Free thc software for linux

THC-Probe is the ultimate host scanner compilation for Linux, featuring nmap, snmpscan, netbios auditing tool and super-cool vh shell script.

INSTALL: just run "make install". Everything will be installed in /usr/local

RUN: just run "netprobe" and see the options.

Every host scanned will be saved as a "host.bla.com.probe" file in your current directory.

It does many stuff like snmp guessing, samba pw guessing and information gathering.

Nothing great and big, but it suits my needs.

THC-Hydra is the best parallized login hacker: for Samba, FTP, IMAP, Telnet, POP3, HTTP Auth, LDAP, MySQL, VNC, ICQ, NNTP, Socks5, PCNFS, Cisco and more.

Includes SSL support and is part of Nessus. Visit the project web site to download Win32, Palm and ARM binaries.

Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.

Currently this tool supports:

TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, LDAP2, Cisco AAA (incorporated in telnet module).

This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

This tool is for legal purposes only!

If this tool is used as part of a commercial service (e.g. pentest), name, version and web address of this tool must be mentioned in the report.

If this tool is incorporated into a commercial tool (means: it costs money, has license costs or upgrade fees, etc.) or called by it, the name, version and web address of this tool must be mentioned in the report output of the tool. Addtionally, a commercial version, key file, etc. must be made available to the author free of charge.

THC-Shagg is a modular application to bruteforce check digit algorithms. THC-Shagg project can be used to gain information about serial numbers that use check digit algorithms.

Once THC-Shagg has analysed a set of serial numbers and found matching check digit algorithms, it is able to generate complete new serial numbers using a saved file containg the matched states.

This page demonstrates the use of THC-Shagg in "daily" life and lists some serial numbers, that have been successfully analysed using Shagg.

Development & Contributions

Youve found some serial numbers and were able to analyse the check digit algorithms using Shagg. Youve some new ideas, you know something about fresh or still un-implemented check digit algorithms. Contribute! And help us making THC Shagg more powerful. Feel free to drop an email to Plasmoid, plasmoid@thc.org.

If you are interested in joining THC, why not write some new classes for THC-Shagg or extend the current version to analyse Web session IDs or other serial numbers? The documented programming API to all classes and interfaces is available online. The source code for THC-Shagg is bundled with the current release, so that you can compile it yourself, if you want to.

How it works:

A check digit algorithm uses the digits of a serial number to construct a check digit, it is not necessary that the digits are numeric values, they can be extended to alpha-numeric values. THC-Shagg currently implements the following algorithms:

Full name Internal name
-------------------------------- ----------------
binary Modulus 7 DR Modulus 7
binary Modulus 9 DR Modulus 9
weighted Modulus 10 DR Modulus 10 Basic
weighted Modulus 10 Luhn Modulus 10 Luhn
weighted Modulus 10 IBM Modulus 10 CC
weighted Modulus 11 DSR Modulus 11

Future releases will implement more algorithms. To get a list of all available algorithms use the -A. For simplicity this version mixes binary and weighted algorithms, DR and DSR algorithms, future version of THC-Shagg may include separate options for binary, weighted, DR and DSR algorithms. As this is the first release, only the most common algorithms have been implemented.

For details on the concept of each algorithms consult the source code of THC-Shagg or browse the web, there are some good information covering these algorithms.

Most of the algorithms above operate using so called weights. Weights are just a sequence of numbers that are multiplied with the individual digits of the serial number to be checked. THC-Shagg generates all weights up to a specified length and checks the serial numbers against all of these weight using all algorithms.

Example: All weights up to length 3

1,2,3,4,5,6,7,8,9,
01,02,03,04,05,06,07,08,09,10,...99
001,002,003,004,005,006,007,...999

THC-Shagg ignores all weights that only consist of zeros because they result in fault-positives and are not used in check digit algorithms.

In order to find the position of a check digit, THC-Shagg splits the serial numbers into partitions. A partition has a head and a tail, these parts are ignored during analysis of the serial numbers. THC-Shagg generates all partitions up to a specified minimum length where length is the length of the part to be analyzed. The programs checks the serial number against these partitions using weights and algorithms.

THC-RWWWShell is proof-of-concept Perl program for the paper "Placing Backdoors through Firewalls".
It allows communicating with a shell through firewalls and proxy servers by imitating webtraffic. The master/slave relation is reversed, therefore no listening ports are used on the target machine.
THC-RWWWShell was verified to work on Linux, Solaris, AIX and OpenBSD
BUGS: some Solaris machines: select(3) is broken, wont work there on some systems Perls recv is broken (AIX, OpenBSD) ... we cant make proper receive checks here. Workaround implemented.
Enhancements:
- HTTP 1.0 protocol compliance (finally)

THC-LEAPcracker suite contains tools to break the NTChallengeResponse encryption technique e.g. used by Cisco Wireless LEAP Authentication.

Also tools for spoofing challenge-packets from Access Points are included, so you are able to perform dictionary attacks against all users.

THC-Snooze is a framework for network traffic analysis. THC-Snooze project can be used as a sniffer or a network based intrusion detection system.

It will watch the network traffic and invoke small programs ("modules" or "protocol dissectors"), which are easily written in a script language, to gather information from the data.

The possible applications for THCsnooze range from simple and advanced sniffing to passive network auditing. It is possible to write modules that will track a connection until a successful login occured. Or you can check if a client application establishes with a ssl enabled server (insecure) SSLv2 connections.

Getting Started:

So, let us imagine you want to write a module for snooze and you dont know the protocol. (I will illustrate these steps on a well known protocol so its maybe easier to understand why we are doing these steps).

