PBNJ 1.14

PBNJ is a network tool that can be used to give an overview of an machine or multiple machines by identifying the details about the services running on them. PBNJ is different from other tools because it is based on using a scan from nmap parsed to amap. PBNJ parses the data from a scan and outputs to a CSV format file for each ip address scanned.

However, PBNJ is able to handle additional scans and parse the data while only looking for changes. For example, if a machine was updated with a newer version of OpenSSH than was running when the first scan was performed, the CSV file would contain the difference of the scan. Very useful for vulnerability assessment and penetration testing.

It is included in Backtrack http://www.remote-exploit.org/index.php/BackTrack

Depending on what you need, PBNJ can do various things. It is able to give a layout of a class network. It can also be run as an automated scanning tool parsing the data to CSV format files and growing an in-depth view of a network over time.

CHANGLOG for 1.14
—————-
* fixed bug that crashed PBNJ after scanning a machine with no ports open
* fixed –nodiff banner bug
* Added –delim option to allow custom delimination
–delim [ default set to comma ]
* quick install script for ubuntu and linux systems
* Makefile.PL setup which will install pbnj properly

Version 2.0 will be released sometime in August.

You can find PBNJ Here.

Paros Proxy 3.2.12

Paros 3.2.12 is released. This version is a maintenance release which fix a potental 100% cpu consumption issue. All users are recommended to upgrade to this version.

The changes are:

- Use newest external library for HTTP handling.

- Enable/disable spider to POST forms in options panel to avoid generating unwanted traffic (default to enable). This is requested by many users.

- Decrease the number of possible combinations crawled by spider on forms with multiple SELECT/OPTIONS. This make crawling less resource consuming and lower chance to affect application being scanned.

- Minor UI changes.

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

Sprajax – An Open Source AJAX Security Scanner

Denim Group Ltd. announced today the public release of Sprajax, an open source web application security scanner developed to assess the security of AJAX-enabled web applications.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

You can download Sprajax here.

As AJAX becomes more popular with developers, the security of AJAX-enabled web applications will be a growing concern,” says Dan Cornell, Principal at Denim Group. “Sprajax is a great tool for application security maintenance, and its availability as an open source application places it within reach for organizations of all sizes.

While expert security scans are more thorough and usually recommended, internal developers and security auditors can use this software to produce an initial vulnerability assessment. This can be invaluable, especially in the wake of government regulations regarding web application security. Organizations must take steps to protect sensitive data in public facing applications, and an assessment using a tool like Sprajax could be the first step

Sprajax homepage.

Source Code & Software Security Analysis with BogoSec

Bogosec is essentially a tool for finding security vulnerabilities in source code.

BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.

BogoSec is a source code metric tool that wraps multiple source code scanners, invokes them on its target code, and produces a final score that approximates the security quality of the code. This article discusses the BogoSec methodology and implementation, and illustrates the output of BogoSec when run on a number of test cases, including Apache Web server, OpenSSH, Sendmail, Perl, and others.

Bogosec seems to use:

* Flawfinder
* ITS4
* RATS

The CERT Coordination Center (CERT/CC) reported 5,990 vulnerabilities in 2005 compared with 171 in 1995. Many software security vulnerabilities occur because of poor programming practices. Some vulnerabilities are algorithmically detectable by static source code scanners designed for identifying potential security issues. As the number and severity of potential security holes per line of code increase, it is reasonable to believe that the overall quality of the source code in terms of security decreases. BogoSec metrics are computed values that attempt to reflect relative ratings of source code security quality for comparative purposes.

The motivation behind BogoSec is to influence developers to produce more secure source code over time. Various scanners exist that point developers to potentially insecure sections of code, but developers are often reluctant to use such scanners because of a seemingly high degree of false positive output as well as the difficulties associated with use. BogoSec attempts to reduce the penalty of false positives while broadening the scope of the source scan by using multiple independent scanners. This produces high-level metrics that allow developers and users alike to comparatively judge the quality of the source code in terms of security.

You can download the full 23 page article here (PDF Warning).

You can find the BogoSec project here.

OSSEC HIDS – Open Source Host-based Intrusion System

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall events and authentication systems have been improved, now detecting scans, worms and internal attacks.

The active-responses were also refined, with support to IPFW (FreeBSD) added.

The installation process was re-organized, now including simpler configuration options and
translation on 6 different languages (English, Portuguese, German, Turkish, Polish and Italian).

You can download the Unix and Windows versions here.

Read more Here.

The full changelog is here.

SinFP – Next Generation OS Detection Tool

OS Fingerprinting is an important part of any penetration test or hack as it allows you focus your efforts a lot more effeciently when point testing, rather than throwing everything at a machine like a script kiddy would. So let’s introduce a new option, other than p0f and xprobe2.

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.

Nmap approaches to fingerprinting as shown to be efficient for years. Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization, its approach to OS fingerprinting is becoming to be obsolete.

SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with
only 1 test giving the OS reliably in most cases).

Features list:

• full OS fingerprinting suite, built as a Perl module
• active fingerprinting
• passive fingerprinting (with signature matching made against active ones)
• works the same over IPv4 and IPv6 (yes, IPv6 fingerprinting)
• online mode
• offline mode (especially useful when you have a pcap file)
• heuristic matching algorithm to avoid the need to write new signature for a target stack which has some TCP option deactivated, or changed window size
  

To read more you can check out the SinFP Homepage.

You can download SinFP directly here.

Medusa Password Cracker Version 1.1

Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net. It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. There is a Comparison between Medusa and THC-Hydra Here.

This release adds several new modules, additional OS support, and fixes numerous bugs. A somewhat detailed report is available here:

http://www.foofus.net/jmk/medusa/ChangeLog

You can download Medusa Here:

Medusa 1.1 Download

Author Note:

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms. If people wish to contribute patches to fix portability issues, I’d be happy to accept them. There are probably lots of bugs which have yet to surface. Please let me know if you encounter issues, fix a bug or just find the application useful.

More information on Medusa Here.