Table of Contents

See also Peenemuende project: forensics:

Operating System

For workshops, a LiveCD solution:

Arudius 0.5 (LiveCD): http://www.fosstools.org/

Taxonomy

A first attempt at a taxonomy: exploratory tools, (active/passive) probes, reconstruction, interpretation, visualisation, decryption and encryption; a beginning to making sense of captured material.

This taxonomy could also follow, and to some extent critique (or allow for a philosophical examination of), the OSI model of networking, as follows:

[ref: http://catalyst.washington.edu/help/computing_fundamentals/networking/osi.html ]

Physical layer - hardware (antennas, probes, sound cards as ADCs)

Transport layer - signal tools (oscilloscope, spectrum analysis). Note that "transport" here means the transmission medium; the OSI transport layer proper is layer 4 (TCP/UDP), which belongs with the protocol-examination tools of the next item.

Further layers - protocol examination, encryption and decryption/steganography [again active and passive]

And above this: visualisation and making sense of data sets, toolkits, frameworks and languages

Assembling tools below according also to:

1] background/framework

2] collection/logging

3] decoding and interpretation

4] visualisation/recoding/fiction

Software:

with short descriptions:

xoscope: http://xoscope.sourceforge.net/

xoscope is a digital oscilloscope that uses a sound card (via /dev/dsp or EsounD) and/or a Radio Shack ProbeScope (Cat. No. 220-0310), a.k.a. osziFOX, as the signal input.

Wireshark (ethereal): http://www.wireshark.org/

network protocol analyser (formerly known as ethereal)

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Scapy: http://www.secdev.org/projects/scapy/

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, …), etc.

Kismet: http://www.kismetwireless.net/

Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and, given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.

GeoIP: http://www.maxmind.com/app/c

LGPL database and C library matching IP addresses to country codes

PyPcap, dpkt: http://code.google.com/p/pypcap/ ← packet capture (pypcap, a simplified object-oriented Python extension module for libpcap) and dissection (dpkt) libraries

  1. Standalone packet logger (Linux) w/GeoIP matching: http://selectparks.net/~julian/share/pcap_collate.tar.gz
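The three entries above (Wireshark, Scapy, pypcap/dpkt) all turn on the same two things: the libpcap file format that Wireshark, tcpdump and pypcap share, and dissecting the frames inside it. The following is an added example, not code from the page or from any of those projects: a pure Python libpcap writer and reader, Ethernet/IPv4/TCP and ARP decoding, and a small check for the trace an arpspoof-style ARP cache poisoning leaves behind (one IP claimed by two MACs). The frames, MAC and IP addresses and timestamps are constructed here, IPv4 options are not handled and the TCP checksum is left at zero; those are assumptions of the example, not facts from the page.

```python
# Added example, not code from the page or from pypcap/dpkt/Wireshark: a pure Python
# libpcap writer/reader with Ethernet, IPv4/TCP and ARP decoding. All frames, MACs,
# IPs and timestamps are constructed here; IPv4 options unhandled, TCP checksum left 0.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def ip_checksum(data):
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF      # RFC 1071; yields 0 over a header whose checksum is valid

def build_ethernet(dst_mac, src_mac, ethertype, payload):
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags=0x02):   # 0x02 = SYN
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + tcp

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):   # op 1=request, 2=reply
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, sender_mac,
                       socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))

def write_pcap(records):
    """records: iterable of (seconds as float, frame bytes) -> libpcap blob."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame); accepts either byte order and stops at a truncated tail."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            break                   # capture cut short: drop the partial last record
        yield sec + usec / 1_000_000, data[pos:pos + incl_len]
        pos += incl_len

def decode_frame(frame):
    """Ethernet -> IPv4/TCP or ARP fields; other ethertypes are left undecoded."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": ethertype}
    p = frame[14:]
    if ethertype == ETH_IPV4 and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        info.update(src_ip=socket.inet_ntoa(p[12:16]), dst_ip=socket.inet_ntoa(p[16:20]),
                    proto=p[9], ip_checksum_ok=ip_checksum(p[:ihl]) == 0)
        if p[9] == 6 and len(p) >= ihl + 20:
            info["sport"], info["dport"] = struct.unpack("!HH", p[ihl:ihl + 4])
            info["tcp_flags"] = p[ihl + 13]
    elif ethertype == ETH_ARP and len(p) >= 28:
        info.update(arp_op=struct.unpack("!H", p[6:8])[0], sender_mac=p[8:14].hex(":"),
                    sender_ip=socket.inet_ntoa(p[14:18]), target_ip=socket.inet_ntoa(p[24:28]))
    return info

def arp_conflicts(decoded):
    """IPs claimed by more than one MAC in ARP replies: what arpspoof-style poisoning leaves in a capture."""
    claims = {}
    for d in decoded:
        if d.get("arp_op") == 2:
            claims.setdefault(d["sender_ip"], set()).add(d["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def demo():
    """Constructed capture: one TCP SYN, then two ARP replies both claiming the gateway IP."""
    gw, host, rogue = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\xde\xad\xbe\xef\x00\x01"
    syn = build_ipv4_tcp("192.168.1.10", "10.0.0.5", 40000, 80)
    real = build_arp(2, gw, "192.168.1.1", host, "192.168.1.10")
    fake = build_arp(2, rogue, "192.168.1.1", host, "192.168.1.10")
    frames = [(1000.0, build_ethernet(gw, host, ETH_IPV4, syn)),
              (1000.5, build_ethernet(host, gw, ETH_ARP, real)),
              (1001.0, build_ethernet(host, rogue, ETH_ARP, fake))]
    decoded = [decode_frame(f) for _, f in read_pcap(write_pcap(frames))]
    return decoded, arp_conflicts(decoded)

if __name__ == "__main__":
    print(demo())
```

The blob returned by write_pcap() opens unchanged in Wireshark or tcpdump -r, which is a quick way to cross-check a hand-rolled dissector against a reference one. Two caveats the reader is bound to hit on real captures: the file may be in either byte order (the magic tells you which), and a capture that was killed mid-write ends in a partial record, which the reader above drops rather than raising.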

gdb: http://sourceware.org/gdb/

local and remote examination of execution, memory snooping, modification, paring.

Tempest for Eliza: http://www.erikyyy.de/tempest/ ← Intended as reference software.

[see also: http://www.eskimo.com/~joelm/tempest.html ]

Also: wavemon, baudline, further spectrum analysis [http://www.wireless.org.au/%7ejhecker/specan/]

Visualisation and examination: baudline again (for raw data), octave, gnuplot, Python visualisation (scipy, others).
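What the signal tools listed above (xoscope, baudline, the spectrum-analysis links) do with a sound-card input reduces to one step: take a buffer of PCM samples, window it, transform it, and pick out the peaks. The following is an added example, not code from the page or from xoscope/baudline: a minimal spectrum analyser over a constructed 16-bit PCM buffer of the kind /dev/dsp hands out, with a clipping check because a saturated ADC produces harmonics that are not in the signal. The 8 kHz sample rate and the test tones are assumptions of the example; it is written in pure Python so it runs anywhere, where scipy's FFT would be used in practice.

```python
# Added example, not from the page or from xoscope/baudline: spectrum analysis of a
# constructed 16-bit PCM buffer. The 8 kHz rate and the tones are assumptions;
# the O(n^2) DFT is deliberate so nothing beyond the standard library is needed.
import math

SAMPLE_RATE = 8000          # Hz, assumed sound-card sampling rate
PCM_MAX = 32767             # full scale of a signed 16-bit sample

def make_pcm(tones, n, rate=SAMPLE_RATE):
    """Constructed signed 16-bit samples: a sum of (frequency_hz, amplitude) sines."""
    return [int(sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)) for i in range(n)]

def clipped(samples):
    """True if the input saturated the ADC; a clipped trace shows spurious harmonics."""
    return any(abs(s) >= PCM_MAX for s in samples)

def spectrum(samples, rate=SAMPLE_RATE):
    """Hann-windowed DFT magnitude for bins 0..n/2, as (frequency_hz, magnitude)."""
    n = len(samples)
    w = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, s in enumerate(samples)]
    out = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(w))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(w))
        out.append((k * rate / n, math.hypot(re, im)))
    return out

def dominant_frequencies(samples, rate=SAMPLE_RATE, floor=0.1):
    """Frequencies of local maxima that rise above floor x the strongest bin.
    Leakage into neighbouring bins from the window is not a local maximum, so it is skipped."""
    spec = spectrum(samples, rate)
    peak = max(m for _, m in spec)
    return [spec[k][0] for k in range(1, len(spec) - 1)
            if spec[k][1] > floor * peak
            and spec[k][1] > spec[k - 1][1] and spec[k][1] > spec[k + 1][1]]

def demo():
    samples = make_pcm([(1000, 10000), (2500, 6000)], 256)   # constructed two-tone input
    return clipped(samples), dominant_frequencies(samples)

if __name__ == "__main__":
    print(demo())   # (False, [1000.0, 2500.0])
```

With 256 samples at 8 kHz each bin is 31.25 Hz wide, so the tones land exactly on bins 32 and 80; a tone between bins spreads over two of them and the reported frequency is the nearer bin, which is the resolution limit any of the listed tools also works under for a given buffer length.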

Hardware/equipment:

Cantenna materials: pigtail, N connectors; photo-diodes and amplifiers; spectrum analysis tools (DIY or Wi-Spy)

[detailed references and schematics to fill in]

Reference Material, Hardware

LED pulse transduction/parsing: http://www.mee.tcd.ie/~bruckerj/projects/forwardcomp.html

Live Membrane modulation parsing:

  1. CRT (van Eck) phreaking: http://jya.com/emr.pdf

Reading Memory out of hardware context:

  1. Electromagnetic Induction attacks on semiconductors: http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf

Silence on the Wire / other references:

expand this list with references:

netstat, netcat (nc), ntop, nmap, ngrep, tcpdump, snort, hping2, dsniff,

nemesis (command-line packet injection): http://nemesis.sourceforge.net/

iwspy and plotting:

http://wordpress.calgarymesh.ca/2006/08/09/using-iwspy-to-monitor-signal-strengths-in-ad-hoc-networks/

http://users.skynet.be/chricat/signal/signal-strength.html