Sniffing & Spoofing

77 tools

Above is a network security sniffer designed for pentesters and security professionals to find vulnerabilities in network hardware through traffic analysis. It supports live interface listening and analysis of existing pcap files without generating noise on the network.

apple-bleee provides experimental scripts that demonstrate what information an attacker can extract from Apple devices by sniffing Bluetooth traffic. It requires a Bluetooth adapter for BLE messages and a Wi-Fi card with monitor mode for AWDL communication.

arping sends ARP and/or ICMP requests to a specified host and displays the replies. The host can be identified by hostname, IP address, or MAC address.

arpwatch monitors Ethernet/FDDI station activity by maintaining a database of MAC address and IP address pairings. It alerts system administrators via email on changes such as new stations, flip-flops, or reused addresses.

bettercap is a complete, modular, portable and easily extensible MITM framework serving as a Swiss Army knife for 802.11, BLE, IPv4 and IPv6 network reconnaissance and attacks. It provides an all-in-one solution for security researchers, red teamers and reverse engineers.

bettercap-ui provides the web-based user interface for Bettercap, a powerful network security tool. It enables users to interact with Bettercap's features through a graphical web interface.

Calico is a networking and network security solution for Kubernetes, virtual machines, and bare-metal workloads. calicoctl is the command line tool used to manage Calico resources, policies, and node instances.

Chisel is a fast TCP/UDP tunnel over HTTP, secured via SSH. It provides a single executable for both client and server modes, useful for bypassing firewalls and secure network access.

Cryptcat is a lightweight version of netcat extended with Twofish encryption for secure data transfer across TCP or UDP network connections. It serves as a reliable back-end tool for network debugging, exploration, and scripted operations.

darkstat is a packet sniffer that runs as a background process and serves network traffic statistics to a web browser. It provides input and output IP traffic by machines, ports, and protocols, along with graphical views for last minute, hourly, daily, and monthly global traffic.

DHCPig is a DHCP exhaustion script that consumes all available IP addresses on a LAN, preventing new users from obtaining IPs. It also releases IPs in use, sends gratuitous ARP, and knocks Windows hosts offline.

dns2tcp is a set of tools to encapsulate TCP sessions inside DNS packets, creating a TCP-over-DNS tunnel. It allows tunneling traffic through firewalls that only permit DNS traffic.

DNSChef is a highly configurable DNS proxy for penetration testers and malware analysts. It allows faking DNS responses to redirect traffic to local machines for analysis and interception.

Driftnet captures and displays images from network traffic by listening to TCP streams. It is particularly useful on hosts with high web traffic volumes.

dsniff is a suite of tools for sniffing network traffic to detect cleartext insecurities. It includes utilities to sniff passwords, forge DNS replies, intercept ARP, and perform man-in-the-middle attacks on SSH and HTTP/HTTPS.

Ettercap is a multipurpose sniffer, interceptor, and logger for switched LANs supporting active and passive dissection of many protocols. It enables man-in-the-middle attacks, data injection, packet filtering, and comprehensive network analysis.

Spoofs SSDP replies to phish for NTLM hashes on a network. It responds to SSDP multicast discovery requests, posing as a generic UPnP device that appears in Windows Explorer.

Ferret-sidejack monitors network traffic and extracts interesting data from it. It can feed data to the hamster tool or output to text files for analysis with indexers and grep.

Fragrouter is a network intrusion detection evasion toolkit that manipulates IP fragments to bypass intrusion detection systems. It supports various fragmentation techniques for testing and evasion purposes.

FTester is a tool for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities. It simulates real TCP connections and employs evasion techniques for stateful inspection firewalls and IDS.

A software-defined radio receiver for Mode S transponder signals, including ADS-B reports from equipped aircraft. Supports multiple output formats like raw data, parsed text, SQLite, KML, SBS-1, and FlightGear.

Hamster is a sidejacking tool that acts as a proxy server, replacing your cookies with stolen session cookies to hijack others' sessions. Cookies are sniffed using the Ferret program.

HexInject is a versatile command-line packet injector and sniffer for raw network access. It facilitates creating shell scripts to read, intercept, and modify network traffic transparently.

