bLackhammer: 2006

TXDNS 2.0.0 – DNS Digger for Brute Force

TXDNS 2.0.0 has been released.

TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques:

Typos
TLD rotation
Dictionary attack
Brute force

This new version features a distributed model which further boosts TXDNS’s parallelism and performance. This model allows a TXDNS client to send jobs to a TXDNS server over a clear or encrypted TCP channel.

For example, to put a TXDNS host on listening mode:

> txdns -l

By default TXDNS listens on port 5353. On the client side you may postany query jobs by appending ‘-c xx.xx.xx.xx’ to the regular query syntax (where xx.xx.xx.xx is the host’s IP running TXDNS on listening mode), for example:

> txdns foo.com -rt -t -c xx.xx.xx.xx

Using -cr instead of -c will force the TXDNS server to redirect all output to the client, so basically you get the results from the server’s job right on the client console. Note that file system streams are not redirected, which means that any file switches (-f or -h) will still have the remote host as root reference.

To encrypt all the traffic between the client and the server just append ‘–key ‘ to the regular syntax on both the client and server.

A new –countdown option has been added as a very basic synchronization mechanism, and by default, any jobs, no matter remote or local will now delay for 5s before firing. If you want to bypass this countdown delay you’ll have to add ‘–countdown 0′.

You can read more and download at:

http://www.txdns.net

XSS Shell v0.3.9 – Cross Site Scripting Backdoor Tool

XSS Shell is a powerful XSS backdoor which allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application. Demonstrates the real power and damage of Cross-site Scripting attacks.

WHAT IS XSS SHELL ?

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by XSS-Proxy (http://xss-proxy.sourceforge.net/). Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim, you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.

FEATURES

XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

Features:

Regenerating Pages
Keylogger
Mouse Logger (click points + current DOM)

Built-in Commands:

Get Keylogger Data
Get Current Page (Current rendered DOM / like screenshot)
Get Cookie
Execute supplied javaScript (eval)
Get Clipboard (IE only)
Get internal IP address (Firefox + JVM only)
Check victim’s visited URL history
DDoS
Force to Crash victim’s browser

Online URL (Download, Screenshots, demo etc.):

http://ferruh.mavituna.com/article/?1338

Download :

http://www.portcullis-security.com/tools/free/XSSShell039.zip
or
http://ferruh.mavituna.com/xssshell/download/xssshellv039.zip

SinFP 2.0.4

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.

Nmap approaches to fingerprinting as shown to be efficient for years. Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization technologies, its approach to OS fingerprinting is becoming to be obsolete.

SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with only 1 test giving the OS reliably in most cases).

SinFP 2.04 is now available, which for the first time, can now run under Windows ActivePerl.

More info here:

SinFP

SinFP has now more than 130 signatures in its database.

For Windows users, follow these instructions:

This was tested with ActivePerl 5.8.8.819, with PPM v4.0.

  # If you are behind a proxy:
 C:\> set http_proxy=http://username:password@proxy:port

 # Add gomor repository
 C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx

 # Disable all other repo, if you have many. Or only ActiveState repo
 # by default
 C:\> ppm repo 1 off
 ...
 C:\> ppm install Net-SinFP

 # Re-enable all other repo
 C:\> ppm repo 1 on
 ...

 Launch it:
 C:\> perl C:\perl\site\bin\sinfp.pl

If you have error messages about failing to load some .dll, go to www.microsoft.com. Then, in the search field, type in vcredist_x86.exe, download it and install it.

Backframe (Formerly Backweb) JavaScript Attack Console

There has been a recent release of Backframe (Formerly Backweb) Attack Console.

Backframe Attack Console was started as an experiment to create a full featured attack console for exploiting web browsers, web users and remote applications. Those who are familiar with XSS Proxy or even BEEF might already be familiar with the core principles of the project.

The console is based on simple client-server interaction. Both parts are required for successful operation. The server, also known as the attack channel, provides functionalities for establishing bi-directional communication with remote clients. On the other hand, the console is responsible for interacting with the channel providing the necessary toolkit for launching attacks against these clients.

The result of these core principles is an easy to use and understand web-client-oriented attack framework that keep the data, the presentation layer, and the underlying logic apart. This design is known as “the separation of concerns model”. This is highly effective practice which allows to easily extend upon the core elements.

Right now it is quite stable and it should work well with attack channels similar to the one described here:

Persistent Bi-directional Communication Channels

Check the AttackAPI project for the attack channel complete source code.

More information here:

Backframe

You can try out Backframe here:

Backframe Application

NMAP 4.20

This is just a simple warning to all NMAP users out there. If you’re registered on the announcement mailing list you already now this, otherwise, heads up.

NMAP 4.20 has been released with something that looks promising. 2nd generation OS detection. The changelog is available here.

Metasploit 3.0 Beta 3

The Metasploit Framework is an advanced open-source exploit development platform. The 3.0 tree represents a complete rewrite of the 2.0 codebase and provides a scalable and extensible framework for security tool development. The 3.0 Beta 3 release includes support for exploit automation, 802.11 wireless packet injection, and kernel-mode payloads.

Windows users are now presented with a RXVT console and an updated Cygwin environment, which greatly improves the usability of the 3.0 interface on the Windows platform.

The Metasploit Web Interface is still in development, but this release includes a preview of what the end functionality will look like. The web interface provides a “webtop” interface for interacting with the framework and uses aynschronous javascript to provide live searching. A early version of Metasploit IDE is also included with the web interface.

Downloads for all platforms can be found here:
– http://metasploit.com/projects/Framework/msf3/#download

The latest version can be pulled directly from Subversion:

$ svn co http://metasploit.com/svn/framework3/trunk/

Unix users may need to install the openssl zlib and dl ruby modules for the Framework to load. If you are using Ubuntu you will need to run the following commands:

# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby
# apt-get install libdl-ruby

Unix users who wish to try the new web interface will need to install the ‘rubygems’ package and the ‘rails’ gem. Please see www.rubyonrails.com for more information and platform-specific installation instructions.

Users of other distributions or Unix flavors may want to grab the latest version of ruby from www.ruby-lang.org and build it from source. We highly recommend using Ruby version 1.8.4 or newer.Windows users will need to exit out of any running Cygwin-based applications before running the installer or using the Framework. The old 3.0 installation should be uninstalled prior to installing and using this version.

The release packages include Subversion repository information allowing you to synchronize your Beta 3 installation with the live development tree. The Windows installer includes a “MSFUpdate” menu item that uses Subversion to download the latest updates.Unix users will need to install the Subversion client change into the framework directory and execute ’svn update’.

