The Rekall Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital
artifacts from volatile memory (RAM) samples. The extraction techniques are
performed completely independently of the system being investigated but offer
visibility into the runtime state of the system. The framework is intended to
introduce people to the techniques and complexities associated with extracting
digital artifacts from volatile memory samples and provide a platform for
further work into this exciting area of research.
Heimdal is an implementation of Kerberos 5, largely written in Sweden
(due to crypto export legal issues in the US at the time). It is freely
available under a three-clause BSD-style license.
Scanhill is a Microsoft Messenger Protocol Sniffer. Currently it can only
intercept Instant Text Messaging. Optionally, intercepted text messages can be
stored in an RDBMS (only MySQL is supported for now). Given that MySQL is
used, stored instant messages can be read through a browser interface that is
written in PHP. Please see the INSTALL.txt file for instructions on
how to install, configure and run EnderUNIX scanhill.
ScanSSH supports scanning a list of addresses and networks for open proxies,
SSH protocol servers, Web and SMTP servers. Where possible, ScanSSH displays
the version number of the running services. The ScanSSH protocol scanner supports
random selection of IP addresses from large network ranges and is useful for
gathering statistics on the deployment of SSH protocol servers in a company
or the Internet as a whole.
The scrypt key derivation function was originally developed for use in
the Tarsnap online backup system and is designed to be far more secure
against hardware brute-force attacks than alternative functions such as
PBKDF2 or bcrypt.
SSHBlock is a daemon to monitor a syslog log for break-in attempts using
SSH, and to automatically block bad hosts by adding lines to /etc/hosts.allow
(TCP Wrappers). Several thresholds are pre-defined so that hosts making many
attempts within a longer or shorter period can be blocked.
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
network connections. Connections are transparently intercepted through a
network address translation engine and redirected to SSLsplit. SSLsplit
terminates SSL/TLS and initiates a new SSL/TLS connection to the original
destination address, while logging all data transmitted. SSLsplit is intended
to be useful for network forensics and penetration testing.
"... sslwrap is a simple Unix service that sits over any simple TCP service
such as POP3, IMAP, SMTP, and encrypts all of the data on the
connection using TLS/SSL. It uses ssleay to support SSL version 2 and
3. It can run out of inetd. It can also encrypt data for services
located on another computer.
It works with the servers you already have, and does not require any
modifications to your existing servers. ..."
Of course, it works with OpenSSL, too.
Sudoscript provides an audited shell using sudo(8) and script(1).
The front end script, sudoshell(1) contacts the daemon, sudoscriptd(8).
They agree on the location of a FIFO, which the daemon opens for reading.
Sudoshell then runs script(1) with the FIFO as a typescript. The daemon
stamps each line of the script(1) output with a session id, then passes
the data over to another daemon. This daemon timestamps the data and stores
it in a log file, /var/log/sudoscript. This daemon also keeps an eye
on the size of log files, and forks a rotator/compressor when it exceeds 2
MBytes.
tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and
encryption to create a secure private network between hosts on the Internet.
Because the tunnel appears to the IP level network code as a normal network
device, there is no need to adapt any existing software. This tunnelling
allows VPN sites to share information with each other over the Internet
without exposing any information to others.
A single tinc daemon can accept more than one connection at a time, thus
making it possible to create larger virtual networks, because some
limitations are circumvented.
Unlike most other VPN implementations, tinc encapsulates each network
packet in its own UDP packet, instead of encapsulating all into one TCP or
even PPP over TCP stream. This results in lower latencies, less overhead,
and in general better responsiveness and throughput.
LICENSE: GPL3 or later with exception to link with OpenSSL