Cross-platform command line tool for handling hosts files. Adds, removes, or lists mappings in the hosts file.

hping3 is a network tool for sending custom ICMP/UDP/TCP packets and displaying target replies like ping. It supports testing firewall rules, port scanning, network performance testing, and more.

Hubble provides network, service, and security observability for Kubernetes using eBPF. It enables deep visibility into service communication and networking infrastructure transparently.

INetSim is a software suite for simulating common internet services in a lab environment. It is particularly useful for analyzing the network behavior of unknown malware samples.

Tool for tunneling IPv4 data through a DNS server. Usable where internet access is firewalled but DNS queries are allowed.

Internetwork Routing Protocol Attack Suite (irpas) is a collection of programs for advanced network operations, testing, and debugging. It includes tools for route injection, protocol spoofing, and security testing.

libfindrtp is a library required by multiple VoIP tools in Kali Linux. It provides essential functionality for handling VoIP-related network traffic.

Utility for manipulating the MAC address of network interfaces. Makes changing MAC addresses easier to thwart tracking by marketing firms and agencies.

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server by replying to DHCPv6 messages and providing victims with a link-local IPv6 address.

mitmproxy is an interactive man-in-the-middle proxy for HTTP and HTTPS traffic. It allows inspection and editing of traffic flows on the fly via a console interface.

Multimac creates multiple MAC addresses on a single network adapter. It is a Linux virtual Ethernet tap allocator for emulating multiple virtual interfaces with different MAC addresses on a LAN.

multimon-ng is a digital radio transmission decoder that supports multiple modes commonly found on VHF/UHF bands. It is the successor to multimon with improved compatibility for modern systems.

Ncat is a feature-packed networking utility that reads and writes data across networks using TCP and UDP. It serves as a reliable back-end tool for providing network connectivity to applications and users.

NetSED is a network packet-altering stream editor that modifies the contents of packets in real time as they are forwarded through the network. It supports tasks like protocol auditing, fuzzing, integrity testing, and content filtering.

netsniff-ng is a high performance Linux network sniffer for packet inspection. It uses zero-copy mechanisms to avoid kernel-to-userspace packet copying.

Netwox is a comprehensive networking toolbox with over 200 tools for sniffing, spoofing, scanning, and protocol testing. Netwag provides a graphical frontend for easily searching, constructing, and running these netwox tools.

ngrep is a pcap-aware tool that applies GNU grep features to network traffic, allowing extended regular expressions to match packet data payloads. It supports TCP, UDP, and ICMP across various interfaces and understands BPF filter logic like tcpdump.

ohrwurm is a small RTP fuzzer tested on SIP phones. It fuzzes RTP traffic between two hosts using MITM techniques.

Portspoof enhances OS security by making all 65535 TCP ports appear open and emulating services on them to deceive port scanners. It returns SYN+ACK for every connection attempt and generates fake banners using a database of service signatures.

Proxify is a Swiss Army Knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay. It supports intercepting, filtering, dumping, and replaying traffic into tools like Burp.

ptunnel tunnels TCP connections over ICMP echo request and reply packets, acting as a proxy that handles the sockets and provides secured identification. It is useful in closed networking environments behind firewalls and proxies.

Redsocks is a daemon that transparently tunnels any TCP connection via a remote SOCKS4, SOCKS5 or HTTP proxy server. It uses the system firewall's redirection facility for system-wide interception without relying on LD_PRELOAD libraries.

Responder is an LLMNR, NBT-NS and mDNS poisoner that captures credentials by responding to broadcast/multicast name resolution requests and acting as a rogue authentication server.

rtpbreak detects, reconstructs, and analyzes RTP sessions from packet captures or live network traffic. It generates output files for further analysis with tools like Wireshark or SoX without requiring RTCP packets or specific signaling protocols.

rtpflood is a command line tool used to flood any device that is processing RTP. It sends multiple RTP packets from a source IP and port to a target IP and port.

rtpinsertsound inserts audio into a specified RTP stream by spoofing packets. It supports mixing WAV files or tcpdump captures into live audio streams.

rtpmixsound mixes pre-recorded audio in real-time with the audio in a specified target RTP stream. It spoofs RTP packets to inject the mixed audio into the live stream.

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It can replace tools like hping, most of nmap, arpspoof, and tcpdump.

Secure Socket Funneling provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS link to a remote computer. This package offers 32-bit and 64-bit Windows binaries for SSF.