On Unix systems, Subversion will complain about the self-signed certificate in use at metasploit.com. Please verify that the fingerprint matches the one below before accepting it:

Hostname: metasploit.com
Valid: from Jun 3 06:56:22 2005 GMT until Mar 31 06:56:22 2007 GMT
Issuer: Development The Metasploit Project San Antonio Texas US
Fingerprint: 1f:a2:8e:ad:14:57:53:75:b7:ab:de:67:e8:fa:17:49:76:f2:ee:ad

Metasploit 2.7

The Metasploit Framework is an advanced open-source exploit development platform. The 2.7 release includes three user interfaces, 157 exploits and 76 payloads.The Framework will run on any modern operating system that has a working Perl interpreter. The Windows installer includes a slimmed-down version of the Cygwin environment.

Windows users are encouraged to update as soon as possible. A number of improvements were made that should make the Windows experience a little less painful and a lot more reliable. All updates to 2.6 have been rolled into 2.7, along with some new exploits and minor features.

You can download the new metasploit here:

– Unix: http://metasploit.com/tools/framework-2.7.tar.gz
– Win32: http://metasploit.com/tools/framework-2.7.exe

A demonstration of the msfweb interface is running live from:

– http://metasploit.com:55555/

This may be the LAST 2.x version of the Metasploit Framework. All development resources are now being applied to version 3.0. More information about version 3.0 can be found online at:

– http://metasploit.com/projects/Framework/msf3/

Exploit modules designed for the 2.2 through 2.6 releases should maintain compatibility with 2.7. If you run into any problems using older modules with this release, please let us know.

For more information about the Framework and this release in general, please refer to the online documentation, particularly the User Guide:

– http://metasploit.com/projects/Framework/documentation.html

Vulnerability Assessment and Operational Security Testing Methodology (VAOST) – version 0.2

Here is a newly released VA methodology, the author believes it to be more focused, and thus cost effective VA process. It may map to internal work, but it is probably more suited to external sites.

It’s gone through a couple of revisions so it’s a bit more polished now.

You can find the notes on the first version here.

Version 0.2 has been released after some community endorsement, there is still some work to do though, they hope to add the following shortly:

Pre stages to get management buy in
A complete worked example that shows the kind of results that can be produced
A more complete list of or supporting implementing software
A more complete list of attack tools for the authorisation checklist.
Better graphics
A standalone collection of the checklists

You can download VAOST version 0.2 here:

VAOST 0.2 (doc version)

The author welcomes your feedback and comments. The VAOST forum area where you can get the files will accept guest (ie un-registered) posts so you can add your comments there if you desire (note we will delete defamatory and rude posts to prevent our being sued!).

It is work in progress and we still have a long way to go, but hopefully, we can get there with your help.

The general VAOST forum can be found here.

AttackAPI 0.8 JavaScript Hacking Suite

AttackAPI provides simple and intuitive web programmable interface for composing attack vectors with JavaScript and other client (and server) related technologies. The current release supports several browser based attacking techniques, simple but powerful JavaScript console and powerful attack channel and associated API for controlling zombies.

The standalone components of the library can be found at the following locations:

One infrastructure tool is available here:

http://www.gnucitizen.org/projects/attackapi/build/inf/channel.php

I would recommend AttackAPI 0.8 to everyone who is interested in high-end hacking not because I wrote it but because it provides a good demonstration of what is possible today. That, I hope will take our awareness even further.

AttackAPI slowly moves to its 1.0 release where I am planning to standardize its core, fix discovered bugs and make it even more cross-platformed. Still, there is a long way to go but I am willing to take my chances. There are plans for 0.9 but I will keep them undisclosed for now.

So what 0.8 has to offer? There are a couple of things that worth attention. I will start in chronological order.

The Client interface can be used to enumerate the current client. It has functionalities to fingerprint the current operating system, installed plugins, the browser in use and the local NATed IP address and hostname. This tool is brilliant for doing the first steps of any targeted attack.

The Server, on the other hand, can be used to fingerprint the current server. It provides information about its domain, IP address, platform, server software and the application architecture. Its purpose is to identify what is currently available. That is important because the Web is very distributed and agile network and controlling dozens of infected clients is a mission on its own.

Full information on AttackAPI is available here:

AttackAPI 0.8

w3bfukk0r 0.2 Forced Browsing Tool

w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. Features:

HTTP/HTTPS(SSL) support
Banner grabbing
User-Agent faking
Proxy support (HTTP/S)
Reports found and non-existend directories

Example output:

w3bfukk0r http://nion.modprobe.de
Starting w3bfukk0r 0.2
Scanning http://nion.modprobe.de/ with 76 words from words.txt

Found http://nion.modprobe.de/tmp/ (HTTP 200)
Found http://nion.modprobe.de/blog/ (HTTP 200)
Found http://nion.modprobe.de/img/ (HTTP 200)
Found http://nion.modprobe.de/setup/ (HTTP 200)

Found 4 directories.
Server runs: Apache/2.0.54 (Debian GNU/Linux) PHP/5.1.4-0.1~bpo2

Scan finished (5 seconds).

Note: Not all webservers are handling HTTP status codes correctly, so if the webserver doesn’t care about RFCs the report generated by w3bfukk0r may include false positives. Maybe we’ll find a good method to detect those false positives.

You can download w3bfukk0r 0.2 here:

w3bfukk0r-0.2.tar.gz

Medusa version 1.3

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Version 1.3 of Medusa is now available for public download.

Medusa currently has modules supporting: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison you can see here.

This release fixes several autoconf issues and a number of minor bugs.

You can find the Medusa homepage here and download Medusa here:

Medusa 1.3

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms/distributions (OpenBSD, Debian, Ubuntu, Darwin, Solaris).

Taof 0.1 Network Protocol Fuzzer

Taof is a GUI cross-platform Python generic network protocol fuzzer. It has been designed for minimizing set-up time during fuzzing sessions and it is especially useful for fast testing of proprietary or undocumented protocols.

Taof aids the researcher during the data retrieval process by providing a transparent proxy functionality that forwards and logs requests from a client to a server. After the data retrieval phase, Taof presents the logged requests and allows the user to specify the fuzzing points within the requests.

This is the first public release, and as it is in beta state, every comment/suggestion/request is more than welcome. Contact regarding the project can be made by posting to the web forums or directly mailing the project’s administrator.

Source code, windows binaries and guide are now available for download. Screenshots are also provided.

http://sourceforge.net/projects/taof

Wyd – Automated Password Profiling Tool

Wyd is a neat tool I found recently for Password Profiling.

In current IT security environments, files and services are often password protected. In certain situation it is required to get access to files and/or data even when they are protected and the password is unknown.

wyd.pl was born out of those two of situations:

A penetration test should be performed and the default wordlist does not contain a valid password
During a forensic crime investigation a password protected file must be opened without knowing the the password.

The general idea is to personalize or profile the available data about a “target” person or system and generate a wordlist of possible passwords/passphrases out of available informations. Instead of just using the command ’strings’ to extract all the printable characters out of all type of files, we wanted to eliminate as much false-positives as possible. The goal was to exlude as much “unusable” data as possible to get an effective list of possible passwords/passphrases.

At the moment the following file types are supported:

plain
html
doc
ppt
mp3
pdf

There is more info here.