First we need some sample data to analyze. We make a copy of the dump_tcp.lua file and change the first line to match our needs:

"-- :xxx_no_proto:1:tcp:" to "-- :xxx_no_proto:21:tcp:"

We start snoozed:

# snoozed -i en0 -M modules/ -b -c t0 -D 10
THCsnoozed-0.0.6 by THC
DEBUG: loading modules ...
...

After we got one or two connections sniffed and stored we quit snooze. Now, we can use hxdmp to view the logs (well, you can use your favourite text editor to do that):

$ ./hxdmp -c t0/127.0.0.1_31231_127.0.0.1_21_0001.complete
hxdmp - THCsnooze hexdump by THC

00000000 32 32 30 20 6c 6f 63 61 6c 68 6f 73 74 20 46 54 | 220 loca lhost FT
00000010 50 20 73 65 72 76 65 72 20 28 74 6e 66 74 70 64 | P server (tnftpd
00000020 20 32 30 30 35 30 31 30 31 29 20 72 65 61 64 79 | 2005010 1) ready
00000030 2e 0d 0a 55 53 45 52 20 67 75 65 73 74 31 0d 0a | ...USER guest1..
00000040 33 33 31 20 50 61 73 73 77 6f 72 64 20 72 65 71 | 331 Pass word req
00000050 75 69 72 65 64 20 66 6f 72 20 67 75 65 73 74 31 | uired fo r guest1
00000060 2e 0d 0a 50 41 53 53 20 41 41 41 41 0d 0a 32 33 | ...PASS AAAA..23
00000070 30 2d 0d 0a 53 59 53 54 0d 0a 46 45 41 54 0d 0a | 0-..SYST ..FEAT..
00000080 50 57 44 0d 0a 20 20 20 20 57 65 6c 63 6f 6d 65 | PWD.. Welcome
00000090 20 74 6f 20 42 6f 78 30 30 31 21 0d 0a 32 33 30 | to Box0 01!..230
000000a0 20 55 73 65 72 20 67 75 65 73 74 31 20 6c 6f 67 | User gu est1 log
000000b0 67 65 64 20 69 6e 2e 0d 0a 32 31 35 20 55 4e 49 | ged in.. .215 UNI
000000c0 58 20 54 79 70 65 3a 20 4c 38 20 56 65 72 73 69 | X Type: L8 Versi
000000d0 6f 6e 3a 20 74 6e 66 74 70 64 20 32 30 30 35 30 | on: tnft pd 20050
000000e0 31 30 31 0d 0a 32 31 31 2d 46 65 61 74 75 72 65 | 101..211 -Feature
000000f0 73 20 73 75 70 70 6f 72 74 65 64 0d 0a 20 4d 44 | s suppor ted.. MD
00000100 54 4d 0d 0a 20 4d 4c 53 54 20 54 79 70 65 2a 3b | TM.. MLS T Type*;
00000110 53 69 7a 65 2a 3b 4d 6f 64 69 66 79 2a 3b 50 65 | Size*;Mo dify*;Pe
00000120 72 6d 2a 3b 55 6e 69 71 75 65 2a 3b 0d 0a 20 52 | rm*;Uniq ue*;.. R
00000130 45 53 54 20 53 54 52 45 41 4d 0d 0a 20 53 49 5a | EST STRE AM.. SIZ
00000140 45 0d 0a 20 54 56 46 53 0d 0a 32 31 31 20 45 6e | E.. TVFS ..211 En
00000150 64 0d 0a 32 35 37 20 22 2f 68 6f 6d 65 2f 67 75 | d..257 " /home/gu
00000160 65 73 74 31 22 20 69 73 20 74 68 65 20 63 75 72 | est1" is the cur
00000170 72 65 6e 74 20 64 69 72 65 63 74 6f 72 79 2e 0d | rent dir ectory..
00000180 0a | .

The red data is send from server to client; the green from client to server. We can see here that user guest1 is logging in with password AAAA. It is time to write a module that can extract this information from the logfile.

Grenzgaenger is a Socks like hacker tool for tunneling nmap, netcat and exploits transparently through systems into protected networks.

THC-Grenzgaenger tool is in ALPHA state!

Please dont use it for anything illegal. Just play around with it, and it would be nice if you would give me feedback.

Image the following:

You are here this is a firewall this is a DMZ server where
| allowing only port 443 you able to put a tool on
| | |
v v v
*** *** ***
***-------------------------***------------------+-------***
*** *** | ***
|
+-> +-------***
| |
many more DMZ server --+-> +-------***
| |
+-> +-------***

and you would like to reconnaissance on that DMZ as you have been able to
get at least one server there.
Interactive login maybe a no-go, as it might be a Win95 machine, chrooted
environment on linux, or some weird old HP-UX 9.0 machine were all the cool
tools dont compile.

This is were Grenzgaenger comes into play.
It allows you to use many tools on your local console, as if you *would*be*
having your laptop hooked up to the DMZ.

I currently just verified that the stuff is working on my SuSE Linux 8.1.
Your experience may vary.

How to use it:

Run the first tunnel proxy server on your own machine:

./ggd

Do the same on the target machine. Use the -p option to choose a different listening port than 443.

Edit the gg shell script and change the

GG_TUNNEL="127.0.0.1:444:test"

value to point to the target machine.

e.g.
GG_TUNNEL="192.168.13.3:443:test"

In the session where you want to use the proxy, just do:

gg command options

e.g.
gg netcat 192.168.13.3 23