SentryPeer is a SIP peer-to-peer honeypot for VoIP that collects bad IP addresses and phone numbers from fraudulent actors attempting calls. It enables peer-to-peer sharing of this data while allowing users to retain ownership and control over their collected information.

SIPp is a free, open-source test tool and traffic generator for the SIP protocol. It includes basic SipStone user agent scenarios and supports custom XML scenario files for complex call flows.

sipsak is a small command line tool for developers and administrators of Session Initiation Protocol (SIP) applications. It can be used for simple tests on SIP applications and devices.

SniffJoke is a transparent TCP connection scrambler that delays, modifies, and injects fake packets into transmissions to make them nearly impossible for passive wiretapping tools like IDS or sniffers to read correctly.

Snort is a libpcap-based packet sniffer and logger that operates as a lightweight network intrusion detection system. It uses rules-based logging to detect attacks including buffer overflows, stealth port scans, CGI attacks, and SMB probes, with real-time alerting to syslog, files, or Windows hosts via Samba.

Spooftooph automates spoofing or cloning of Bluetooth device Name, Class, and Address. This allows a Bluetooth device to hide in plain sight by matching information of another device.

ssldump is an SSLv3/TLS network protocol analyzer that dumps and analyzes network traffic for SSLv3/TLS connections. It decodes the traffic and, with appropriate keying material, decrypts and displays application data.

sslsniff is an SSL/TLS man-in-the-middle attack tool that dynamically generates certificates for intercepted domains. It supports silent interception via techniques such as null-prefix and OCSP attacks.

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It transparently intercepts connections, terminates SSL/TLS, and logs all transmitted data.

sslstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and maps those links into look-alike HTTP links or homograph-similar HTTPS links.

Universal TLS encryption wrapper for network daemons. Adds TLS functionality to non-TLS aware services without code changes.

Multi-protocol packet injector tool for *nix systems supporting 15 protocols including TCP, UDP, ICMP, and routing protocols. Capable of high-performance flooding up to 1,000,000 packets per second with CIDR support.

tcpdump is a command-line network traffic analyzer that dumps traffic on a network. It examines various packet types including IPv4, IPv6, TCP, UDP, and others.

tcpflow captures TCP connection data streams and stores them in separate files for protocol analysis or debugging. Unlike tcpdump which shows packet summaries, tcpflow reconstructs the actual data flows.

TCP stream sniffer and connection tracker that uses libpcap to track, reassemble, and reorder TCP streams. It can save captured flows to files or display them in the terminal with various modes like hexdump, ASCII, printable characters, raw, or colorized.

Tcpreplay replays saved tcpdump files at arbitrary speeds to test NIDS performance by replicating real network traffic. It allows control over replay speed and supports editing packets for comprehensive network device testing.

tundeep is a Layer 2 VPN/injection tool that resides almost entirely in user space on the victim, requiring only pcap. It supports client and server modes for binding or connecting over IP and port.

UDPTunnel tunnels UDP packets bi-directionally over a TCP connection. It enables multimedia conferences to traverse firewalls that allow only outgoing TCP connections and can also be used for security testing within networks.

Provides legacy integration for VLAN configuration with ifupdown and a compatibility wrapper for the deprecated vconfig program using iproute2 commands. Supports VLAN (802.1q) interface management on Kali Linux.

VoIP Hopper is a security tool that performs VLAN hop tests and VoIP infrastructure security assessments. It enables rapid testing of VLAN security and VoIP network configurations through CDP sniffing and spoofing.

vopono runs applications through VPN tunnels using temporary network namespaces. It enables running select applications through different VPNs simultaneously while keeping the main connection normal.

vpnc is a Cisco-compatible VPN client for connecting to Cisco 3000 VPN Concentrators and EasyVPN equipment. It operates entirely in userspace using the tun driver.

Wireshark is a network protocol analyzer that captures and interactively inspects network traffic. It provides both graphical (wireshark) and console (tshark) interfaces for packet analysis.

xspy is an X server sniffer that captures keystrokes on remote or local X Window System servers. It connects to an X display to monitor and record input activity.

Yersinia is a framework for performing layer 2 attacks by exploiting weaknesses in various network protocols. It serves as a tool for analyzing and testing deployed networks and systems.