You can download Wyd here:

Wyd – Latest Version

PMD

Continuing with the series of tools I’ve been posting on source code auditing and application security, here is PMD a Java Source Code Scanner.

PMD scans Java source code and looks for potential problems like:

Possible bugs – empty try/catch/finally/switch statements
Dead code – unused local variables, parameters and private methods
Suboptimal code – wasteful String/StringBuffer usage
Overcomplicated expressions – unnecessary if statements, for loops that could be while loops
Duplicate code – copied/pasted code means copied/pasted bugs

PMD is integrated with JDeveloper, Eclipse, JEdit, JBuilder, BlueJ, CodeGuide, NetBeans/Sun Java Studio Enterprise/Creator, IntelliJ IDEA, TextPad, Maven, Ant, Gel, JCreator, and Emacs.

You can read more about PMD at the homepage here.

You can download everything from here:

Download PMD

BobCat SQL Injection Tool

BobCat is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It is based on a tool named “Data Thief” that was published as PoC by appsecinc. BobCat can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to.

The methods that BobCat incorprates are based on those discussed in the following papers:

advanced sql injection
more advanced sql injection
advanced sql injection
manipulating sql server usig sql injection

I suggest if you are interested in SQL injection at all, you read all of the above papers.

BobCat Requirements

Windows OS (Tested on XP SP2)
Access to MS SQL server/MSDE2000 (Tested on MSDE2000)
.Net Framework 2.0

ARPWatch-NG ARP Flooding/Spoofing Protection/Detection

If you are paranoid about people ARP spoofing or flooding on your network you can use ARPWatch-NG, ARPWatch-NG is a continue of the popular original ARPWatch from ftp://ftp.ee.lbl.gov/.

ARPWatch monitors MAC adresses on your network and writes them into a file, last know timestamp and change notification is included.

It can be used it to monitor for unknown (and as such, likely to be intruder’s) mac adresses or somebody messing around with your ARP/DNS tables.

There have been quite a few fixes lately, so it’s recommended of course to get the latest version!

arpwatch NG 1.5:

try to report error on startup better _ arp.dat _ ethercodes.dat [FIXED]

arpwatch NG 1.4:

try to report _all anomalities via the report function _not syslog [FIXED]

mode 2 _ make action list parseable [FIXED]

further static’fy local functions in arpwatch.c [FIXED]

ethercodes updated from nmap-4.11 and removed old ones [UPDATED]

arpwatch NG 1.2:

on make install also install man-pages [FIXED]

ethercodes updated from nmap-4.00 [UPDATED]

You can download the latest version of ARPWatch here.

LAPSE Sourcecode Analysis for JAVA J2EE Web Applications

LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.

LAPSE targets the following Web application vulnerabilities:

Parameter manipulation
SQL injections
Header manipulation
Cross-site scripting
Cookie poisoning
HTTP splitting
Command-line parameters
Path traversal

What should you do to avoid these vulnerabilities in your code? How do we protect Web applications from exploits? The proper way to deal with these types of attacks is by sanitizing the tainted input. Please refer to the OWASP guide to find out more about Web application security.

If you are interested in auditing a Java Web application, LAPSE helps you in the following ways:

Identify taint sources
Identify taint sinks
Find paths between sources and sinks

LAPSE is inspired by existing lightweight security auditing tools such as RATS, pscan, and FlawFinder. Unlike those tools, however, LAPSE addresses vulnerabilities in Web applications. LAPSE is not intended as a comprehensive solution for Web application security, but rather as an aid in the code review process. Those looking for more comprehensive tools are encouraged to look at some of the tools produced by Fortify or Secure Software.

Odysseus Proxy for MITM Attacks Testing Security of Web Applications

Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session’s data in either direction and give the user the ability to alter the data before transmission.

For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Odysseus will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server.

As data is transmitted between the two nodes, Odysseus decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

Features

Multi-threaded native Win32 executable – The use of native Window code, combined with extensive multi-threading, means that Odysseus is fast. Speed was a primary development objective.
No external dependencies – Everything needed to intercept web requests (apart from a browser configured to use Odysseus as a proxy is included in the distribution archive. No additional downloads or installations are required.
Flexible & configurable – A wealth of configuration options means Odysseus should be flexible enough to meet the needs of nearly any web based application assessment.
Low desktop profile – Odysseus doesn’t clutter your desktop with redundant windows. A simple System Tray icon is all that is needed to access it’s many features. The various components of Odysseus appear and disappear as configured, or instructed, by the user.

You can download Odysseus here.

Change log is here and FAQ here.

pwdump 1.4.2 and fgdump 1.3.4

New versions of the ultracool tools pwdump (1.4.2) and fgdump (1.3.4) have been released.

Both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.

If you don’t know..what are pwdump6 and fgdump?

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors’ solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump. Needless to say, we’re forgetful sometimes…

So fgdump started as simply a wrapper around things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as were a couple other variations of AV. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.

fgdump is targetted at the security auditing community, and is designed to be used for good, not evil. Note that, in order to effectively use fgdump, you’re going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

Get pwdump here

Get fgdump here

FindBugs

FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns. A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons:

Difficult language features
Misunderstood API methods
Misunderstood invariants when code is modified during maintenance
Garden variety mistakes: typos, use of the wrong boolean operator

FindBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns. Static analysis means that FindBugs can find bugs by simply inspecting a program’s code: executing the program is not necessary. This makes FindBugs very easy to use: in general, you should be able to use it to look for bugs in your code within a few minutes of downloading it. FindBugs works by analyzing Java bytecode (compiled class files), so you don’t even need the program’s source code to use it. Because its analysis is sometimes imprecise, FindBugs can report false warnings, which are warnings that do not indicate real errors. In practice, the rate of false warnings reported by FindBugs is less than 50%.

FindBugs requires JRE (or JDK) 1.4.0 or later to run. However, it can analyze programs compiled for any version of Java. The current version of FindBugs is 1.1.1, released on October 6, 2006.

More info & download here:

FindBugs

Inprotect 0.22.5

A new revision of Inprotect has just been released, 0.22.5 in order to fix bugs and implement feature requests submitted by the development team and users. Existing users are recommended to upgrade.

Inprotect is a web interface for Nessus and Nmap security scanners, released under GNU/GPL license. This version has the following enhancements:

Improved and fixed issues in the Search page.
Standardised fields displayed on the HTML and PDF reports.
Resolved issue where the Nessus risk rating is entered inconsistently by the plugin writers and risks were reported incorrectly in Inprotect.
Added username and Inprotect version at the top of the page.
Notes and Plugin Info pages now open as popups and Notes will refresh the report page if details are entered / changed.
Now cannot schedule a scan if a Nessus server is offline or none has been setup.
Inprotect’s Nmap NASL modifications have been signed and made available for download on the Nessus website.
Fixed numerous other bugs and feature requests (please see CHANGES for further details).

To download, please visit:

Inprotect 0.22.5

For installation instructions, please see the INSTALL file if you are making a fresh installation or the UPGRADE file if you are updating from a previous version. N.B. Documentation is also available on the SourceForge site.

