The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!). Both source tarball and binary tarballs are included.
12647279df0a167a813e91d94627b92abe1cca879d0528921db39c1d55eb68d2
A simple command-line converter written in C language that converts input as string or integer. ASCII to Binary/Decimal/Octal/Hexadecimal, Binary to Decimal/Octal/Hexadecimal, Decimal to Binary/Octal/Hexadecimal. ROT13 feature. Compiled .exe binary and .c source code included.
796b2b5468e36b70369a5b34c11207ff3752be9c113d8246e7c8f0ec4e0d5490
Quick and dirty blanket fix for the Microsoft Windows ANI zero-day vulnerabilities. Prevents loading cursors from outside the Windows directory.
3b81a136644b11b0a7ff108dd16f0475eb209f61cc7f58f1aa3a32ab34040fd2
Tcpip_lib is a library for Windows 2000 which allows constructing custom packets, IP spoofing, attacks, and more.
7b7d28e20ce44df14654770a6d3f6f32a8a6f339e181759cd463f36a347cc8df
NetBIOS Enumeration Utility (NBTEnum) is a utility for Windows that can be used to enumerate NetBIOS information from one host or a range of hosts. The enumerated information includes the network transports, NetBIOS name, account lockout threshold, logged on users, local groups and users, global groups and users, and shares. If run under the context of a valid user account additional information is enumerated including operating system information, services, installed programs, Auto Admin Logon information and encrypted WinVNC/RealVNC passwords. This utility will also perform password checking with the use of a dictionary file. Runs on Windows NT 4.0/2000/XP/2003. PERL source included.
b45e9b8f0dfd57e2ccef45caba51ab4a9a17ce8fc9154b6a7eaae3fb6e43d23c
USBDumper is a tool that silently copies content of an inserted USB device onto your PC.
b885d63e34380e079b1298f2bdf8035717e187d83fe46fbed2678afea4f95855
This tool allows you to impersonate user credentials (with namedpipes) and execute a shell. One of the best features of this tool is that it includes some new attack vectors (payload generator with -t parameter) to force network users to connect to a remote host (desktop.ini, html code, lnk files, url files,pps,) so smbrelay can also be used.
9346dee563fb29b2b3df7d23637e8761553627b823a55102ab2f1771384d41cb
This tool is able to duplicate all Tokens stored in the system by calling NtQuerySystemInformation(). Duplicated Tokens allow users with local Administrator rights to execute code with credentials of every user that is logged on to the system locally or over network. Default mode only extracts tokens from the lsass process.
1a0435ffe70c05e1ac855b72e2791c48ef936b97e049469b6101088dd1cb7a06
This tool enumerates all processes and threads running and shows their Token owner information. Users with SE_DEBUG_NAME privilege should be able to inject code on a local process and execute code with their privileges. This could be useful to obtain an interactive shell (at port 8080) when an user session is locked.
1ac149ac191a602c8eba43f12c04a137a7aacdf4f3d5eb3938a05335167236e8
Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified. Windows encryption and OpenSSL functions are also hooked so that plain text of data being sent and received over an encrypted session is also available. Traffic can be intercepted in real-time, or manipulated with regular expressions and action scripts
d10e18c9e1b0a1c6efdff4557cbcb55a342a8fca721bd7feff6117b515a49f92
The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory. The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called in run-time.
c4c5521266fe2983724a4c92b2958cb6d08257a47ffcb13f06d3e5fa16107ad3
The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory. The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called in run-time.
30d173c3ac0c5fdffc35b8ba8b0f94d4420dc0d38002684c850ab21c7af36253
SMAC 2.0 is a MAC Address spoofer for Windows 2000, XP and 2003 systems. Users can generate random MAC Address and SMAC will validate MAC Address before spoofing. User can pre-define MAC addresses and load the MAC Address list. Spoofed MAC Address can sustain from reboots.
e5bf8406e7688144292d1bc4926eb70f7b4361675d40e88002e181fec233e2a3
Metacab (meta.cab) is a single, inclusive Microsft CAB file of remote administration tools. The CAB file and everything within can be decompressed, installed and used with only cmd.exe. Includes: WinPcap needed for Nmap, DCOM RPC overflow exploit, Simple bat file to ping sweep a Class D, HOD's PnP exploit, Netcat CAB, Nmap CAB, VNC CAB.
a60e89fa97790be36ccc7b36ffd87b0d805831141fe3a210635d0d96ec3b1660
Metacab (meta.cab) is a single, inclusive Microsft CAB file of remote administration tools. The CAB file and everything within can be decompressed, installed and used with only cmd.exe. Includes: WinPcap needed for Nmap, DCOM RPC overflow exploit, Simple bat file to ping sweep a Class D, HOD's PnP exploit, Netcat CAB, Nmap CAB, VNC CAB.
6df9395304d34d112ac357e0da78b215accb202c11a9b4c7dca9b8baf4a52189
lbture is a local Windows account password brute forcer. It supports dictionary attacks and resume. Works on Windows NT/2K/XP/2K3.
2e23ce3907d604374fa8106db4486b2dc4796f5e95b4f5da2429c873316b47dd
HookExplorer is a small GPL utility designed to scan a target process and identify any IAT or detours style hooks that may be installed by unknown code. Data is presented in an easy to digest format and allows for custom filters to help trim results.
a2974dd2576c60e648ff3dbe58452a21fcab10547eb4c36da4259c015fcd4ea1
Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.
66e4dab7b1c77acc36e113c187db43fce3b3e2841a33f0be05bdce710d59e95b
Small bindshell (908 bytes for binary) for Windows compacted to 804 bytes with a little Headers modification. Both binary and Source code (VC++) included.
c24879c1a910a3cda9f80e94fd66cb18d753862ab5efbb173718dbd4591c8a19
Unofficial temporary fix for the critical Windows WMF vulnerability which Microsoft will patch on 1/10/06. Tested on Windows 2000, Windows XP, and Windows XP Professional 64 Bit. The author recommends switching to the official MS patch when it becomes available. Includes c++ source.
f039f0f7f62089f15c1b4bf49fa2d85fe6818e5786570d0b9566cd1d8f4db23b
MAC changing utility that can be used on Windows from the command line.
90c5fbc6757814acbd1f1a07456780bb3a9a61b9ef64a246eb092af41bd2f1e8
httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. httprint can import web servers from nmap network scans, if they are saved in XML format. The current version adds the ability to save reports in CSV and XML formats, and features a completely new method of scoring by confidence ratings to minimize false positives. This version is the Windows release.
0269ed87702b8247197f1b02cc80cd8c4664eb533c6726c854917c0b1aec0d4b
XPFiremon is a system tray application that will monitor the settings and services associated with the Windows firewall to ensure they are running. If they are disabled a warning is popped up onto the screen and the system tray icon will turn red. The program allows the user to configure, start, and stop the firewall.
1fc4fa43f4d412ab36f7e288d5f816dadbe5f5d46fd643f8ba0309d71ed93a3b
This is a GUI for the windows TCP portscanning tool ipEye. ipEye GUI comes with a copy of ipEye, and include visual basic 6 source code.
c69d3f4736a110468704dae8d908b9cf710651ad7daa097a86b90d9832a2de03
Valhala Honeypot is a simple and easy-to-use honeypot for Windows. It provides servers like ftp, finger, telnet, smtp, etc.
75d30e8c33a80f66ae44b0f1f6d3fb8d70f9803ef7578c3d3e4827af2673b5ab