Overview

Remote-Exploit: professional security research since 2001.

KeyKeriki

Now, 1.5 years after releasing our whitepaper "27Mhz Wireless Keyboard Analysis Report" on the insecurity of wireless keyboards, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This open-source hardware and software project enables anyone to verify the security level of their own keyboard transmissions and/or demonstrate the sniffing attacks (for educational purposes only).

The hardware itself is designed to be small and versatile. It can be extended to cover keyboard traffic that is currently undetected or unknown, and/or with hardware extensions such as a repeater module or an amplifier.

Read more...


SIPcrack

SIPcrack is a suite of tools to sniff and crack the digest authentication used within the SIP protocol.

The tools support pcap files, wordlists and more, so that all required information can be extracted and the passwords of the sniffed accounts brute-forced.

See the README and CHANGELOG file for more information.

Download: SIPcrack-0.4.tar.gz

SHA-1: 3d32c710a4c9bac8a5050ec5e06a6f8d8b015aab


Wyd

wyd is a password profiling tool that extracts words/strings from supplied files and directories. It parses files according to their file type and extracts the useful information, e.g. song titles, authors and so on from MP3 files, or descriptions and titles from images.

It supports the following file types: plain, html, php, doc, ppt, mp3, pdf, jpeg, odp/ods/odp, and it can also extract raw strings.

Download: wyd-0.2.tar.gz

SHA-1: 45d8bceb158f0f0864be77b0869cc463f6813dc0


saltymd5

saltymd5 is a small and simple tool that automates brute-force / wordlist attacks against salted MD5 hashes. It supports dictionary input via named pipes and can therefore be used in combination with john.

See the README file for more information.

Download: saltymd5-0.2.tar.gz

SHA-1: 941945c973aedcff9cec7d6506c7c16230d36361


Busting The Bluetooth Myth

During the last year, rumours had come to my attention that apparently it is possible to transform a standard 30 USD Bluetooth® dongle into a full-blown Bluetooth® sniffer. Thinking you absolutely need hardware to be able to hop 79 channels 1600 times a second, I was rather suspicious about these claims.

This paper is the result of my research into this area, answering the question whether it is possible or not.

Download: busting_bluetooth_myth.pdf

SHA-1: c6d6a15baa2410ded491b468c902eedea3b87b4c


CUPP v3

People spend a lot of time preparing for an effective dictionary attack. Common User Passwords Profiler (CUPP) is made to simplify this attack method, which is often used as a last resort in penetration testing and forensic crime investigations. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.


Going through different combinations and algorithms, CUPP can predict specific target passwords by exploiting human vulnerabilities. In password creation, as in many aspects of life, everybody tries to be original, but thanks to human nature we all tend to be original in the same way, which leads to almost complete predictability.

Common User Passwords Profiler version 3 comes with some fixes and new options!

Download: cupp-3.0.tar.gz

SHA-1: 477e8e8c060f0da2e2039dc3af1ba4b17a421cd1


evade_disablecmd_vba_macro.zip

A Word macro to evade the DisableCMD policy setting. The zip file contains an example .doc file with the macro and a .reg file to set/delete the policy setting. The macro copies cmd.exe and patches one byte to overcome the DisableCMD policy setting. Nothing fancy, but working.

Download: evade_disablecmd_vba_macro.zip

SHA-1: 4558149d59a88e748a38e22ef776ecefb09df506


Exe2vba_max

A Word macro to include and extract an exe within Word. I needed to include an executable in a Word macro. Unfortunately, the Metasploit tool exe2vba is built to integrate the exe into the macro code itself. That does not work on larger files because of limitations within Word. My code instead extracts the exe from the Word document itself. I randomized every variable and function name as well as the magic itself. The exe can be attached to existing documents as well. I will remove the code as soon as the Metasploit team merges it into their codebase.

Download: exe2vba_msf_patch.tar.gz

SHA-1: 7dbd87510d6346fad5ed76df46f11a72d51cf315


BlueBugger

bluebugger is an implementation of the bluebug technique, which was discovered by Martin Herfurt from the Trifinite Group. It can be used to dump data such as the phonebook and SMS messages from vulnerable mobile phones.

It was tested with the following phones: Nokia 6310i, Nokia N72 and Sony Ericsson T68i.

Download: bluebugger-0.1.tar.gz

SHA-1: 2ab01a8b00de145f33875beafc4053e10a217879


Psnuffle

Psnuffle is a credentials sniffer module for the Metasploit framework.

It has been removed from our website because it is now integrated into the Metasploit SVN repository.

You can get it using the command:

svn co http://metasploit.com/svn/framework3/trunk/


bed

bed (aka 'Bruteforce Exploit Detector') is a plain-text protocol fuzzer that checks software for common vulnerabilities such as buffer overflows, format string bugs, integer overflows, etc.

Supported protocols: finger, ftp, http, imap, irc, lpd, pjl, pop, smtp, socks4 and socks5

Co-Author: Eric Sesterhenn

Download: bed-0.5.tar.gz

SHA-1: 22a56f64d49df3032f656d687544943018bb68e9


5NMP

5NMP is an SNMP scanner and brute-forcer for MS Windows. SNMP is the Simple Network Management Protocol (RFC 1157). It is used by many, if not most, companies to manage and monitor their infrastructure. It is also often overlooked in terms of security and underestimated as an attack vector.

Download: 5NMP.tar.gz

SHA-1: 1d8310fb505d1f4270406f8d2059a23cf72adac1


Pirelli Discus DRG A225 WiFi Router

A vulnerability in the algorithm used to derive the default WPA2-PSK.

Download: Pirelli_Discus_DRG_A225_WiFi_router.pdf

SHA-1: e6bb5aca7f11ab7bca445d282acace7e38056c34


LiquidFM Mod

Increase quality by adding an antenna. Kensington's LiquidFM is a device that transmits audio from my iPod to my car radio.

The transmission quality suffers, especially in crowded areas. By adding an antenna, one can enhance the signal strength and therefore get better sound into the car radio. Check out the video tutorial for the details.


HotSpotter

Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and compares them to a supplied list of common hotspot network names.

If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate.

Download: hotspotter-0.4.tar.gz

SHA-1: c573a75dff6386e1dbb98bc3121f0daf4e297afe


Wellenreiter

Wellenreiter is a wireless network discovery and auditing tool. It is one of the easiest to use Linux wireless scanning tools available. No card configuration has to be done anymore. The whole look and feel is pretty self-explanatory. It can discover networks (BSS/IBSS) and detect ESSID-broadcasting or non-broadcasting networks, as well as their WEP capabilities and the manufacturer information, automatically.


The development of Wellenreiter has stopped.

Old Project Site: http://wellenreiter.sf.net


ICMPchat

icmpchat is a simple, encrypted chat that is based on the ICMP protocol. The ICMP types and codes used can be specified manually, e.g. ICMP_ECHO for one side and ICMP_ECHOREPLY for the other, to hide the conversation.

The payload of the ICMP packet carries the actual data and is encrypted with AES-256, using the SHA-256 hash of a user-supplied password as the key.

Download: icmpchat-0.7.tar.gz

SHA-1: 45d8bceb158f0f0864be77b0869cc463f6813dc0


Archive/

Over the years, lots of small pieces of code, papers, etc. have been created that are no longer considered important enough to have their own space on this page.

That is why we moved them into the Archive.

Visit Archive...