Please report any bugs through the SourceForge Bug Tracker.

Echo Mirage

Echo Mirage is a generic network proxy. It uses DLL injection and function hooking to redirect network related function calls so that data transmitted and received by local applications can be observed and modified.

Echo Mirage tries to be smart with the OpenSSL calls by monitoring ssl_set_fd() and ssl_connect() to determine when SSL is in use on a particular socket. When SSL is in use the encrypted stream is ignored and only the unencrypted data is processed. This doesn’t work for the windows SSL stuff because that functions in an entirely different way…

Traffic can be intercepted in real-time, or manipulated with regular expressions and action scripts.

Changes Since 1.0

Hooked RecvFrom, SendTo, WSAConnect, WSASend, WSASendTo and WSARecvFrom.
Fixed intermittent crash on uninject.
Fixed intermittent crash in thread termination.

You can download Echo Mirage here:

http://www.bindshell.net/tools/echomirage/

arp-sk

arp-sk is basically an ARP Traffic Generation Tool. It’s quite old but still very useful!

There are 2 basics mode:
– who-has: build a request ARP message.
– reply: build a reply ARP message (default)

Other advanced modes should come very soon
– arping: send a who-has to every host on the LAN to see who is here
– promisc: detection of boxes that are sniffing on the network using promiscuous mode of their network interface
– arpmim: perform Man in the Middle attack

Link level options

-s: set the source address of the packet.
Default : MAC address of the interface used to send the packets.

-d: set the destination address of the packet
Default: broadcast

These 2 options have a strong influence on the ARP message itself.
Here are the default according to these options:

– request

# ./arp-sk -i eth1 -w
+ Running mode "who-has"
+ IfName: eth1
+ Source MAC: 52:54:05:f4:62:30
+ Source ARP MAC: 52:54:05:f4:62:30
+ Source ARP IP : 192.168.1.1 (batman)
+ Target MAC: ff:ff:ff:ff:ff:ff
+ Target ARP MAC: 00:00:00:00:00:00
+ Target ARP IP : 255.255.255.255 (255.255.255.255)

– reply

# ./arp-sk -i eth1 -r
+ Running mode "reply"
+ IfName: eth1
+ Source MAC: 52:54:05:f4:62:30
+ Source ARP MAC: 52:54:05:f4:62:30
+ Source ARP IP : 192.168.1.1 (batman)
+ Target MAC: ff:ff:ff:ff:ff:ff
+ Target ARP MAC: ff:ff:ff:ff:ff:ff
+ Target ARP IP : 255.255.255.255 (255.255.255.255)

The only difference comes from the destiantion mac address from ARP message, since it has to be 00:00:00:00:00:00. For the reply mode, consistency is preserved and the destination MAC address used for the link layer is copied in the ARP message.

You can download arp-sk here:

arp-sk-0.0.16.tgz

BeEF

BeEF is the browser exploitation framework. Its purposes in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting issues in real-time. The modular structure has focused on making module development a trivial process with the intelligence existing within BeEF.

The current version is 0.2.1 and is still a work in progress.

Modules Loaded

The ‘Load Modules’ area shows what modules are available. Clicking on them will load the module into the module console area. The modules are the parts of the application that provide code to be sent to the controlled browser. One of the main strengths of BeEF is the ease in with modules can be written. The require minimal effort to incorporate into the framework.

The module console area shows the modules input and configuration details. The following screenshot showthe input options for the Port Scanning Module.

Zombies

The ‘Zombies’ section of the sidebar displays basic details of the browser(s) under control of BeEF. All modules will execute within the zombies listed here.

Download

You can download BeEF here:

beef-v0.3.1.tgz (md5sum: 8e160e72c7b9f1c292b5894d6b8d672c)

SWAAT

Announcing a new web application source code analysis tool called the Securitycompass Web Application Analysis Tool or SWAAT.

You may know it as a static analysis tool.

Currently in its beta release, this .Net command-line tool searches through source code for potential vulnerabilities in the following languages:

Java and JSP
ASP.Net
PHP

Using xml-based signature files, it searches for common functions and expression which may lead to exploits. We believe that this tool will help you in your ongoing source code analysis efforts.

Please visit Security Compass to download SWAAT. Future releases of SWAAT would include plugins into popular IDEs such as Visual Studio .NET and Eclipse.

As the tool is still new, Security Compass appreciates any comments you have in functionality and desired features. Please send any feedback to swaat -at securitycompass.com.

The direct link to download SWAAT is HERE.

FIS v0.1

A useful tool for anyone working with PHP applications.

DESCRIPTION
————
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. Is scans PHP files mapping PHP/HTTP variables and then performs a security audit,in order to find out which of them are exploitable.

USAGE
——
php fis.php [local file] [remote file] [remote FIS ID file]

[local file]
————–
The local copy of the PHP source file used by FIS to map the variables for the audit.

[remote file]
————–
The remote copy of the source executed by a remote webserver, the file we will audit.

[remote FIS ID file]
———————-
The FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.

INTENDED AUDIENCE
——————
FIS is intended to be used by penetration testers, not script kidies nor malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at
the webserver logs, which makes it useless as a cracking tool.

FEATURES
———
FIS, currently, supports audits using only GET requests. COOKIE & POST support is not yet implemented.

LOGGING
———
FIS automatically logs extra audit information in “fis.log” in the working directory.

FIS Website

You can download FIS directly here.

LCP

LCP is freeware!

The main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. General features of this product:

Accounts information import:

import from local computer;
import from remote computer;
import from SAM file;
import from .LC file;
import from .LCS file;
import from PwDump file;
import from Sniff file;

Passwords recovery:

dictionary attack;
hybrid of dictionary and brute force attacks;
brute force attack;

Brute force session distribution:

sessions distribution;
sessions combining;

Hashes computing:

LM and NT hashes computing by password;
LM and NT response computing by password and server challenge.

You can download LCP here.

Brutus Password Cracker

A lot of people come to Darknet looking for Brutus AET2 (brutus-aet2.zip) to download, but unfortunately due to some stupid Homeland security bullshit I actually had to remove the file or risk having no hosting left..

If you don’t know, Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future.

Brutus was written originally to help me check routers etc. for default and common passwords.

Features

Brutus version AET2 is the current release and includes the following authentication types :

HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3
FTP
SMB
Telnet

Other types such as IMAP, NNTP, NetBus etc are freely downloadable from this site and simply imported into your copy of Brutus. You can create your own types or use other peoples.

The current release includes the following functionality :

Multi-stage authentication engine
60 simultaneous target connections
No username, single username and multiple username modes
Password list, combo (user/password) list and configurable brute force modes
Highly customisable authentication sequences
Load and resume position
Import and Export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability inc. resume after crash/failure.

You can download it here:

Brutus AET2

AttackAPI 0.5

AttackAPI provides simple and intuitive web programmable interface for composing attack vectors. The project was primary inspired by the JythonShell applet. At its very early stage AttackAPI was a single extensible web enabled python console with a few modules.

