probe/.
mrtg.cfg-mica shows some sample mrtg.cfg entries.
Enhancements:
- added documentation to workaround a Telebit bug that might prevent SNMP from starting correctly.

mrtg-ntap-probe can probe for Network Appliance NetCache caching appliance and NetApp Filer.

mrtg-ntap-probe retrieves the disk and file (inode) utilization by volume or quota tree name, so you do not need to find the right OID, which might change over time as you add and/or remove volumes and quota trees.

You need a recent release of mrtg 2.x, perl 5.003 or better, a NetApp NetCache appliance with NetCache release 5.1 or better and/or a Network Appliance Filer running Data Ontap 6.0 or better.

If you have a Network Appliance service contract and access to their software tools library on now.netapp.com, you should also take a look at their mrtg-filer and mrtg-netcache packages!

mrtg-ping-probe project monitors round trip time and packet loss to another host. Still on my TODO list: add own min/max/avg rtt calculation, add perl ping module, add rping and rsh support...
mrtg-ping-probe is a ping probe for MRTG 2.x. It is used to monitor the round trip time and packet loss to networked devices. MRTG uses its output to generate graphs visualizing minimum and maximum round trip times or packet loss.
mrtg-ping-probe depends on the following software being installed on your system: perl (at least version 5.6.1), mrtg (I use version 2.8.8, though any mrtg 2.x version should work), and a ping program that displays a summary of the round trip times upon termination or timeout.
mrtg-ping-probe runs on AIX, BSD/OS 2.1, FreeBSD/2.2.x, IRIX/6.2, Linux, Mac OS X (Darwin 5.4), NetBSD, OpenBSD, OS/2, OSF1 V3.2, Solaris 1.1.2 (SunOS 4.1.4), Solaris 2.5.1 (SunOS 5.5.1), Solaris 7 (SunOS 5.7), Solaris 8 (SunOS 5.8), Solaris 9 (SunOS 5.9), HP-UX 9, Windows 98, and Windows 2000 (english, french, portugesee, and spanish locales).
If you install the Windows ping program that comes with Windows 98, Windows 2000, or WinSock 2.x, mrtg-ping-probe will also run on Windows 95 and Windows 4.0.
Support for additional systems is usually easy to add, as described in the file INSTALL.
Act responsible: do not use mrtg-ping-probe to ping devices without the owners permission. Just imagine 10,000 people would decide to ping your hosts ... mrtg-ping-probe is meant to be used within your network to get round trip time performance figures for your network.
Usage: mrtg-ping-probe [-hsvV] [-d deadtime] [-k count] [-l length] [-o ping_options] [-p [factor*]{min|max|avg|loss|integer}/[factor*]{min|max|avg|loss|integer}] [-r [rsh:][user@]host[:osname]] [-t timeout] host
Enhancements:
- new platforms supported: italian Windows 2000 locale.
- bugfixes: on Windows actually return deadtime when we lost all packets, not 0. the ping child process should actually be killed now on Unix platforms.
- changes: ***** Possible Incompatability ***** raised minimum required perl version to 5.6.1. lots of typos fixed.

THC-Snooze is a framework for network traffic analysis. THC-Snooze project can be used as a sniffer or a network based intrusion detection system.

It will watch the network traffic and invoke small programs ("modules" or "protocol dissectors"), which are easily written in a script language, to gather information from the data.

The possible applications for THCsnooze range from simple and advanced sniffing to passive network auditing. It is possible to write modules that will track a connection until a successful login occured. Or you can check if a client application establishes with a ssl enabled server (insecure) SSLv2 connections.

Getting Started:

So, let us imagine you want to write a module for snooze and you dont know the protocol. (I will illustrate these steps on a well known protocol so its maybe easier to understand why we are doing these steps).

First we need some sample data to analyze. We make a copy of the dump_tcp.lua file and change the first line to match our needs:

"-- :xxx_no_proto:1:tcp:" to "-- :xxx_no_proto:21:tcp:"

We start snoozed:

# snoozed -i en0 -M modules/ -b -c t0 -D 10
THCsnoozed-0.0.6 by THC
DEBUG: loading modules ...
...

After we got one or two connections sniffed and stored we quit snooze. Now, we can use hxdmp to view the logs (well, you can use your favourite text editor to do that):

$ ./hxdmp -c t0/127.0.0.1_31231_127.0.0.1_21_0001.complete
hxdmp - THCsnooze hexdump by THC

