Hydrogen

Hydrogen is a professional grade "Remote Access Trojan" specifically designed for penetration testing, but useful for many other things as well. Its design allows for bouncing off of hosts quickly and easily ("puddle jumping") and it has been specifically designed for speed, portability, security, and extensibility. It is now available with a one-year support contract for $5000 USD. This includes an on-site training session from Immunity, and ongoing discussions on how to adapt Hydrogen technology to your needs. Customization contracts are also available.

Hydrogen's client runs on Linux. Hydrogen's server will run on Windows, Tru64, AIX, Linux, Solaris, and almost any other platform.

Download the GPL version here.

A brief FAQ on Hydrogen follows:

Q: When was Hydrogen first written/why is it called Hydrogen?
A: Hydrogen was first written in December of 2000, and is the predecessor to Helium, a technology included with Immunity CANVAS. It was originally used for pen-testing at @stake and given out to customers for training and other purposes. Dave Aitel retained commercialization rights to the product, and continues to support it to this day.

Q: What kind of cryptography does Hydrogen use? Has there been a peer review?
A: A simple RSA and twofish protocol is used. Chris Anley (currently of NGS) found a lack of entropy in the original implementation, which has since been fixed. Due to the cryptographic code in Hydrogen, Immunity only distributes Hydrogen to US Citizens and customers.

Q: Why would I, or my company, purchase a product that's under the GPL?
A: Support, training, and a guarantee you got the real thing. Immunity can help you integrate Hydrogen into your processes and methodologies, and help you extend Hydrogen-based technology to incorporate your future needs. Hydrogen is a complex technology used in sensitive places - Immunity is your best choice for support, even if you have an internal team. As many commercial and military organizations produce their own Hydrogen-like tools, Immunity felt it was the right time to come to the market with a mature tool, which can be adapted to their needs. The new software economy is about customization and support, in other words. We follow the tradition of mySQL and RedHat and other Open Source companies in this.

Q: If Hydrogen is GPL, and it was distributed, why wasn't it available before?
A: This is a complex question for lawyers and IANAL, but it wasn't widely distributed by the recipients of the original versions, especially if you don't count leaks ("Divineint", a Singapore-based Warez-kiddie has been trading an older Hydrogen source tree for years now. )

Q: What kind of protocol does Hydrogen use?
A: An asynchronous RPC-like protocol. It is extremely easy to add new functionality to the protocol. For example, you could (and previous users have) easily add a local exploit, a portscanner, a module loader, or another special-purpose call to the protocol. This extensibility is important to the product, because each penetration test is different. File downloading is extremely fast, even for very large files.

Q: What other uses does Hydrogen have?
A: Hydrogen has been used as a replacement to SSHD, as a forensics tool (nice to drop onto a box you think is compromized), as a quick TCP/UDP port redirection tool (when run on localhost), and to give to a client who wishes you to do a pen test internally on their network, when it would be logistically infeasable to do so.