The 0.5 release of AttackAPI is purely JavaScript based. This is not a shift in the project ideologies but rather an extension. It all started with the JavaScript Port Scanner which was sort of proof of concept tool. The current release still implements the same Port Scanner but in much less code and with a lot more efficiency in mind. Among the port scanner there are a few other tools: HistoryDumper, NetworkSweeper, ExtensionScanner, to name a few.

A single module (194 lines of code) that contains the entire library set is available HERE.

Latest info is here:

AttackAPI

TCPReplay suite 3.0.beta10

Another good tool updated! TCPReplay suite 3.0.beta10 has been released.

For those that don’t know Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for *NIX operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS’s. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices.

Tcpreplay is used by numerous firewall, IDS, IPS and other networking vendors, enterprises, universities, labs and open source projects.

Beta10 contains a number of major enhancements as the code continues to stabilize for the 3.0 stable release. The big changes include removing Libnet as a requirement, tcpprep and tcprewrite no longer requiring root access and improved packet timings for tcpreplay. There are also a number of smaller enhancements and bug fixes.

Also a lot of time has been spent updating the online manual on the wiki which covers most if not all the features of tcpreplay, tcpprep and tcprewrite.

This should be the final beta release and it’s expected to have the first release candidate in a month or so. Please download and test!

You can download it here:

TCPReplay

The new Wikified manual is here.

Download: http://prdownloads.sourceforge.net/tcpreplay/tcpreplay-3.0.beta10.tar.gz?download

Wapiti

Wapiti allows you to audit the security of your web applications.

It performs “black-box” scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities :

File Handling Errors (Local and remote include/require, fopen, readfile…)
Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
XSS (Cross Site Scripting) Injection
LDAP Injection
Command Execution detection (eval(), system(), passtru()…)
CRLF Injection (HTTP Response Splitting, session fixation…)

Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities. Wapiti prints a warning everytime it founds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP/IIS). Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal.

Efficiency

Wapiti is developed in Python and use a Python library I made called lswww. This web spider library does the most of the work.
Unfortunately, the html parsers module within Python only works with well formated html pages so lswww fails to extract informations from bad-coded webpages.

You can read more here:

Wapiti

eEye Duster

Duster is the Dead/Uninitialized Stack Eraser, an injectable DLL that causes uninitialized stack and heap memory in its host process to be wiped over with a specific value. It is intended as a crude tool to assist in the run-time discovery of uninitialized memory usage problems by increasing the chances that the host process will raise an exception when a value in uninitialized memory is used. To use Duster, just inject it into the target process (using the DLLInject utility), or add it to AppInit_DLLs (possible but not recommended).

Duster is a quick and dirty implementation of its concept, and as such, it has a number of limitations:

Stack wiping is accomplished by overwriting all memory between the stack commit “ceiling” and ESP, whenever RtlAllocateHeap, RtlReAllocateHeap, or RtlFreeHeap is called, an exception occurs, or a system call is dispatched, which seriously limits the execution flow “granularity” with which stack wiping occurs. Additionally, system call dispatch hooking is accomplished by replacing specific “INT 2Eh” or “MOV EDX, 7FFE0300h” instructions, the first of which currently relies upon a two-byte privileged instruction which is handled specially by the exception handler hook, resulting in some overhead but mostly making it difficult to use a debugger in conjunction with Duster on Windows 2000.

Heap wiping, in addition to a limited amount of heap and argument validation, is performed whenever a heap block is allocated or freed. This is roughly a subset of the functionality provided by the Windows heap manager in debug mode, with the most significant deficiency on Duster’s part being that it does not wipe memory following a call to RtlReAllocateHeap.

You can download here:

Duster

SpikeSource Spike PHP Security Audit Tool

Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.

The tool Spike basically does static analysis of php code for security exploits, PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.

This tool is especially welcomed by Darknet as there aren’t many static analysis tools out there that are free, and there are very few tools for auditing PHP code..which as we all known tends to be coded quite insecurely at times (just look at phpBB and PhpNUKE).

You can find the latest version here:

Spike PHP Audit Tool

BASE 1.2.6

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

I used to LOVE ACID, and I have to say BASE has taken it one step further, it’s a superb project.

A number of bugs have been fixed including some that affected IE and the setup system for BASE. A couple of interface tweaks have also been done to make it more user friendly.

The developers are currently looking for more people willing to test the BASE releases as they work on them. If you are interested, feel free to contact base@secureideas.net

The BASE team have also started coding the 2.x code base. If you have any ideas or feedback regarding that rewrite, please forward them to the BASE developers list which is a public mailing list.

You can download the new version of BASE at:

http://sourceforge.net/projects/secureideas

Technitium v3.1

Technitium MAC Address Changer, which allows you to change Machine Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver.

It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has an MAC address hard coded in its circuit by its manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Networks (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address.

Technitium MAC Address Changer v3.1 is a must tool in every security professionals tool box.

Technitium MAC Address Changer v3.1 is coded in Visual Basic 6.0.

There are some famous commercial tools available in the market for as much as US$19.99, but Technitium MAC Address Changer is available for FREE. (We don’t charge for just changing an registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim!)

You can download the MAC Address Changer here:

MAC Changer v3.1

WebScarab

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.

In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

As WebScarab is a framework more than an actual tool it’s very extensible. Each feature above is implemented as a plugin, and can be removed or replaced. New features can be easily implemented as well.

There is a long list of current features.

The new version has a couple of bug fixes, a logo finally!

And a new memory utilisation widget that runs across the bottom (it does have some memory leaks).

Absinthe Blind SQL Injection Tool

Absinthe is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.

Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.

Features:

Automated SQL Injection
Supports MS SQL Server, MSDE, Oracle, Postgres
Cookies / Additional HTTP Headers
Query Termination
Additional text appended to queries
Supports Use of Proxies / Proxy Rotation
Multiple filters for page profiling
Custom Delimiters

More Information here:

Absinthe (Documentation)

Universal Hooker

The Universal Hooker is a tool to intercept execution of programs. It enables the
user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory.

Why is it ‘Universal’? There are different ways of hooking functions in a program, for example, it can be done by setting software breakpoints (int 3h), hardware breakpoints (cpu regs), or overwriting the prologue of a function to jump to a ’stub’, etc. All the methods mentioned above, specially the latter, usually require the programmer of the code creating the hook to have certain knowledge of the function it is intercepting. If the code is written in a programming language like C/C++, the code will normally need to be recompiled for every function one wants to intercept, etc.

The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called in run-time.

The Universal Hooker builds on the idea that the function handling the hook is the one with the knowledge about the parameters type of the function it is handling. The Universal Hooker only knows the number of parameters of the function, and obtains them from the stack (all DWORDS). The hook handler is the one that will interpret those DWORDS as the types received by the function.