00000000 32 32 30 20 6c 6f 63 61 6c 68 6f 73 74 20 46 54 | 220 loca lhost FT
00000010 50 20 73 65 72 76 65 72 20 28 74 6e 66 74 70 64 | P server (tnftpd
00000020 20 32 30 30 35 30 31 30 31 29 20 72 65 61 64 79 | 2005010 1) ready
00000030 2e 0d 0a 55 53 45 52 20 67 75 65 73 74 31 0d 0a | ...USER guest1..
00000040 33 33 31 20 50 61 73 73 77 6f 72 64 20 72 65 71 | 331 Pass word req
00000050 75 69 72 65 64 20 66 6f 72 20 67 75 65 73 74 31 | uired fo r guest1
00000060 2e 0d 0a 50 41 53 53 20 41 41 41 41 0d 0a 32 33 | ...PASS AAAA..23
00000070 30 2d 0d 0a 53 59 53 54 0d 0a 46 45 41 54 0d 0a | 0-..SYST ..FEAT..
00000080 50 57 44 0d 0a 20 20 20 20 57 65 6c 63 6f 6d 65 | PWD.. Welcome
00000090 20 74 6f 20 42 6f 78 30 30 31 21 0d 0a 32 33 30 | to Box0 01!..230
000000a0 20 55 73 65 72 20 67 75 65 73 74 31 20 6c 6f 67 | User gu est1 log
000000b0 67 65 64 20 69 6e 2e 0d 0a 32 31 35 20 55 4e 49 | ged in.. .215 UNI
000000c0 58 20 54 79 70 65 3a 20 4c 38 20 56 65 72 73 69 | X Type: L8 Versi
000000d0 6f 6e 3a 20 74 6e 66 74 70 64 20 32 30 30 35 30 | on: tnft pd 20050
000000e0 31 30 31 0d 0a 32 31 31 2d 46 65 61 74 75 72 65 | 101..211 -Feature
000000f0 73 20 73 75 70 70 6f 72 74 65 64 0d 0a 20 4d 44 | s suppor ted.. MD
00000100 54 4d 0d 0a 20 4d 4c 53 54 20 54 79 70 65 2a 3b | TM.. MLS T Type*;
00000110 53 69 7a 65 2a 3b 4d 6f 64 69 66 79 2a 3b 50 65 | Size*;Mo dify*;Pe
00000120 72 6d 2a 3b 55 6e 69 71 75 65 2a 3b 0d 0a 20 52 | rm*;Uniq ue*;.. R
00000130 45 53 54 20 53 54 52 45 41 4d 0d 0a 20 53 49 5a | EST STRE AM.. SIZ
00000140 45 0d 0a 20 54 56 46 53 0d 0a 32 31 31 20 45 6e | E.. TVFS ..211 En
00000150 64 0d 0a 32 35 37 20 22 2f 68 6f 6d 65 2f 67 75 | d..257 " /home/gu
00000160 65 73 74 31 22 20 69 73 20 74 68 65 20 63 75 72 | est1" is the cur
00000170 72 65 6e 74 20 64 69 72 65 63 74 6f 72 79 2e 0d | rent dir ectory..
00000180 0a | .

The red data is send from server to client; the green from client to server. We can see here that user guest1 is logging in with password AAAA. It is time to write a module that can extract this information from the logfile.

THC-vlogger is an advanced linux kernel based keylogger, enables the capability to log keystrokes of all administrator/users sessions via console, serial and remote sessions (telnet, ssh), switching logging mode by using magic password, stealthily sending logged data to centralized remote server.
THC-vloggers smart mode can automatically detect password prompts to log only sensitive user and password information.
Main features:
- Log keystrokes of all user sessions
Console, serial console
Telnet/SSH remote sessions
- Stealth mechanism
No syscall modifying, nearly impossible to detect
UDP packets of log data can not be seen from the box itself
- Multiple logging modes and methods
Support three logging modes
Switch between logging modes by specific keys sequence
Default toggle character is CTRL-]
- Dumb mode
Logs all keystrokes
- Smart mode
Ability to detect password prompt automatically to log only sensitive data such as user/password (ssh, telnet, su, sudo, ftp, ...)
- Normal mode
Stop logging mode
- Log methods
Log to files
Remote log over network
Transmits log data via UDP to a specified machine
System users neither see nor sniff log packets
Sniffers such as tcpdump on the box can not see the traffic
Bypass local network filtering/firewall rules
- Log data
Separated logging for each tty/session
Each tty has their own log buffer
Easier to track sessions
- Timestamps logging
Nearly support all special chars
Arrow keys (left, right, up, down), Home, Page Up, Page Down
F1 to F12, Shift+F1 to Shift+F12
ALT- and CTRL- combinations
Tab, Insert, Delete, End, Backspace, ...
Support line editing keys included CTRL-U and Backspace