The hook handlers are written in python, what eliminates the need for recompiling the handlers when a modification is required. And also, the hook handlers (executed by the server) are reloaded from disk every time a hook handler is called, this means that one can change the behavior of the hook handler without the need to recompile the code, or having to restart the application being analyzed.

What can you do with it?

Fuzz in runtime without implementing protocol, just modify the packets
Interactive fuzzing using an hex editor
Poor’s man http/https proxy
Many things, check out the documentation

You can download it here:

Universal Hooker (Documentation)

arp-scan

NTA-Monitor has released the arp-scan detection and fingerprinting tool under the open source (LGPL license) concept.

It has been tested under various Linux based operating systems and seems to work fine.

This will only compile on Linux systems. You will need a C compiler, the “make” utility and the appropriate system header files to compile arp-scan. It uses autoconf and automake, so compilation and installation is the normal ./configure; make; make install process.

You can download arp-scan here:

http://www.nta-monitor.com/tools/arp-scan/download/arp-scan-1.4.tar.gz

Please read the main pages arp-scan(1), arp-fingerprint(1) and get-oui(1) before using this tool.

sqlninja 0.1.0 alpha – MS-SQL Injection Tool

sqlninja is a little toy that has been coded during a couple of pen-tests done lately and it is aimed to exploit SQL Injection vulnerabilities on web applications that use Microsoft SQL Server as their back-end.

It borrows some ideas from similar tools like bobcat, but it is more targeted in providing a remote shell even with paranoid firewall settings.

It is written in perl and runs on UNIX-like boxes.

Here’s a list of what it does so far:

Upload of nc.exe (or any other executable) using the good ol’ debug script trick
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Being an alpha version and since it was originally supposed to be just a quick&dirty toy for a pentest, there are lots of bugs waiting to be found and fixed so go ahead and download it !

More tunneling options (e.g.: HTTP, SMTP, …) will be added in the future together.

You can read more and download sqlninja here:

http://sqlninja.sourceforge.net/

FireMaster 2.1

FireMaster version 2.1 has been released with its new features and new speed.

Firemaster is the Firefox master password recovery tool. If you have forgotten the master password, then using FireMaster you can find out the master password and get back your lost signon information. It uses various methods such as dictionary, hybrid and brute force techniques to recover the master password from the firefox key database file.

Since its initial release in Jan 1, 2006 its speed has increased exponentially and currently it is operating at a speed of 50,000 passwords/sec to 100,000 passwords/sec depending upon low end or high end machine.

How it Works?

There is no way to recover the master password as it is not stored at all. Firemaster uses the same technique which has been used by firefox to check if the master password is correct, but in more optimized way. The entire operation goes like this.

Firemaster generates passwords on the fly through various methods.
Then it computes the hash of the password using known algorithm.
Next this password hash is used to decrypt the known encrypted string for which plain text ( i.e. “password-check” ) is known.
Now if the decrypted string matches with known plain text ( i.e. “password-check” ) then the generated password is the master password.

Firefox stores the details about encrypted string, salt, algorithm and version information in key database file key3.db in the user’s profile directory. So you can just copy this key3.db to different directory and specify the corresponding path to Firemaster. You can also copy this key3.db to any other high end machine for faster recovery operation.

More details are available here:

FireMaster

Yersinia 0.7

Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

It’s a very useful for any network based penetration testing or vulnerability assessment. There isn’t many tools working on Layer 2 and this is ‘the’ one.

Attacks for the following network protocols are implemented (but of course you are free for implementing new ones):

Spanning Tree Protocol (STP).
Cisco Discovery Protocol (CDP).
Dynamic Trunking Protocol (DTP).
Dynamic Host Configuration Protocol (DHCP).
Hot Standby Router Protocol (HSRP).
802.1q.
Inter-Switch Link Protocol (ISL).
VLAN Trunking Protocol (VTP).

Details of the attacks here.

Yersinia version 0.7 with 802.1x support has just been release, in addition to this lots of bugfixes and a new GTK interface.

The entire core has been redeveloped to support easy addition of new protocols and attacks, and with the new GTK interface the tool is ready for the masses.

You can download it directly here:

Yersinia 0.7

SinFP v2.00 Released

New for 2.00:

complete rewrite
sinfp.db completely reworked
new tests based on comparison between probe and response (TCP seq/ack comparison, IP ID value comparison)
new matching algorithm, works like a search engine (a problem of finding intersection, by applying a deformation mask on keywords) much more efficient than in 1.xx branch
possibility to manually pass a matching mask to change at will the matching algorithm
passive fingerprinting much more acurate thanks to new matching algorithm
possibility to launch P1P2P3 probes, or only P1P2 probes, or only P2 probe
match IPv6 signatures against IPv4 ones
API changes, not compatible with 1.xx version anymore
DB schema changes, not compatible with 1.xx version anymore
many bugfixes

To read more you can check out the SinFP Homepage.

You can download SinFP directly here.

SQL Power Injector v1.1

SQL Power Injector is a graphical application created in .Net 1.1 that helps the penetrating tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal Mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

Features

Supported on Windows, Unix and Linux operating systems
SQL Server, Oracle, MySQL and Sybase/Adaptive Server compliant
SSL support
Load automatically the parameters from a form or a IFrame on a web
page (GET or POST)
Detect and browse the framesets
Option that auto detects the language of the web site
Find automatically the submit page(s) with its method (GET or POST)
displayed in a different color
Single SQL injection
Blind SQL injection
Comparison of true and false response of the page or results in
the cookie
Time delay
Response of the SQL injection in a customized browser
Fine tuning parameters injection
Can parameterize the size of the length and count of the expected
result to optimize the time taken by the application to execute the SQL
injection
Multithreading
Option to replace space by empty comments /**/ against IDS or filter
detection
Automatically encode special characters before sending them
Automatically detect predefined SQL errors in the response page
Automatically detect a predefined word or sentence in the response page
Real time result
Possibility to inject an authentication cookie
Can view the HTML code source of the returned page
Save and load sessions in a XML file

You can find out more here:

SQL Power Injector

Download the latest version now.

Oedipus

Oedipus is an open source web application security analysis and testing suite written in Ruby by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities.

Oedipus can be broken down into 4 main components:

1. Analyzer

Capable of parsing several different types of log files, such as Burp, Paros, etc, identifying potential security vulnerabilities using pattern matching – An Oedipus input file is also produced.

2. Scanner

Parsers the Oedipus or IEnterceptor file, feeding each request to a dynamically loaded predefined security plug-in on the fly.

3. Reporter

Using the results from the Analyzer and the Scanner, Oedipus produces several well formatted reports designed for the Penetration Tester. The Scanner report can be interactively used to verify the results of the potential vulnerabilities discovered.

4. Tools

Using the above identified security vulnerabilities, a number of tools are provided to analyze and potentially exploit the vulnerability.

You can read more at:

Oedipus or Download Oedipus Now

PBNJ 1.14

PBNJ is a network tool that can be used to give an overview of an machine or multiple machines by identifying the details about the services running on them. PBNJ is different from other tools because it is based on using a scan from nmap parsed to amap. PBNJ parses the data from a scan and outputs to a CSV format file for each ip address scanned.

However, PBNJ is able to handle additional scans and parse the data while only looking for changes. For example, if a machine was updated with a newer version of OpenSSH than was running when the first scan was performed, the CSV file would contain the difference of the scan. Very useful for vulnerability assessment and penetration testing.

It is included in Backtrack http://www.remote-exploit.org/index.php/BackTrack

Depending on what you need, PBNJ can do various things. It is able to give a layout of a class network. It can also be run as an automated scanning tool parsing the data to CSV format files and growing an in-depth view of a network over time.

CHANGLOG for 1.14
—————-
* fixed bug that crashed PBNJ after scanning a machine with no ports open
* fixed –nodiff banner bug
* Added –delim option to allow custom delimination
–delim [ default set to comma ]
* quick install script for ubuntu and linux systems
* Makefile.PL setup which will install pbnj properly

Version 2.0 will be released sometime in August.

You can find PBNJ Here.

Paros Proxy 3.2.12

Paros 3.2.12 is released. This version is a maintenance release which fix a potental 100% cpu consumption issue. All users are recommended to upgrade to this version.

The changes are:

- Use newest external library for HTTP handling.

- Enable/disable spider to POST forms in options panel to avoid generating unwanted traffic (default to enable). This is requested by many users.

- Decrease the number of possible combinations crawled by spider on forms with multiple SELECT/OPTIONS. This make crawling less resource consuming and lower chance to affect application being scanned.

- Minor UI changes.

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

Sprajax – An Open Source AJAX Security Scanner

Denim Group Ltd. announced today the public release of Sprajax, an open source web application security scanner developed to assess the security of AJAX-enabled web applications.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

You can download Sprajax here.

As AJAX becomes more popular with developers, the security of AJAX-enabled web applications will be a growing concern,” says Dan Cornell, Principal at Denim Group. â€œSprajax is a great tool for application security maintenance, and its availability as an open source application places it within reach for organizations of all sizes.

While expert security scans are more thorough and usually recommended, internal developers and security auditors can use this software to produce an initial vulnerability assessment. This can be invaluable, especially in the wake of government regulations regarding web application security. Organizations must take steps to protect sensitive data in public facing applications, and an assessment using a tool like Sprajax could be the first step

Sprajax homepage.

Source Code & Software Security Analysis with BogoSec

Bogosec is essentially a tool for finding security vulnerabilities in source code.

BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.

BogoSec is a source code metric tool that wraps multiple source code scanners, invokes them on its target code, and produces a final score that approximates the security quality of the code. This article discusses the BogoSec methodology and implementation, and illustrates the output of BogoSec when run on a number of test cases, including Apache Web server, OpenSSH, Sendmail, Perl, and others.

Bogosec seems to use:

* Flawfinder
* ITS4
* RATS

The CERT Coordination Center (CERT/CC) reported 5,990 vulnerabilities in 2005 compared with 171 in 1995. Many software security vulnerabilities occur because of poor programming practices. Some vulnerabilities are algorithmically detectable by static source code scanners designed for identifying potential security issues. As the number and severity of potential security holes per line of code increase, it is reasonable to believe that the overall quality of the source code in terms of security decreases. BogoSec metrics are computed values that attempt to reflect relative ratings of source code security quality for comparative purposes.

The motivation behind BogoSec is to influence developers to produce more secure source code over time. Various scanners exist that point developers to potentially insecure sections of code, but developers are often reluctant to use such scanners because of a seemingly high degree of false positive output as well as the difficulties associated with use. BogoSec attempts to reduce the penalty of false positives while broadening the scope of the source scan by using multiple independent scanners. This produces high-level metrics that allow developers and users alike to comparatively judge the quality of the source code in terms of security.

You can download the full 23 page article here (PDF Warning).

You can find the BogoSec project here.

OSSEC HIDS – Open Source Host-based Intrusion System

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall events and authentication systems have been improved, now detecting scans, worms and internal attacks.

The active-responses were also refined, with support to IPFW (FreeBSD) added.

The installation process was re-organized, now including simpler configuration options and
translation on 6 different languages (English, Portuguese, German, Turkish, Polish and Italian).

You can download the Unix and Windows versions here.

Read more Here.

The full changelog is here.

SinFP – Next Generation OS Detection Tool

OS Fingerprinting is an important part of any penetration test or hack as it allows you focus your efforts a lot more effeciently when point testing, rather than throwing everything at a machine like a script kiddy would. So let’s introduce a new option, other than p0f and xprobe2.

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.

Nmap approaches to fingerprinting as shown to be efficient for years. Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization, its approach to OS fingerprinting is becoming to be obsolete.

SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with
only 1 test giving the OS reliably in most cases).

Features list:

full OS fingerprinting suite, built as a Perl module
active fingerprinting
passive fingerprinting (with signature matching made against active ones)
works the same over IPv4 and IPv6 (yes, IPv6 fingerprinting)
online mode
offline mode (especially useful when you have a pcap file)
heuristic matching algorithm to avoid the need to write new signature for a target stack which has some TCP option deactivated, or changed window size

To read more you can check out the SinFP Homepage.

You can download SinFP directly here.

Medusa Password Cracker Version 1.1

Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net. It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. There is a Comparison between Medusa and THC-Hydra Here.

This release adds several new modules, additional OS support, and fixes numerous bugs. A somewhat detailed report is available here:

http://www.foofus.net/jmk/medusa/ChangeLog

You can download Medusa Here:

Medusa 1.1 Download

Author Note:

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms. If people wish to contribute patches to fix portability issues, I’d be happy to accept them. There are probably lots of bugs which have yet to surface. Please let me know if you encounter issues, fix a bug or just find the application useful.

More information on Medusa Here.

Paros Proxy 3.2.11

Paros 3.2.11 has been released. This version is a maintenance release with a useful feature requested by various users. All users are recommended to upgrade to this version.

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

3.2.11 Release Notes

Paros Proxy 3.2.10

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

Ophcrack 2.2 Password Cracker

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

Changes:

(feature) support of the new table set (alphanum + 33 special chars – WS-20k)
(feature) easier configuration for the table set (tables.cfg)
(feature) automatic definition of the number of tables to use at the same time (batch_tables) by queriying the system for the size of the memory
(feature) speed-up in tables reading
(feature) cleaning of the memory to make place for table readahead (linux version only)
(feature) improved installer for windows version
(fix) change of the default share for pwdump4 (ADMIN$)

Get it at http://sourceforge.net/projects/ophcrack

Sealing Wafter – Defend Against OS Fingerprinting for OpenBSD

One way to defend against OS fingerprinting from tools such as nmap, queso, p0f, xprobe etc is to change the metrics that they base their analysis on.

One way to do this with OpenBSD is to use Sealing Wafter.

Goals of Sealing Wafter:

To reduce OS detection based on well known fingerprints network stack behavior.
To have the ability to load custom rules into the stack.
To unload, modify, reload the kernel module with on the fly rules. (great feature at packet parties)
To learn how the magic of tcpip stacks work.

What Sealing Wafter currently provides:

Hide from Nmap Syn/Xmas/Null scans, as well as the specific fingerprinting packets.
Ability to see what your stack is receiving without the need to drop your network device into promisc mode.
Complete control over rules that you can load on the fly todeal with specific incoming packets.
Initial support for several OS passive detection has been added for SYNs.

Weaknesses in current Sealing Wafter:

Full connection scans. e.g. nmap -sT will still find open ports. this is because I have yet to find anything that seperates a real tcp connection vs an nmap full connection. (most likely isn’t one.)
Can be very verbose when under heavy load. I have run this on my heaviest web servers, and have not noticed any major overhead.

Download the c code for the LKM here: Sealing Wafter

kArp – Linux Kernel Level ARP Hijacking/Spoofing Utility

Introduction

kArp is a linux patch that allows one to implement ARP hijacking in the kernel, but control it easily via userland. You may configure, enable and disable kArp via ProcFS or the sysctl mechanism.

kArp is implemented almost on the device driver level. Any ethernet driver (including 802.11 drivers) is supported. The kArp code is lower than the actual ARP code in the network stack, and thus will respond to ARP requests faster than a normal machine running a normal network stack, even if the machine we’re spoofing has a CPU twice as fast as ours!

Functionality

ARP Hijacking - Enabling ARP spoofing allows a user to spoof an ARP response to a specific victim host. Due to the low level at which the code exists, our spoofed packet is guaranteed to arrive at the victim’s network stack prior to the response of the machine we’ve impersonated.
ARP Hijacking the Impersonated – Enabling this function via arp_send_to_spoofed allows us to spoof the victim’s information to the impersonated machine as well, helping to solidify the MiM attack. However, this functionality may kill the speed of our spoofed frame to the victim, so it isn’t enabled by default.
ARP Flooding – Enabling this function via arp_flood causes the kernel to send a flood of random source and destination MAC addresses via a broken ARP frame. On some switches this will fill its internal MAC table, or overflow it. Often, the result of this attack is forcing the switch to fall back to dumb hub mode, allowing us to sniff the wire without a MiM attack.

Warning

kArp was written to beat the race in responding to an ARP Request from a target (victim) machine. It is *not* meant as an tool to flood a victim with ARP information. This means that some operating systems (MacOSX) that ingest unsolicited ARP responses may still obtain the actual MAC address of the machine we’re impersonating. Linux, however, only accepts the fastest response. If you want to flood a machine with fake ARP responses, use a userland tool.

For now, the URL is:

http://aversion.net/~north/karp/

pwdump6 version 1.2 BETA

Version 1.2 (Beta) of the pwdump6 software has been released.

There are three major changes from the previous version:

Uses “random” named pipes (GUIDs) to allow concurrent copies of the client to run. This is predominately for the next version of fgdump, which will be multithreaded.
Will turn off password histories if the requisite APIs are not available (there are instances in which this is the case) – pwdump will no longer simply refuse to grab the hashes that it can.
Data is now encrypted over the named pipe using the Blowfish algorithm. More information on this is available on the website.

pwdump is a very useful tool for grabbing the password hashes directly from Windows (you do need Administrator access, so in some situations you need to escalate your priveleges first).

It is still useful though, as normally with Admin access on a Windows box you can’t get the SAM file as it’s locked by the OS, the only way normally is to boot using a Security LiveCD and save it to a USB drive or e-mail it to yourself.

You can grab the latest version of pwdump here.

Windows Rootkits

Windows Rootkits are a big rarity in this modern web hacking tehnology…
I won’t speak exactly about rootkits, because it’s impropriate to call them that way… why? Well rootkits are programs that aid you in getting access to root level users…

So in the case we are using Windows "rootkits" we should call them admkits (admin kits [©copyrighted to me of course])…. So let’s cut the **** and get down to serious business.

Note: the following admkits are from www.packetstormsecurity.org, there also could be others available on the net… not just the following 4

_ROOT_040

Windows NT Rootkit v0.04 alpha – Hides processes, files, directories, has k-mode shell using TCP/IP – you can telnet into rootkit from remote. Hides registry keys – (keyboard patch disabled in this build.) Includes execution redirection.

Fake Netstat

Fake Netstat is a windows copy of netstat which can hide certain network connections. Requires renaming the original netstat.

NT BindShell

Ntbindshell is a lightweight (24k compiled) cmd.exe backdoor for Windows. Full C source included. Provides two modes of operation – standard (listening mode) or reverse-connect mode. Includes the ability to install itself as a system service, providing a shell with LocalSystem privileges.

reverseTelnet

Reverse telnet redirector / port redirector and front end console for Windows. Perfect for firewall bypassing from inside out. Can be used for bouncing connections, piping or relaying data, or as a quick MIM chat server. Windows executable form only.

More information of course can be found in the readme files from the archive…

BackTrack

BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions namely Whax and Auditor.

Combining the best features from both distributions, and paying special attention to small details, this is probably the best version of either distributions to ever come out.

Based on SLAX (Slackware), BackTrack provides user modularity. This means the distribution can be easily customised by the user to include personal scripts, additional tools, customised kernels, etc.

A full list of the tools in BackTrack are available now.

You can download BackTrack now.

Nmap 4.01

Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.

Things that we consider userful in the extensive announcement are:

Added the ability for Nmap to send and properly route raw ethernet frames containing IP datagrams rather than always sending the packets via raw sockets. This is particularly useful for Windows, since Microsoft has disabled raw socket support in XP. Nmap tries to choose the best method at runtime based on platform, though you can override it with the new –send-eth and –send-ip options.
Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to determine whether hosts on a LAN are up, rather than relying on higher-level IP packets (which can only be sent after a successful ARP request and reply anyway). This is much faster and more reliable (not subject to IP-level firewalling) than IP-based probes. It is now used automatically for any hosts that are detected to be on a local ethernet network, unless –send-ip was specified.
Overhauled UDP scan. Ports that don’t respond are now classified as “open|filtered” (open or filtered) rather than “open”. The (somewhat rare) ports that actually respond with a UDP packet to the empty probe are considered open. If version detection is requested, it will be performed on open|filtered ports. Any that respond to any of the UDP probes will have their status changed to open. This avoids the false-positive problem where filtered UDP ports appear to be open, leading to terrified newbies thinking their machine is infected by back orifice.
Integrated tons of new OS detection fingerprints. The database grew more than 50% from 1,121 to 1,684 fingerprints. Notable additions include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along with a new “robotic pet” device type category), the latest Linux 2.6 kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10. Of course there are also tons of new broadband routers, printers, WAPs and pretty much any other device you can coax an ethernet cable (or wireless card) into!

There is also a completely new man page, you can view it online too.

Fyodor has also given an interview on the release on Nmap 4.

About Me

Categories

Blog Archive

Labels