Nikto 2 – Web Server Scanning Tool

Another one that has been a long time coming, but finally here it is! Nikto 2.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. Some items are “info only” checks that look for things which may not be a security flaw, but which the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items that have been seen being scanned for in log files.

Version 2 adds a ton of enhancements, including:

  • Fingerprinting web servers via favicon.ico files
  • 404 error checking for each file type
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Uses LibWhisker 2, which has its own long list of enhancements
  • A “single” scan mode that allows you to craft an HTTP request manually
  • Basic template engine so that HTML reports can be easily customized
  • An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
  • Optimizations, bug fixes and more…
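The 404 checking per file type and the content-hashing false-positive reduction listed above are easiest to understand in code. The following is an added example written for this page, not Nikto’s own Perl: fake_server is a constructed stand-in for a target that answers 200 with a branded “not found” page (a soft 404) for everything, so a status-code check alone would report every probe as a hit. The path and digit blanking in fingerprint is my own normalisation, an assumption rather than a description of what Nikto does internally.

```python
import hashlib
import os
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, bytes]          # (HTTP status, body)
Fetcher = Callable[[str], Response]   # fetcher(path) -> Response


def fake_server(path: str) -> Response:
    """Constructed stand-in for a target web server (no network involved).

    Everything gets a 200: unknown paths receive a branded "not found" page
    that echoes the requested path, the classic soft-404 that floods a scanner
    with false positives if it only looks at status codes.
    """
    real_files = {
        "/admin/": b"<html><title>Admin console</title><form>...</form></html>",
        "/backup.zip": b"PK\x03\x04 constructed zip header",
    }
    if path in real_files:
        return 200, real_files[path]
    body = (b"<html><body><h1>Oops, page not found</h1>"
            b"<p>Nothing at " + path.encode() + b"</p></body></html>")
    return 200, body


def fingerprint(path: str, body: bytes) -> str:
    """Hash the body with the requested path and any digits blanked out, so two
    soft-404 pages produced for different filenames hash to the same value."""
    normalised = body.replace(path.encode(), b"")
    normalised = re.sub(rb"\d+", b"", normalised)
    return hashlib.sha256(normalised).hexdigest()


def learn_404_baselines(fetch: Fetcher, exts=("", ".php", ".zip", ".cgi")) -> Dict[str, Tuple[int, str]]:
    """Per file type, request a random name that cannot exist and record how the
    server answers (status plus normalised content hash)."""
    baselines = {}
    for ext in exts:
        probe = "/" + os.urandom(6).hex() + ext
        status, body = fetch(probe)
        baselines[ext] = (status, fingerprint(probe, body))
    return baselines


def is_real_hit(fetch: Fetcher, path: str, baselines: Dict[str, Tuple[int, str]]) -> bool:
    """A probe is a finding only if it does not look like the learned 404 for its type."""
    status, body = fetch(path)
    if status == 404:
        return False
    ext = os.path.splitext(path)[1]
    base_status, base_fp = baselines.get(ext, baselines[""])
    return not (status == base_status and fingerprint(path, body) == base_fp)
```

Against the constructed server, /cmd.cgi and /phpmyadmin/ return 200 but match the learned baseline and are dropped, while /admin/ and /backup.zip differ from it and are reported.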

You can download Nikto 2 here:

nikto-current.tar.gz

Or read more here.

Inguma 0.0.6

Quite a few people seem to be interested in this tool, so here is the latest revision – Inguma 0.0.6.

For those that don’t know, Inguma is a free penetration testing and vulnerability discovery toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute-force usernames and passwords, run exploits, and a disassembler.


This new version adds various things, such as new modules and improvements to the existing ones, for example the Oracle modules. The Oracle payloads now use the Cursor Injection method when possible, so the CREATE PROCEDURE system privilege is not needed to become DBA.

Support for InlineEgg, added in version 0.0.5.1, has been removed and a completely free library (PyShellCodeLib) has been added instead.

The static analysis framework OpenDis has been enhanced, and you can now use the API exposed by OpenDis to write your own binary static analysis tools. As an example of the API, a tool to make binary diffs has been added. Take a look at the file $INGUMA_DIR/dis/asmdiff.py and at the README stored in the same directory.

Five new exploits for Oracle Databases have been added, and the module “sidguess” has been enhanced to retrieve the SID of the database instance from the Enterprise Manager/Database Control banner when possible.

The new modules added to the discover, gather and brute sections are the following:

  • brutehttp: A brute forcer for HTTP servers.
  • extip: A tool to find out your external IP address. Very useful to check anonymous proxies.
  • nmbstat: A tool to gather NetBIOS information.
  • ipscan: A tool to perform IP protocol scans. It checks which IP protocols are enabled on the target.
  • arppoison: A tool to poison a target’s ARP cache.

You can download Inguma 0.0.6 here:

Inguma 0.0.6

Or read more here.

Nmap Port Scanner 4.50

If for some odd reason you don’t already know what Nmap is, it is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

The changelog shows 320 changes since 4.00 with a lot of great stuff in this release! It has a brand new GUI and results viewer (Zenmap), a scripting engine allowing you to write your own scripts for high-performance network discovery (or use one of the 40 scripts shipped with it), the 2nd generation OS detection system (now with more than a thousand fingerprints), nearly 1,500 more version detection signatures, and a lot more!

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.


More on Zenmap here:

Zenmap – the Nmap GUI

You can download the new Nmap here:

Nmap 4.50

Or read more here.

MSF eXploit Builder – Free Win32 Exploit Development Platform

The MSF-XB package also includes for your convenience:

Fuzzers

  • TAOF, The Art Of Fuzzing v0.3.2
  • ProxyFuzz v0.1, Rodrigo Marcos
  • FileFuzz v1.0.2510.28439, iDefense
  • FTPfuzz v1.0, Infigo
  • WinFuzz v1.0.0.1, Fakehalo

Handy Tools

  • Findjmp2, Class101
  • branchseeker
  • Faultmon
  • mycrc
  • Sysinternals (Microsoft) PStools
  • wget.exe, GNU
  • xCmd (remotexec clone)
  • nc.exe
  • A local database of opcodes/return addresses (Cross-platforms, 10 locales, fast and reverse queries)
  • An ASCII table
  • A lot of converters (Ascii, Hex, Byte, Unicode …)
  • Malcode Analyst Pack v0.2
  • Process Stalker, iDefense

REQUIREMENTS

  • Please edit and customize the MSF-XB.INI file
  • MSF-XB requires the Metasploit Framework installed to work properly (http://www.metasploit.com ): Version 3 is recommended
  • MSF-XB requires a debugger to be installed (Immunity Debugger)

You can download MSF eXploit Builder here:

MSF-XB.EXE (84Mb)

MD5 41e83b8cb8d60d689bff191eb7842fc1
SHA1 1cb0e457c9fa59da8f147a96afb9c1a056a4e655

Or read more here.

fwtest – Firewall Testing Toolkit

The firewall test suite fwtest is a security auditing tool made up of two parts: the test control application fwtest and, optionally, one or two helper processes named fwagent. The test control application fwtest starts the Python interpreter with the given test script. The test script controls the packet data flow between two virtual interfaces A and B.

For this purpose the Python interpreter is extended with commands which support the construction and transfer of arbitrary IP packets. In this way it is possible to stimulate a firewall (or other relaying network nodes) connected between interfaces A and B.

According to the interface spec, the virtual interfaces A and B are mapped onto given physical interfaces on the host fwtest is running on, or onto an interface on a remote host that runs the fwagent application. For remote access, fwtest establishes a TLS-protected control connection to the fwagent on the specified host. You may use a CA structure or a fingerprint file to authenticate the peer. The shell script keymager.sh is distributed with this software to help you generate the necessary keys for both variants (CA structure and fingerprint).

In both variants (one or two fwagents) the interfaces need to be controlled by fwtest and fwagent at the link level. This is achieved by using the Berkeley packet filter library pcap for reading packets and the Network Library libnet for writing them.

You can download fwtest source code here:

fwtest-0.5.2.tgz

Or read more here.

SSA Version 1.5.2

SSA (Security System Analyzer) is free, non-intrusive, OVAL-compatible software. It provides security testers and auditors with an advanced overview of the security policy level applied.

Features :

  • OVAL-compatible product
  • SCAP (Security Content Automation Protocol)
  • Perform a deep inventory audit of installed software and applications
  • Scan and map vulnerabilities using non-intrusive techniques based on schemas
  • Detect and identify missing patches and hotfixes
  • Define a patch management deployment strategy using CVSS scores

Changelog for v.1.5.2

  • Based on OVAL 5.3 build 20 (see OVAL project for more information)
  • SSA now supports SCAP (Security Content Automation Protocol – http://nvd.nist.gov/scap.cfm)
  • SSA now supports scanning for missing patches (using the SCAP format)
  • Updated OVAL XML Viewer Plugin
  • Updated database to 2039 definitions

Download it here:

SSA Version 1.5.2

Or read more here.

sqlninja 0.2.1-r1 – SQL Injection Tool for MS-SQL

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ’sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New

  • A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
  • Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ’sa’ account can succeed or not
  • Documentation is now in HTML format, which should make things much easier for new users
  • Several bugfixes and minor improvements

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.

Medusa 1.4

Version 1.4 of Medusa is now available for public download!

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.

The Key Features are as follows:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NCP (NetWare)
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • rexec
  • rlogin
  • rsh
  • SMB
  • SMTP (AUTH/VRFY)
  • SNMP
  • SSHv2
  • SVN
  • Telnet
  • VmAuthd
  • VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see here.

It’s been over a year since version 1.3 was released and there has been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. A somewhat detailed report is available here

You can download Medusa 1.4 here:

medusa-1.4.tar.gz

Or read more here.

Inguma 0.0.5 – Penetration Testing Toolkit

Inguma is a free penetration testing and vulnerability discovery toolkit entirely written in python. Framework includes modules to discover hosts, gather information about, fuzz targets, brute force usernames and passwords, exploits, and a disassembler.

With new QT interface:


If you haven’t used it for a while there’s a WHOLE lot of new stuff, it was pretty basic when we first mentioned it but it’s fairly comprehensive now with the addition of a disassembler, a fuzzer, a bunch of libraries, exploits and brute-forcers.

Most of the bugs have been fixed so it’s pretty stable.

You can download Inguma 0.0.5 here:

inguma-0.0.5.1.tar.gz

Or read more here.

Pass-The-Hash Toolkit v1.1

The concept of passing the hash on Windows came about a while ago; now there’s a tool for it, in its second revision (which fixes some problems with foreign-language Windows versions and Windows 2003).

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Utilities in the toolkit:

IAM.EXE: Pass-The-Hash for Windows. This tool allows you to change your current NTLM credentials without having the cleartext password, only the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using these it will change in memory the NTLM credentials associated with the current Windows logon session.

WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials (username, domain name, LM and NT hashes). Logon sessions are created by Windows services that log in using specific users, remote desktop connections, etc.

GENHASH.EXE: This is a small utility that generates LM and NT hashes using some ‘undocumented’ functions of the Windows API. It is a small tool to aid testing of IAM.EXE.

You can download Pass-The-Hash Toolkit v1.1 here:

Source:

pshtoolkit_src_v1.1.tgz

Binaries:

pshtoolkit_v1.1.tgz

Or you can read more here.

HttpBee – Web Application Hacking Toolkit

HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embeds a scripting engine and has both a command-line and a daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework).

This is a tool for more advanced users and there isn’t much documentation so if anyone feels like writing a more comprehensive guide or tutorial, please do so!

Installing

You will need lua 5.1.x. Grab it at http://www.lua.org/ftp/

You will also need pcre library.

There’s no ./configure script in HttpBee at the moment, so you will need to edit the Makefile directly before you build it. Look at the CXXFLAGS and CFLAGS sections: -DOS_X (or -DLINUX, or -DWINDOWS) is basically the setting for your platform; also adjust the paths.

Using

The folder ‘modules’ contains Lua plugins that HttpBee uses to perform its assessment tasks. You can run HttpBee as ./httpbee -s path/to/modules/script.lua -t 255 -h localhost (the number of parallel threads you specify affects performance).

Scripting

The way HttpBee’s scripting engine is implemented follows from HttpBee’s architecture. HttpBee maintains a pool of threads that it uses for parallel task execution, so execution of HttpBee scripts is not linear. Instead, certain functions are executed at certain steps of the scanning process. The global part of the script is executed when the script is initially “scanned”, so HttpBee can pick up tags, description and other data from your script. The init function is executed only when your script is picked up and scheduled for execution (based on tag selection, for example).

You can download HttpBee here:

httpbee-1.0rc1.tgz

Or read more here.


Official release of SQL Power Injector 1.2

SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetration tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

The emphasis for this release is maturity, stability and reliability with secondary goals of usability, documentation and innovation.

There’s also a nifty Firefox Extension now.

One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%.

Added to this it’s now possible to define a range list that will replace a variable (<<@>>) inside a blind SQL injection string and automatically play them for you. That means you can get all the database names from the sysdatabases table in MS SQL without having to input the dbid each time for example.

Another great time saver is the new Firefox plugin that launches SQL Power Injector with all the information of the current web page, including its session context. No more time wasted copying and pasting the session cookies after you log in… You can do the easy SQL tests in your browser and use the plugin once you want to search more thoroughly.

To make your life easier there is now a new feature that will search the diff between a positive condition (1=1) response with a negative condition (1=2) and display the list for you.

Last major addition is the extensive databases Help file (chm) that contains most of the information you need when you SQL inject. It covers the 5 DBMS supported by SQL Power Injector. You can find in it the system tables and views with their columns, environment variables, the useful functions and stored procedures. All this with some notes to how to use them and why it’s useful for SQL injection.

You can download the latest version here:

SQL Power Injector 1.2

Or read more here.

aircrack-ng – WEP and WPA-PSK Key Cracking Program

aircrack is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, making the attack much faster compared to other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.

Aircrack-ng is the next generation of aircrack with lots of new features:

  • Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
  • More cards/drivers supported
  • New WEP attack: PTW
  • More OS and platforms supported
  • Fragmentation attack
  • Improved cracking speed
  • WEP dictionary attack
  • Capture with multiple cards
  • New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng and airserv-ng
  • Optimizations, other improvements and bug fixing

Download the latest version of aircrack-ng here:

Linux – aircrack-ng-0.9.1.tar.gz

Windows – aircrack-ng-0.9.1-win.zip

Or you can read more here.

aircrack-ptw – Fast WEP Cracking Tool for Wireless Hacking

WEP is a protocol for securing wireless LANs. WEP stands for “Wired Equivalent Privacy”, meaning it should provide the level of protection a wired LAN has. WEP uses the RC4 stream cipher to encrypt data transmitted over the air, usually with a single secret key (called the root key or WEP key) of 40 or 104 bits.

A history of WEP and RC4

WEP was already known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin and Adi Shamir published an analysis of the RC4 stream cipher. Some time later it was shown that this attack can be applied to WEP and the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK improved the attack: the complexity of recovering a 104-bit secret key was reduced to 500,000 to 2,000,000 captured packets.

In 2005 Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin and Shamir, which can additionally be used to break WEP in WEP-like usage modes.

The aircrack-ptw attack

The aircrack team were able to extend Klein’s attack and optimize it for use against WEP. Using this version, it is possible to recover a 104-bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets the success probability is about 80%, and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40-bit keys too, with an even higher success probability.
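The structural weakness all of these attacks build on is visible in a few lines: the per-packet RC4 key is the 24-bit IV prepended to the root key, the IV travels in clear, and the keystream is XORed over the payload and its CRC-32 ICV. Two frames that share an IV share a keystream, and a frame whose plaintext is known (the LLC/SNAP header every IP frame starts with, or an ARP request you re-injected yourself) gives up the keystream for that IV outright. The block below is an added example for this page, not aircrack-ng or aircrack-ptw code; it implements plain RC4 and the WEP framing (key-index byte left out) and the root key, IV and payloads in the usage note are constructed values. It does not implement the FMS, KoreK or PTW key-recovery statistics themselves.

```python
import struct
import zlib

IV_SPACE = 2 ** 24   # a 24-bit IV: 16,777,216 values before a busy AP must repeat one


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then the generator (PRGA), returning
    `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP framing: per-packet key = IV || root key (40 or 104 bit), keystream
    XORed over payload || CRC-32 ICV. Returns iv || ciphertext as sent on the air."""
    assert len(iv) == 3 and len(root_key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    plaintext = payload + icv
    return iv + xor(plaintext, rc4(iv + root_key, len(plaintext)))


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not match."""
    iv, ct = frame[:3], frame[3:]
    pt = xor(ct, rc4(iv + root_key, len(ct)))
    payload, icv = pt[:-4], pt[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(payload) & 0xFFFFFFFF:
        raise ValueError("ICV mismatch")
    return payload


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so c1 XOR c2 = p1 XOR p2.
    The root key never enters into it."""
    assert frame1[:3] == frame2[:3], "different IVs, no reuse"
    return xor(frame1[3:], frame2[3:])


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext at the start of a frame yields the keystream for its IV,
    which is what packetforge-ng needs to forge frames under that IV."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)
```

With the constructed key 0102030405 and IV 000001, encrypting two frames that both begin with the IP LLC/SNAP header aa aa 03 00 00 00 08 00 and XORing the ciphertexts returns the XOR of the two plaintexts, and XORing the first frame with that 8-byte header returns the first 8 keystream bytes of rc4(iv + key). The standard RC4 vector (key "Key", plaintext "Plaintext") checks the cipher itself.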

Countermeasures

We believe that WEP should not be used anymore in sensitive environments. Most wireless equipment vendors provide support for TKIP (also known as WPA1) and CCMP (also known as WPA2), which provide a much higher security level. All users should switch to WPA1 or, even better, WPA2.

You can download aircrack-ptw here:

aircrack-ptw-1.0.0.tar.gz

Or read more here.

Find an aircrack-ptw How To here.

FLARE – Flash Decompiler to Extract ActionScript

Flare processes an SWF file and extracts all scripts from it. The output is written to a single text file. Only ActionScript is extracted, no text or images. Flare is freeware. Windows, Mac OS X and Linux versions are available.

The main purpose of a decompiler is to help you recover your own lost source code. However, there are other uses, like finding out how a component works or trying to understand a poorly documented interface. Depending on where you live, some of them may be forbidden by law. It’s your responsibility to make sure you don’t break the law using Flare.

If you develop Flash applications for a living, you probably know that your code is not secure in an SWF. It’s not the existence of a decompiler that makes your code insecure though, it’s the design of the SWF format. Although no ActionScript source is stored there, most of it can be recovered from the bytecode.

Most recent Flare version is 0.6.

Windows Explorer Shell Extension

Download flare06setup.exe. After installation, right-click on any SWF file in Windows Explorer and choose Decompile from the context menu. Flare will decompile somename.swf and store the decompiled code in somename.flr in the same folder. somename.flr is a simple text file; you can open it with your favorite text editor. If Flare encounters problems during decompilation it will display some warnings. If everything goes well it will quit silently. That’s all, Flare has no other GUI. To uninstall, run Start>Programs>Flare>Uninstall.

Mac OS X Droplet

Get flare06.dmg. After mounting the disk image, drop an SWF file onto the Flare icon in Finder. The decompiled ActionScript will be stored in the SWF’s folder with the FLR extension. Open it with your text editor. You can decompile multiple SWF files at once. The droplet is compiled on OS X 10.3. It should work on 10.2 and 10.4. There is no Flare for OS 9.

Command Line Versions

DOS/Windows binary: flare06doswin.zip
Mac OS X binary: flare06mac.tgz
Linux x86 binary: flare06linux.tgz
Linux x86 64-bit binary: flare06linux64.tgz
Solaris x86 binary: flare06solaris.tgz

There is no installation procedure for command line versions. Just create a folder named flare somewhere and unpack the archive there. To uninstall, delete the folder and you’re done.

Or read more here.

PIRANA – Exploitation Framework for Email Content Filters

PIRANA is an exploitation framework that tests the security of an email content filter. By means of a vulnerability database, the content filter under test is bombarded with various emails containing a malicious payload intended to compromise the computing platform.

PIRANA’s goal is to test whether or not any vulnerability exists on the content filtering platform.

This tool uses the excellent shellcode generator from the Metasploit framework!

You can download PIRANA here:

pirana-0.3.3.tar.gz

Or read more here.

There is also an accompanying paper that explains the vulnerabilities of an SMTP content filter. It also presents the techniques used in PIRANA to improve reliability and stealthiness.

You can download the paper here:

SMTP content filters.pdf

Pixy – New & Free Open-source XSS and SQL Injection Scanner for PHP Programs

Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications, and are reported continuously on pages such as BugTraq. In the past, finding such vulnerabilities usually involved manual source code audits.

Unfortunately, this manual vulnerability search is a very tiresome and error-prone task.

Pixy is a Java program that performs automatic scans of PHP source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

Features

  • detection of SQL injection and XSS vulnerabilities in PHP source code
  • automatic resolution of file inclusions
  • computation of dependence graphs that help you understand the causes of reported vulnerabilities
  • static analysis engine (flow-sensitive, interprocedural, context-sensitive)
  • platform-independent (written in Java)

You can download directly here:

Download Pixy 3.0.

Or read more here:

http://pixybox.seclab.tuwien.ac.at/

w3af – Web Application Attack and Audit Framework

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

  • SQL injection detection
  • XSS detection
  • SSI detection
  • Local file include detection
  • Remote file include detection
  • Buffer Overflow detection
  • Format String bugs detection
  • OS Commanding detection
  • Response Splitting detection
  • LDAP Injection detection
  • Basic Authentication bruteforce
  • File upload inside webroot
  • htaccess LIMIT misconfiguration
  • SSL certificate validation
  • XPATH injection detection
  • unSSL (HTTPS documents can be fetched using HTTP)

Discovery

  • Pykto, a nikto port to python
  • Hmap, http fingerprinting.
  • fingerGoogle, finds valid user accounts in google.
  • googleSpider, a spider that uses google.
  • webSpider, a classic web spider.
  • robotsReader
  • urlFuzzer
  • serverHeader, fetches server header
  • allowedMethods, gets a list of allowed HTTP methods.
  • crossDomain, get and parse the flash file crossdomain.xml
  • error404page, generate a regular expression to match 404 pages.
  • sitemapReader, read Google’s sitemap.xml and parse it.
  • spiderMan, using a localproxy and a human, find new URLs for auditing.
  • webDiff, find differences between a local and a remote directory.
  • wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.

rtpBreak – RTP Analysis & Hacking Tool

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them), which aren’t always transmitted by recent VoIP clients.

RTP sessions are composed of an ordered sequence of RTP packets. Those packets transport the real-time data using the UDP transport protocol.

RTP packets must respect some well-defined rules in order to be considered valid. This characteristic makes it possible to define a pattern on the single packet that is used to separate the captured network traffic into packets that can be RTP and those that certainly are not.
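What such a single-packet pattern looks like, and why it is only a first filter, is shown by the following added example for this page (my code, not rtpBreak’s, and not a description of its exact heuristics). parse_rtp reads the fixed 12-byte header from RFC 1889/3550, looks_like_rtp rejects what cannot be RTP (wrong version, or a payload type in the 72 to 76 range where the second byte of RTCP packet types 200 to 204 lands), and StreamTracker confirms a flow once several packets share an SSRC and payload type with consecutive sequence numbers and non-decreasing timestamps. build_rtp and the packets in the usage note are constructed sample traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    cc: int
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int


def parse_rtp(data: bytes) -> Optional[RtpHeader]:
    """Parse the fixed 12-byte RTP header. None means the datagram cannot be RTP."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                      # version must be 2
        return None
    cc = b0 & 0x0F
    if len(data) < 12 + 4 * cc:           # CSRC list must fit
        return None
    return RtpHeader(2, bool(b0 & 0x20), bool(b0 & 0x10), cc,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)


def looks_like_rtp(data: bytes) -> bool:
    """Single-packet filter: version 2 and a payload type outside 72..76, which
    is where RTCP packet types 200..204 appear once the marker bit is masked off."""
    h = parse_rtp(data)
    return h is not None and not (72 <= h.payload_type <= 76)


class StreamTracker:
    """Confirm a candidate flow across packets: same SSRC and payload type,
    sequence numbers increasing by one modulo 2^16, timestamp not going
    backwards. This is what separates real RTP from random UDP whose first
    byte happens to have the top two bits set to 10."""

    def __init__(self, min_packets: int = 3):
        self.min_packets = min_packets
        self.flows: Dict[Tuple[str, str, int], List[int]] = {}   # key -> [count, last_seq, last_ts, pt]

    def feed(self, src: str, dst: str, data: bytes) -> bool:
        """Returns True once the flow (src, dst, ssrc) has been confirmed."""
        if not looks_like_rtp(data):
            return False
        h = parse_rtp(data)
        key = (src, dst, h.ssrc)
        st = self.flows.get(key)
        if st is None:
            self.flows[key] = [1, h.seq, h.timestamp, h.payload_type]
            return False
        count, last_seq, last_ts, pt = st
        backwards = (h.timestamp - last_ts) & 0xFFFFFFFF >= 0x80000000
        if h.payload_type != pt or (h.seq - last_seq) & 0xFFFF != 1 or backwards:
            self.flows[key] = [1, h.seq, h.timestamp, h.payload_type]   # restart the count
            return False
        st[0], st[1], st[2] = count + 1, h.seq, h.timestamp
        return st[0] >= self.min_packets


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes = b"", marker: bool = False) -> bytes:
    """Constructed RTP packet builder, used only to produce sample traffic."""
    b0 = 0x80                               # version 2, no padding, no extension, cc 0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload
```

Three constructed G.711 packets (payload type 0, 160 samples apart, seq 100 to 102, one SSRC) pass the single-packet filter and confirm the flow on the third; a DNS query (first byte 0x12, version 0) and an RTCP sender report (0x80 0xc8) are rejected, and a packet with a sequence gap restarts the count.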

You can download rtpBreak here:

rtpbreak-1.0.tgz

Or read more here; the English documentation is here.

mssql-hax0r v0.9 – Multi-purpose MS-SQL injection script

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute (Brute Force).

You may need to tweak the code a bit to make it fit your needs (e.g. modifying the injection string and/or the language used by the RDBMS).

TODO (v1.0):

  • fix italian language support (test platform needed)
  • info mode: add logins target (master..sysxlogins) [name,dbname,password]
  • brute mode: automatic login grabbing feature?
  • info mode: add sys target (xtype=’S')?
  • info mode: implement better types/keys dumping
  • add a command execution mode via master..xp_cmdshell?
  • add a privileged testing mode for post-auth vulnerabilities

It’s a fairly early version, I’ve been watching it since v0.1 – it’s a little more polished now but it’s still definitely a tool for more advanced users.

I’m sure some of you will find it useful.

Grab it here:

mssql-hax0r

Inguma – Penetration Testing Toolkit

Inguma is a penetration testing toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute-force user names and passwords and, of course, exploits for many products.

The word Inguma is the name of a spirit from Basque mythology who kills people in their sleep and also brings the nightmares.

It was initially oriented to attack Oracle related systems but it can be used for any kind of setup.

What are the discover and gather modules you may ask? Discover modules are used to detect networks and host; gather modules are used to determine what services are listening at the host, what operative system is being used, what service pack, etc…

Sadly at this time it doesn’t work at all on Win32, again the problem with RAW sockets and the Scapy library won’t work for Win32. If you are running Win2k you might have less problems.

It’s a very early version of the software and development seems to have been quiet lately, I hope more people can contribute to this project and get it moving again.

It certainly has promise!

You can download Inguma here:

inguma0.0.2.tar.gz

Or read more here.

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications

Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc.

The tool is based on dictionaries and ranges; you choose where you want to bruteforce just by replacing the part of the URL or the POST data to be tested with the keyword FUZZ.

It’s very flexible, here are some functionalities:

  • Recursion (When doing directory bruteforce)
  • Post data bruteforcing
  • Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
  • Colored output on all systems
  • Hide results by return code, word numbers, line numbers, etc.
  • URL encoding
  • Cookies
  • Multithreading
  • Proxy support
  • All parameters bruteforcing (POST and GET)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)

Example:

wfuzz.py -c -z file -f commons.txt --hc 404 --html http://www.mysite.com/FUZZ

This will bruteforce the site http://www.mysite.com/FUZZ in search of resources (directories, scripts, files, etc.). It will hide responses with return code 404 from the output (for easier reading of the results) and use the dictionary commons.txt for the bruteforce.
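To make the FUZZ keyword and the --hc filtering concrete, here is an added Python sketch of the two mechanisms (example code for this page, not Wfuzz’s own source): keyword substitution over a dictionary, and hiding responses by return code, word count or line count. The word list and the responses are constructed inline, so nothing is requested from any site; the soft-404 case, where a server answers 200 with a generic page for anything missing, shows why hiding by word count is needed in addition to --hc 404.

```python
from typing import Iterable, List, NamedTuple, Set
from urllib.parse import quote

FUZZ = "FUZZ"


class Result(NamedTuple):
    url: str
    code: int
    body: str


def expand_fuzz(template: str, words: Iterable[str], url_encode: bool = False) -> List[str]:
    """Replace every FUZZ keyword in the template with each dictionary entry.
    Blank lines and '#' comments in the dictionary are skipped."""
    if FUZZ not in template:
        raise ValueError("template contains no FUZZ keyword")
    out = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        out.append(template.replace(FUZZ, quote(word, safe="") if url_encode else word))
    return out


def word_count(body: str) -> int:
    return len(body.split())


def line_count(body: str) -> int:
    return len(body.splitlines())


def hide(results: Iterable[Result], hc: Set[int] = frozenset(), hw: Set[int] = frozenset(),
         hl: Set[int] = frozenset()) -> List[Result]:
    """Drop responses matching any hidden return code (--hc), word count (--hw)
    or line count (--hl); whatever is left is worth a look."""
    return [r for r in results
            if r.code not in hc and word_count(r.body) not in hw and line_count(r.body) not in hl]


# Constructed dictionary and responses (no requests are made; this models what a scan would return).
SAMPLE_WORDLIST = ["admin", "backup", "# commented out", "", "old site", "login"]
SAMPLE_RESPONSES = [
    Result("http://www.mysite.com/admin", 200,
           "<html><body><h1>Admin area</h1><form>...</form></body></html>"),
    Result("http://www.mysite.com/backup", 404,
           "<html><body>Not Found</body></html>"),
    # a "soft 404": the server answers 200 with the same generic page for anything missing
    Result("http://www.mysite.com/old%20site", 200,
           "<html><body>Sorry, that page does not exist.</body></html>"),
    Result("http://www.mysite.com/login", 200,
           "<html><body>Sorry, that page does not exist.</body></html>"),
]


def interesting_urls(responses: Iterable[Result], soft_404_words: int) -> List[str]:
    """The page's own example (--hc 404) plus hiding the soft-404 page by its word count."""
    return [r.url for r in hide(responses, hc={404}, hw={soft_404_words})]


if __name__ == "__main__":
    for url in expand_fuzz("http://www.mysite.com/FUZZ", SAMPLE_WORDLIST, url_encode=True):
        print("would request", url)
    print("left after filtering:", interesting_urls(SAMPLE_RESPONSES, word_count(SAMPLE_RESPONSES[2].body)))
```

In practice the soft-404 word count is learned by requesting a name that certainly does not exist and reading its word count from the unfiltered output, then passing that number to --hw.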

It was created to make web application assessments easier; it’s a tool by pentesters for pentesters.

You can download Wfuzz here:

Wfuzz 1.1 – Win32
Wfuzz 1.1 – Unix

Or read more here.

Dr. Morena – Firewall Configuration Testing Tool

Dr.Morena is a tool to confirm the rule configuration of a Firewall.

The configuration of a firewall is done by combining more than one rule. Sometimes a rule may reside somewhere other than the basic rule configuration place. In such a case it is difficult to confirm whether the configuration is the one the system administrators intended (is the open hole a necessary one or an unnecessary one?).

We prepare a computer with two network interfaces for this tool. Each network interface is connected to one side of the firewall. A packet whose source IP address and destination IP address are forged is sent towards the firewall from one network interface, and any packet that passes through the firewall is confirmed on the other interface. The firewall’s rules are confirmed from the packets which passed through the firewall and the packets which didn’t.

This tool can check the rules independently of how the firewall is configured.

There are two modules in Dr. Morena – similar to the Firewall Tester (FTester). The first module is a check engine, and the second module is a packet list making engine.

Checker, the check engine, builds the check packet from the given packet information, then sends and receives it. It also confirms whether the packet passed through the firewall and returns the checked result.

Ideally, when checking the rules of a firewall, one would check all packets of all services from all IP addresses to all IP addresses. However, it is impossible to check all packets in a reasonable time, so the firewall has to be checked with a limited set of packets. Packets chosen at random make for an inefficient check, so it is necessary to give priority to packets aimed at the important addresses and services listed in the security policy.

ListMaker, the check packet list making engine, lists the packets necessary for the check from information classified by degree of importance.

You can download Dr. Morena here as an rpm file:

drmorena-0.2.0-1.i386.rpm

Or read more here.

piggy – Download MS-SQL Password Brute Forcing Tool

Piggy is yet another tool for performing online password guessing against Microsoft SQL servers.

It supports scanning multiple servers using a dictionary file or a file with predefined accounts (username and password combinations).

It’s a pretty simple tool and has a Win32 binary version – it is a command line tool however.

Piggy v1.0.1 by patrik@cqure.net
--------------------------------
usage: piggy [options]

options:
-u [username] - Single username
-p [password] - Single password
-s [server] - Single server
-S [srvfile] - File containing ip/hostnames
-D [dicfile] - File containing passwords
-A [accounts] - File containing username;password combinations
-N - Do not check availability before scan
-v verbose - Verbose logging

You can download it here:

piggy-src-1_0_1.zip (Source code)
piggy-win32-1_0_1.zip (Binary version)

FTester – Firewall Tester and IDS Testing tool

The Firewall Tester (FTester) is a tool designed for testing firewalls’ filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two Perl scripts, a packet injector (ftest) and a listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format. If the two scripts are run on hosts placed on two different sides of a firewall, a diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available to parse the log files automatically.

Of course this is not an automated process: ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
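Both Dr. Morena (above) and FTester work the same way: marked packets are injected on one side of the firewall, a sniffer records what arrives on the other side, and the two records are compared. The following Python, added here as an example rather than taken from either tool, joins the two logs on the packet marker and then checks what passed against the intended policy, answering Dr. Morena’s question of whether an unnecessary hole is open or a necessary one closed. The log line format and both logs are constructed for the example and are not ftest’s real format.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Probe(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    sig: str


# Constructed log format (not ftest's real one): timestamp, 5-tuple and the marker carried in the payload.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) sig=(?P<sig>\S+)$"
)


def parse_log(text: str) -> Dict[str, Probe]:
    """Index a log by marker so the injector's and the sniffer's views can be joined."""
    probes: Dict[str, Probe] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        probes[m["sig"]] = Probe(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"], m["sig"])
    return probes


def diff_logs(injected: Dict[str, Probe], sniffed: Dict[str, Probe]) -> Tuple[List[Probe], List[Probe]]:
    """Return (blocked, unexpected): markers sent but never seen, and markers seen but never sent."""
    blocked = [p for sig, p in injected.items() if sig not in sniffed]
    unexpected = [p for sig, p in sniffed.items() if sig not in injected]
    return blocked, unexpected


def audit_policy(injected: Dict[str, Probe], sniffed: Dict[str, Probe],
                 allowed: Set[Tuple[str, int]]) -> Dict[str, List[Probe]]:
    """Compare what actually passed with the intended policy, given as the set of
    (proto, dport) pairs the firewall is supposed to let through."""
    passed = set(injected) & set(sniffed)
    return {
        "unintended_holes": [p for p in injected.values()
                             if p.sig in passed and (p.proto, p.dport) not in allowed],
        "missing_holes": [p for p in injected.values()
                          if p.sig not in passed and (p.proto, p.dport) in allowed],
    }


# Constructed logs: four marked probes injected, three of them seen on the far side.
INJECTED_LOG = """\
2007-06-01 12:00:01 192.168.1.10:40000 > 10.0.0.5:80 TCP sig=ft-0001
2007-06-01 12:00:01 192.168.1.10:40001 > 10.0.0.5:443 TCP sig=ft-0002
2007-06-01 12:00:02 192.168.1.10:40002 > 10.0.0.5:23 TCP sig=ft-0003
2007-06-01 12:00:02 192.168.1.10:40003 > 10.0.0.5:53 UDP sig=ft-0004
"""
SNIFFED_LOG = """\
2007-06-01 12:00:01 192.168.1.10:40000 > 10.0.0.5:80 TCP sig=ft-0001
2007-06-01 12:00:01 192.168.1.10:40001 > 10.0.0.5:443 TCP sig=ft-0002
2007-06-01 12:00:02 192.168.1.10:40002 > 10.0.0.5:23 TCP sig=ft-0003
"""
INTENDED_POLICY = {("TCP", 80), ("TCP", 443), ("UDP", 53)}   # what the security policy says should pass


def run_audit() -> Dict[str, List[str]]:
    injected, sniffed = parse_log(INJECTED_LOG), parse_log(SNIFFED_LOG)
    blocked, unexpected = diff_logs(injected, sniffed)
    report = audit_policy(injected, sniffed, INTENDED_POLICY)
    return {
        "blocked": [p.sig for p in blocked],
        "unexpected": [p.sig for p in unexpected],
        "unintended_holes": [p.sig for p in report["unintended_holes"]],
        "missing_holes": [p.sig for p in report["missing_holes"]],
    }


if __name__ == "__main__":
    for key, sigs in run_audit().items():
        print(f"{key}: {sigs}")
```

The raw diff alone (blocked versus passed) is what ftest.log against ftestd.log gives you; the policy comparison is the extra step that turns it into findings, here telnet passing when it should not and DNS being blocked when it should pass.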

The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS; ftest can also use common IDS evasion techniques. Instead of the configuration syntax, the script can currently also process a Snort rule definition file.

Features:

  • Firewall testing
  • IDS testing
  • Simulation of real TCP connections for stateful inspection firewalls and IDS
  • Connection spoofing
  • IP fragmentation / TCP segmentation
  • IDS evasion techniques

Requirements:

The following PERL modules are required: Net::RawIP, Net::PcapUtils, NetPacket

You can download FTester here:

ftester-1.0.tar.gz

Or you can read more here.

Sandcat by Syhunt – Web Server & Application Vulnerability Scanner

Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.

The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.

This is a pretty nifty and complete tool, there is a ‘pro’ version available too.


Key Features

  • Provides over 260 web application security checks, covering over 38 types of web security attacks — a target server can be local or remote
  • Crawls web sites and detects cross-site scripting, directory traversal problems, attempts to execute commands and multiple other attacks
  • Scans web servers for the SANS Top Twenty (C1), the OWASP Top 10 and the OWASP PHP Top 5 vulnerabilities
  • Allows scanning for specific vulnerabilities, such as Fault Injection, SQL Injection and XSS (Cross-Site Scripting)
  • Allows defining a range or list of IP addresses to be scanned
  • Allows defining multiple start URLs
  • Allows performing destructive and non-destructive scans
  • Allows editing the crawling depth: maximum number of links per server, maximum links per page, maximum URL length, maximum response size and more
  • Allows creating user signatures for detecting application vulnerabilities
  • Prevents logout
  • Tests intrusion detection systems
  • Exploits AJAX-based web applications
  • Supports host authentication (basic and web form authentication)
  • Supports OSVDB, NVD, CVE and CWE
  • Stores and allows you to view the HTTP request and response for each successful test
  • Automatically discovers and analyzes the server’s configuration to determine which tests are needed
  • Analyzes robots.txt file and javascript
  • Includes a Baseline Security Scanner — ensures security against outdated server software

Download Sandcat Standard Edition v3.08 here:

Download (EXE-Installer)
Download PDF Manual

Downloads Page.

Windows only I’m afraid.

Or you can read more here.

FG-Injector – SQL Injection & Proxy Tool

FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.

Often web developers think that by disabling error messages in their code, SQL injection vulnerabilities stop being dangerous. When a SQL injection vulnerability doesn’t return error messages it is known as a Blind Injection. The truth is that Blind Injections are just as dangerous as regular SQL Injections. By carefully selecting SQL sentences to inject, an attacker can retrieve information from the database of the vulnerable web application, one bit at a time. The end result is that the attacker can obtain the same data through the Blind SQL Injection that he/she would obtain from a regular, non-blind SQL Injection.

The Inference Engine Module of the FG-Injector Framework automates the generation and injection of the SQL statements needed to exploit a Blind SQL Injection. The module also works for regular injections, using the same method. It can produce blind injections on web/app servers using MS SQL Server, MySQL and PostgreSQL DBMSs.

You can find the downloads here, including the 0.9 Windows binary and the 0.9a source code:

FG-Injector Framework Downloads

You can find full documentation here or just read more here.

sqlget v1.0.0

sqlget is a blind SQL injection tool developed in Perl; it lets you get database schemas and table rows. Using a single GET/POST you can quietly access the database structure, and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

  • IBM DB2
  • Microsoft SQL Server
  • Oracle
  • Postgres
  • Mysql
  • IBM Informix
  • Sybase
  • Hsqldb
  • Mime
  • Pervasive
  • Virtuoso
  • SQLite
  • Interbase/Yaffil/Firebird (Borland)
  • H2
  • Mckoi
  • Ingres
  • MonetDB
  • MaxDB
  • ThinkSQL
  • SQLBase

Evasion features:

  • Full-width/Half-width Unicode encoding
  • Apache non standard CR bypass
  • mod_security bypass
  • Random uppercase request transform
  • PHP Magicquotes: encode every string using db CHR function or similar.
  • Convert requests to hexadecimal values
  • Avoid non-space replacing for /**/ or (\t) tab
  • Avoid non || or + concatenation using db concat function or similar.
  • Random user-agent
  • Random proxy-server
  • Random delay request

Common features:

  • Database schema download blacklist
  • Cookie array support
  • SSL support
  • Proxy server support
  • Database information dumped in csv format

You can find a demo here bypassing IBM ISS Proventia IPS:

ISR sqlget ISS Proventia Bypass

And you can download sqlget here:

ISR-sqlget v.1.0.0

Or read more here.

Proxmon – Proxy Log Monitoring Tool

ProxMon is an extensible Python-based framework that reduces testing effort, improves consistency and reduces errors. It requires limited additional effort, as it processes the proxy logs you’re already generating and reports the issues it discovers. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Formerly announced as ScarabMon as part of BlackHat EU 2007, proxmon monitors proxy logs and reports on security issues it discovers. ProxMon was also presented at CanSecWest 2007.

ProxMon handles routine tasks like:

  • Checking server SSL configuration
  • Looking for directories that allow listing or upload

Its real strength is that it also helps with higher-level analysis such as:

  • Finding values initially sent over SSL that later go cleartext
  • Finding Secure cookie values also sent in the clear
  • Finding values that are sent to 3rd party sites

Its key features are:

  • automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
  • proxy agnostic
  • included library of vulnerability checks
  • active testing mode
  • cross platform
  • open source license
  • easy to program extensible python framework
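As an added example of the value tracing that ProxMon’s higher-level checks rely on (illustrative Python written for this page, not ProxMon’s code or its plugin API), the snippet below walks a constructed proxy log, extracts values from query strings, POST bodies, Cookie and Set-Cookie headers, and reports three of the conditions listed above: a value first sent over SSL that later appears in cleartext, a Secure cookie’s value sent in the clear, and a value handed to a different site. The log entry layout, the field names and the MIN_VALUE_LEN threshold are assumptions of the example.

```python
from typing import Dict, List, NamedTuple, Set, Tuple
from urllib.parse import parse_qsl, urlsplit


class Finding(NamedTuple):
    kind: str
    value: str
    entry: int      # index of the log entry that triggered the finding
    where: str      # which field carried the value


# Constructed proxy log: what an intercepting proxy would have recorded for one browsing session.
SAMPLE_LOG = [
    {"method": "POST", "url": "https://shop.example/login",
     "req": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&session_hint=Zx9Q2",
     "resp": {"Set-Cookie": "sid=a1b2c3d4; Secure; HttpOnly"}},
    {"method": "GET", "url": "https://shop.example/account",
     "req": {"Cookie": "sid=a1b2c3d4"}, "body": "", "resp": {}},
    {"method": "GET", "url": "http://shop.example/track?sid=a1b2c3d4",       # application leaks the session id over HTTP
     "req": {}, "body": "", "resp": {}},
    {"method": "GET", "url": "https://stats.thirdparty.example/pixel?u=Zx9Q2",  # value handed to another site
     "req": {}, "body": "", "resp": {}},
]

MIN_VALUE_LEN = 4   # constructed threshold: ignore short values such as "1" or "on" that collide by accident


def extract_values(entry: dict) -> List[Tuple[str, str, str]]:
    """Pull (kind, name, value) triples out of the query string, POST body, Cookie and Set-Cookie."""
    out: List[Tuple[str, str, str]] = []
    parts = urlsplit(entry["url"])
    out += [("query", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if entry.get("body"):
        out += [("post", k, v) for k, v in parse_qsl(entry["body"], keep_blank_values=True)]
    req = {k.lower(): v for k, v in entry.get("req", {}).items()}
    for pair in req.get("cookie", "").split(";"):
        if "=" in pair:
            k, v = pair.strip().split("=", 1)
            out.append(("cookie", k, v))
    resp = {k.lower(): v for k, v in entry.get("resp", {}).items()}
    if "set-cookie" in resp:
        first, *attrs = [a.strip() for a in resp["set-cookie"].split(";")]
        k, v = first.split("=", 1)
        secure = any(a.lower() == "secure" for a in attrs)
        out.append(("set-cookie-secure" if secure else "set-cookie", k, v))
    return out


def trace_values(log: List[dict]) -> List[Finding]:
    """Follow each value across entries and flag the three conditions described above."""
    first_seen: Dict[str, Tuple[str, str]] = {}   # value -> (scheme, host) of its first appearance
    secure_cookie_values: Set[str] = set()
    findings: List[Finding] = []
    for i, entry in enumerate(log):
        parts = urlsplit(entry["url"])
        scheme, host = parts.scheme, parts.hostname
        for kind, name, value in extract_values(entry):
            if len(value) < MIN_VALUE_LEN:
                continue
            where = f"{kind} {name}"
            if kind == "set-cookie-secure":
                secure_cookie_values.add(value)
            if value in first_seen:
                first_scheme, first_host = first_seen[value]
                if first_scheme == "https" and scheme == "http":
                    findings.append(Finding("ssl_then_cleartext", value, i, where))
                if first_host != host:
                    findings.append(Finding("sent_to_third_party", value, i, where))
            else:
                first_seen[value] = (scheme, host)
            if value in secure_cookie_values and scheme == "http":
                findings.append(Finding("secure_cookie_in_clear", value, i, where))
    return findings


if __name__ == "__main__":
    for f in trace_values(SAMPLE_LOG):
        print(f"[{f.kind}] entry {f.entry}: {f.where} = {f.value}")
```

The proxy-agnostic part is `extract_values`: only that function knows how a given proxy writes its log, which is what lets the same tracing logic run over any proxy’s output.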

You can download ProxMon here (Prerequisites: Python):

proxmon-1.0.18.tar.gz
proxmon-1.0.18.exe

Selenium – JavaScript Web Application Security Testing Tool

Selenium is a test tool for web applications. Selenium tests run directly in a browser, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh. No other test tool covers such a wide array of platforms.

  • Browser compatibility testing. Test your application to see if it works correctly on different browsers and operating systems. The same script can run on any Selenium platform.
  • System functional testing. Create regression tests to verify application functionality and user acceptance.

Try it out! Get started with Selenium IDE for your first taste of Selenium’s power. You can run Selenium IDE tests in any supported browser using Selenium Core.

Any Language! Want to write tests in your favorite programming language? Try Selenium Remote Control; it currently supports writing tests in Java, .NET, Perl, Python and Ruby.

Supported Platforms:

Windows:

  • Internet Explorer 6.0
  • Firefox 0.8 to 1.5
  • Mozilla Suite 1.6+, 1.7+
  • Seamonkey 1.0
  • Opera 8

Mac OS X:

  • Safari 1.3+
  • Firefox 0.8 to 1.5
  • Camino 1.0a1
  • Mozilla Suite 1.6+, 1.7+
  • Seamonkey 1.0

Linux:

  • Firefox 0.8 to 1.5
  • Mozilla Suite 1.6+, 1.7+
  • Konqueror

Selenium uses JavaScript and iframes to embed a test automation engine in your browser. This technique should work with any JavaScript-enabled browser. Because different browsers handle JavaScript somewhat differently, the developers usually have to tweak the engine to support a wide range of browsers on Windows, Mac OS X and Linux.

You can read more here.

ProxyFuzz

ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) contents on the network traffic. It supports TCP and UDP protocols and can also be configured to fuzz only one side of the communication. ProxyFuzz is protocol agnostic so it can randomly fuzz any network communication.

ProxyFuzz is a good tool for quickly testing network protocols and producing basic proofs of concept. Using this tool you will be amazed by the poor quality of software: you will see clients and servers dying upon unexpected input, so be prepared for some very weird behaviour.

Syntax of ProxyFuzz:

ProxyFuzz 0.1, Simple fuzzing proxy by Rodrigo Marcos

usage():

python proxyfuzz -l -r -p [options]

[options]
-w: Number of requests to send before start fuzzing
-c: Fuzz only client side (both otherwise)
-s: Fuzz only server side (both otherwise)
-u: UDP protocol (otherwise TCP is used)
-v: Verbose (outputs network traffic)
-h: Help page
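The behaviour behind those options (pass the first -w messages through untouched, then mutate only the chosen side) is illustrated by the following Python class, added here as an example and not taken from ProxyFuzz. The mutation strategies, the FuzzingRelay class and the sample exchange are the example’s own; the random generator is seeded so that a crash found this way can be replayed, which is the detail a non-deterministic fuzzer needs most.

```python
import random
from typing import List, Optional, Tuple


class FuzzingRelay:
    """Models a fuzzing proxy: the first `warmup` messages pass through untouched
    (-w), then messages travelling in the selected direction(s) are mutated."""

    def __init__(self, warmup: int = 0, fuzz_client: bool = True, fuzz_server: bool = True,
                 seed: Optional[int] = None):
        self.warmup = warmup
        self.fuzz_client = fuzz_client        # -c: only client->server traffic is fuzzed
        self.fuzz_server = fuzz_server        # -s: only server->client traffic is fuzzed
        self.rng = random.Random(seed)        # seeded so a crash can be reproduced later
        self.seen = 0

    def relay(self, side: str, data: bytes) -> bytes:
        """side is 'client' (client->server) or 'server' (server->client)."""
        self.seen += 1
        if self.seen <= self.warmup or not data:
            return data
        if (side == "client" and not self.fuzz_client) or (side == "server" and not self.fuzz_server):
            return data
        return self.mutate(data)

    def mutate(self, data: bytes) -> bytes:
        """Apply one random mutation; every strategy is guaranteed to alter the message."""
        buf = bytearray(data)
        strategy = self.rng.choice(("flip", "insert", "truncate", "repeat"))
        if strategy == "flip":                       # xor a byte with a non-zero mask
            i = self.rng.randrange(len(buf))
            buf[i] ^= self.rng.randint(1, 255)
        elif strategy == "insert":                   # splice in random junk
            i = self.rng.randrange(len(buf) + 1)
            buf[i:i] = bytes(self.rng.randrange(256) for _ in range(self.rng.randint(1, 16)))
        elif strategy == "truncate":                 # cut the message short
            buf = buf[: self.rng.randrange(len(buf))]
        else:                                        # duplicate a slice, growing the message
            i = self.rng.randrange(len(buf))
            j = self.rng.randint(i + 1, len(buf))
            buf[j:j] = buf[i:j]
        return bytes(buf)


def demo(seed: int = 7) -> List[Tuple[str, bool]]:
    """Relay a constructed exchange with -w 2 and -c set; report which messages were altered."""
    relay = FuzzingRelay(warmup=2, fuzz_client=True, fuzz_server=False, seed=seed)
    exchange = [
        ("client", b"HELLO 1.0\r\n"),
        ("server", b"OK\r\n"),
        ("client", b"GET /status\r\n"),
        ("server", b"200 fine\r\n"),
        ("client", b"QUIT\r\n"),
    ]
    return [(side, relay.relay(side, msg) != msg) for side, msg in exchange]


if __name__ == "__main__":
    for side, altered in demo():
        print(f"{side:6s} {'fuzzed' if altered else 'passed through'}")
```

With the warm-up at two, the handshake goes through intact and only the client’s later messages are mutated, which is the configuration you want when the server under test is your own and the client is a known-good reference.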

A demo of ProxyFuzz is available here.

The video shows ProxyFuzz proxying traffic between a VMWare Console and a VMWare Server. This is just a dumb example of the things you can do with this tool.

Download ProxyFuzz 0.1 Source Code

Download ProxyFuzz 0.1 Windows Binary

Or read more here.

The Kcpentrix Project – Penetration Testing Toolkit LiveDVD

The Kcpentrix Project was founded in May 2005. KCPentrix 1.0 was a liveCD designed to be a standalone penetration testing toolkit for pentesters, security analysts and system administrators.

What’s New in KcPentrix 2.0

Release 2.0 is now a liveDVD. It features a lot of new or up-to-date tools for auditing and testing a network, from scanning and discovery to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD; the powerful modularity which Kcpentrix inherits from it allows it to be easily customised to include relevant modules.

It has switched to the 2.6 kernel line, and zisofs compression was replaced by SquashFS, which provides a better compression ratio and higher read speed.

You can download the ISO from Kcpentrix.com or Securitydistro.com here:

Kcpentrix v2.0

Or read more here.

Some of the key tools/software included:

ARP

arping-2.04
seringe
arp-sk
arpspoof

Backdoors

hbkdr.tar.gz
hbkdr.zip
sbd-1.37.tar.gz
ssheater-1.1.tar.gz
x86-linux-connectback.c
x86-linux-portbind.c

Bruteforce

adsmb-0.3
adsnmp-0.1
brutus-0.9.2
crackcvspass-v0.1
john-1.7.2
Online_Rainbow
onesixtyone-0.3.2
nat-1.0.4
mdcoll
lodowep
SIPcrack-0.1
smbat
TFTP-bruteforce
VNCcrack-0.9.1
wyd
crunch
md5crack.pl
ophcrack
thc-pptp-bruter
vncrack

Cisco

brute-enable-v.1.0.2
cisco-auditing-tool-v.1.0
cisco-global-exploiter
cisco-scanner-v.1.3
cisco-torch-0.4b
ciscopack
copy-router-config-v.0.1
eigrp-tools
ios-w3-vul
ios7decrypt-v.1.1
jitney-0.10

Database

sqlbrute.py
bsqlbf.pl
mysql_bftools
metacoretex-0.8.0
oat
oscanner_bin
checkpwd
sidguess
tnscmd10g.pl
bfora.pl
dbcool_audit.pl
oracletest.pl
tnsprobe.sh
oracle-scanner-v.1.0.6
oracle-dump-sids-v0.0.1
oat-v.1.3.1

Enumeration

dnswalk
DNSBruteforce.py
dns-ptr
dnsenum
dnsmap
dns-predict-v.0.0.2
fingergoogle-1.1
googrape-v.0.1
gooscan-v0.9
goog-mail.py
qgoogle.py
google-search
dnspython-1.3.2
dnslib.py
httplib.py
inet-enum.py
isr-form-1.0
ldap-enum-v.003
ldapbrowser
list-urls
lsrtunnel-0.2.1
mibble-2.6
mibble-2.7
nmbscan-1.2.4
nstx
relayscanner
revhosts
smb-enum
smtp-vrfy
snmpenum.pl
httprint_301

Firewall

ftester-1.0
Morena
hping2

Forensics

autopsy-2.06
sleuthkit
sleuthkit-2.03

Fuzzers

bed
bed-v.0.5
cirt-fuzzer
clfuzz
fuzzer-1.1
fuzzer-1.2
fuzzer-mod
mistress
Peach
pirana-0.2.1
snmp-fuzzer-0.1.1
spike

Misc-tools

find_ddos3.1
fping-2.4b2
ipgenv2

Proxies

3proxy_0_5_2
paros
penproxy-0.4.10

Scanners

banshee-3.3
dcom_scanner
hydra-5.3
knocker-0.7.1
lsrscan-1.0
ike-scan
amap
nikto-1.35
pbnj
nbtscan
nmap
nmapfe
sinfp.pl
VNC_bypauth

Sniffers

aimsniff-0.9d
aimsniff-1.0beta
PHoss
xspy
dsniff
p0f
wireshark

Spoofing

netsed

Tunnelling

3proxy
iodine-0.3.2
proxytunnel-1.6.3

Web

asp-audit
metoscan04
proxyfinder-1.0
sqlibf
sqlinject-1.1
wal
easy-scraper.pl
hacker_webkit.tar.gz
mysql-miner.pl
put.pl

Wireless

aircrack-2.2-beta1
aircrack-ng-0.6.2
airpwn-1.3
airsnarf-0.2
asleap-1.4
wifitap
hotspotter-0.4
fakeap-0.3.2
cowpatty-2.0
wep_crack
wep_decrypt

sqlninja 0.1.2

sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.

It should be used by penetration testers to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered. It is written in Perl and runs on Unix-like boxes.

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
  • Bruteforce of ‘sa’ password
  • Privilege escalation to ‘sa’ if its password has been found
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

What’s New?

  • Test mode, that checks whether the configuration is correct and the injection is successful
  • Debug option, which allows printing SQL commands and raw HTTP request/response data. Useful when things are not working and you want to see what’s going on under the hood
  • Files are uploaded to %TEMP%, bypassing possible write restrictions
  • A simplified way to configure the injection parameters
  • Interactive config file generation

You can find it, together with a flash demo of its features, at the address:

http://sqlninja.sourceforge.net

Trinity Rescue Kit

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

It is possible to boot TRK in three different ways:

  • As a bootable CD which you can burn yourself from a downloadable ISO file
  • From a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK CD
  • From the network over PXE, which requires some modifications on your local network

TRK is a completely command-line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

It’s recommended to keep a copy of TRK in your toolkit; we at Darknet do find it useful, especially for resetting passwords and fixing messed-up file systems.

A summary of the main features:

  • easily reset windows passwords
  • 4 different virusscan products integrated in a single uniform commandline with online update capability
  • full ntfs write support thanks to ntfs-3g (all other drivers included as well)
  • clone NTFS filesystems over the network
  • wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
  • easy script to find all local filesystems
  • self update capability to include and update all virusscanners
  • full proxyserver support.
  • run a samba fileserver (windows like filesharing)
  • run a ssh server
  • recovery and undeletion of files with utilities and procedures
  • recovery of lost partitions
  • evacuation of dying disks
  • UTF-8 international character support

You can download the latest TRK 3.2 here:

Trinity Rescue Kit: Download

Phrack 64

Finally a new Phrack! Phrack 64 was released a while back, at the end of May, and it’s been quite a wait.

At the beginning, in 1985, Phrack started as an anarchy magazine. You can learn from the first issues how to create your own bomb or how to seriously take advantage of the world that surrounds us. You can learn from the first issues how the hacking started, in which state of mind the editors of the magazine were when the will to communicate was stronger than keeping all the fun for yourself, when you could teach so many people who deserved to have fun as well. Nothing of Phrack was ever about making money or harming anyone, since Hacking is about freedom of speech and intellectual curiosity. Hackers regulate the digital exchanges happening on the network and it will never stop, because you cannot catch us, and you certainly cannot catch us all.

Before Phrack, Hacking already existed, and all serious companies, agencies and groups of influence in the world dealing with information privacy and security felt concerned by the topic. Hackers were the founders of the system itself, and the system decomposed into multiple entities. Students and self-made hackers followed their way in a society that often did not integrate them as they deserved, so harshly that nowadays Hacking is forbidden in most countries of our planet. The system is getting private. Some humans have more rights than others. Some have interests to keep, others are simply waiting for their turn.

In the last decade, Phrack took a very annoying industry-oriented editorial policy and the original spirit was, in our opinion, not respected. The good old school spirit as we like it had somehow disappeared from the process of creating the magazine. That is why the underground got split by a major dispute, as some part of the scene was unhappy with this new way of publishing. We clearly needed to bring together again all the relevant parties around the spirit of hacking and the values that make the Underground. The Underground is neither about making the industry richer by publishing exploits or 0day information, nor about distributing hacklogs of whitehats on the Internet, but about pushing the limits of technology further and further, in a big wave of learning and sharing with the people ready to embrace it. This is not our war to fight people doing this for money, but we have to clearly show our difference.

It is also getting more urgent that hackers use the technology to make the world a fair place to live in, and we will not let politics decide without us what is good to do. Hackers need to express their concerns and regulate the information despite the rules imposed by self-claimed authorities, and this is the real subject of our actions.

Because of this, Phrack Magazine has always been an alternative recipient for all the Hacking community knowledge that gets renewed continuously. The content is evolving into a patchwork made of multiple disciplines. Of course, programming takes a central place, but software and hardware systems evolve together, and so does our protocol suite and its extensions. Reverse Engineering and Cryptography are made more and more desirable even in mainstream society. Our own body has turned into an experimentation system that brings new perspectives on the judgments that define who we are.

Phrack will always exist and will never discriminate by the origin of its contributors. The magazine is where information is the rule and discrimination does not exist, provided you complete the disruptive compliance attitude that defines the Hacking identity itself.

Be original, keep the underground renewing.

Contribute to Phrack.

You can read Phrack 64 at http://phrack.org/ or get the tar.gz in original style here:

64.tar.gz

Fuzzled – PERL Fuzzing Framework

Someone else noticed this and wondered where the Perl framework was to complete the family. With that in mind he spent the last few months working on something that should fill the gap – Fuzzled.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them.

All in PERL!

It’s a pretty comprehensive framework with a lot of functionality, so do check it out and let us know what you think.

Fuzzled v1.0 can be found here.

You can download Fuzzled directly here:

Fuzzled-1.0.tar.gz

Priamos Project – SQL Injector and Scanner

You can search for SQL injection vulnerabilities and inject the vulnerable string to get all database names, tables and column data with the injector module.

You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).

The first release of PRIAMOS contains only the SQL Server database module.

You can watch a demo video here and find out more here:

http://www.priamos-project.com/

If you want something to test you can create your own local vulnerable test platform using this script:

Download Vulnerable ASP page and Database script

You can download PRIAMOS here:

PRIAMOS.v1.0.zip

SQLBrute – SQL Injection Brute Force Tool

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time-based and error-based exploit types on Microsoft SQL Server, and error-based exploits on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

For error-based SQL injection, SQLBrute should work if you can either:

  • Get an identifiable difference between adding the exploit strings AND 1=1 and AND 1=2 to your SQL injection point (usually works if the query is normally valid)
  • Get an identifiable difference between adding the exploit strings OR 1=1 and OR 1=2 to your SQL injection point (usually works if the query is normally invalid)

For time-based SQL injection, SQLBrute should work if you can use exploit syntax similar to ;waitfor delay ‘0:0:5’ to generate a time delay in Microsoft SQL Server.

Here are the options printed by SQLBrute when you run it with no options:

Usage: ./sqlbrute.py options url
[--help|-h]
[--verbose|-v]
[--server|-d oracle|sqlserver]
[--error|-e regex]
[--threads|-s number]
[--cookie|-k string]
[--time|-n]
[--data|-p string]
[--database|-f database]
[--table|-t table]
[--column|-c column]
[--where|-w column=data]
[--header|-x header::val]

Full details and usage notes can be found here:

Using SQLBrute to brute force data from a blind SQL injection point

You can download SQLBrute here:

sqlbrute.py

SQLiX Project – SQL Injection Scanner

SQLiX, coded in Perl, is a SQL injection scanner able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (and even execute system commands on MS-SQL). The concepts in use are different from those used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn’t need to reverse engineer the original SQL request (using only function calls).

SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.

Current injection methods used by commercial web assessment software are based on error generation or statement injections.

Error Generation

The error generation method is quite simple and is based on meta characters like single quotes or double quotes. By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply. The main issue with this technique is the fact that it’s only based on pattern matching. There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.

Statement Injection

The second method used is statement injection. Let’s look at an example:

The target URL, request (0):

http://target.example.com/news.php?id=25

The scanner will try to compare the HTML content of the original request with the HTML content of requests (1) and (2):

http://target.example.com/news.php?id=25%20or%201=1

http://target.example.com/news.php?id=25%20or%201=0

If request (1) provides the same result as request (0) and request (2) doesn’t, the scanner will conclude that SQL injection is possible. This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, stored procedures or function calls, this method will rarely work. Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.
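The boolean comparisons described for FG-Injector, SQLBrute and SQLiX all rest on one observation: an injected tautology and contradiction give different results only when the database actually evaluates them. The following Python (an added example, not code from any of the three tools) puts an intentionally vulnerable lookup next to its parameterized fix against an in-memory SQLite table with constructed rows, then runs the AND 1=1 / AND 1=2 and OR 1=1 / OR 1=0 pairs against both; only the concatenating version shows a difference. The news table, the lookup functions and the pair constants are the example’s own.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the news table behind a news.php?id= page (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (24, 'Old story'), (25, 'Story twenty-five'), (26, 'Newer story');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, id_param: str) -> List[str]:
    """The bug: the id parameter is pasted straight into the statement, so
    anything appended to it is parsed as SQL."""
    sql = "SELECT title FROM news WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, id_param: str) -> List[str]:
    """The fix: validate the type and bind the value; appended text never reaches the parser."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return [row[0] for row in conn.execute("SELECT title FROM news WHERE id = ?", (id_value,))]


# Boolean pairs: a tautology and a contradiction whose results differ only if the database evaluated them.
AND_PAIR = (" AND 1=1", " AND 1=2")   # for a parameter whose normal query is valid (SQLBrute's first case)
OR_PAIR = (" OR 1=1", " OR 1=0")      # for one whose normal query is invalid (SQLBrute's second case, SQLiX's pair)


def boolean_pair_differs(lookup: Lookup, base: str, pair: Tuple[str, str]) -> bool:
    """Statement-injection check: True when the two injected variants produce
    different results, i.e. the injected condition was evaluated by the database."""
    return lookup(base + pair[0]) != lookup(base + pair[1])


def run_checks() -> Dict[str, bool]:
    """Run both pairs against the vulnerable and the fixed lookup on the same data."""
    conn = make_db()
    concatenating: Lookup = lambda p: vulnerable_lookup(conn, p)
    parameterized: Lookup = lambda p: safe_lookup(conn, p)
    return {
        "vulnerable_and": boolean_pair_differs(concatenating, "25", AND_PAIR),
        "vulnerable_or": boolean_pair_differs(concatenating, "25", OR_PAIR),
        "safe_and": boolean_pair_differs(parameterized, "25", AND_PAIR),
        "safe_or": boolean_pair_differs(parameterized, "25", OR_PAIR),
    }


if __name__ == "__main__":
    for name, differs in run_checks().items():
        print(f"{name}: {'injectable' if differs else 'no difference'}")
```

The fixed lookup returns the same (empty) result for both halves of each pair, so the check cannot be satisfied; this is also why the check is a detection method rather than proof, since any other reason for two responses to differ (a rotating advert, a timestamp in the page) produces a false positive unless the comparison ignores such content.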

Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can’t be exploited. By reaching this incorrect conclusion they are in effect inviting their customers not to patch the vulnerability.

You can download here:

OWASP SQLiX v1.0

Documentation and examples are here:

OWASP SQLiX Project

Technitium v4.5

Technitium MAC Address Changer v4.5 has been released.

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information about each NIC in the machine. Every NIC has a MAC address hard coded into its circuitry by its manufacturer. This hard coded MAC address is used by Windows drivers to access Ethernet networks (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional’s toolbox.

Technitium MAC Address Changer v4.5 is coded in Visual Basic 6.0.

Features

  • Changes the MAC address of any Network Interface Card (NIC), including wireless LAN cards, irrespective of its manufacturer or drivers.
  • Has a list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and find out which manufacturer it belongs to.
  • Allows you to select a random MAC address from the list of manufacturers by clicking a button.
  • Restarts your NIC automatically to apply MAC address changes instantaneously.
  • Allows you to create and edit Configuration Presets, which save all your NIC settings and make it simple to switch between many configurations in a single click, saving a lot of time.
  • Has a command line interface which allows you to perform all tasks from the command prompt, or even to create a DOS batch program to carry out regular tasks.
  • Allows you to export a detailed text report for all network connections.
  • Displays all the information you would ever need about your NIC in one view: Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.
  • Displays total bytes sent and received through the NIC.
  • Displays current data transfer speed per second.
  • Allows you to configure IP address, gateway and DNS server for your NIC quickly and instantaneously.
  • Allows you to enable/disable DHCP instantaneously.
  • Allows you to release/renew the DHCP IP address instantaneously.
  • Displays DHCP lease obtained and lease expiry times.
  • Allows you to configure the Interface Metric instantaneously.
  • Quick keyboard shortcuts for most operations.
  • Supports all Microsoft(R) Windows(TM) NT-based versions in all languages.
  • All bugs reported in the previous 4.0 version have been fixed (thanks for all your feedback).

Visit http://tmac.technitium.com for more information and download links.

Foundstone Blast – TCP Network Service Stress Test Tool

Foundstone Blast v2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.

Features:

  • /trial switch adds the ability to see how the buffer looks before sending it
  • /v switch adds verbose output – off by default
  • /nr switch turns off the initial receive after the initial connect – HTTP services don’t send an initial response, mail services do
  • The /nr switch fixes the effect of HTTP timeouts when sending GET strings
  • /dr adds double LF/CR sequences to buffers (useful for GET requests) – off by default

Usage:

blast xxx.xxx.xxx.xxx port startsize endsize /t rcvtimeout /d senddelay /b beginmsg /e endmsg /noret

Examples:

blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user
blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user /e endchars
blast 134.134.134.4 110 600 680 /noret

/t == timeout delay in milliseconds to wait for a server response
/d == delay before each send
/noret means send raw data with none of the newline characters a POP server expects at the end
/b is a way to add custom text to the beginning of each buffer
/e is an alternate way to end each buffer
/v switches on verbose output – off by default
/nr turns off the initial receive after the initial connect (useful for HTTP GET)
/dr adds double LF/CR sequences to buffers (useful for HTTP GET)

You can read more and find Foundstone Blast for download here:

Foundstone Blast v2.0

Nemesis – Packet Injection Suite

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject packets for:

  • ARP
  • DNS
  • ETHERNET
  • ICMP
  • IGMP
  • IP
  • OSPF
  • RIP
  • TCP
  • UDP

Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Unix-like systems require: libnet-1.0.2a, and a C compiler (GCC)
Windows systems require: libnetNT-1.0.2g and either WinPcap-2.3 or WinPcap-3.0

Download it here:

Source code: nemesis-1.4.tar.gz (Build 26)
Windows binary: nemesis-1.4.zip (Build 26) (includes LibnetNT)

You can read more here:

Nemesis at Sourceforge

ISIC – IP Stack Integrity & Stability Checker

ISIC is a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets can be given tendencies to conform to: for example, 50% of the packets generated can have IP options and 25% can be IP fragments. The percentages are arbitrary, and most of the packet fields have a configurable tendency.

The packets are then sent against the target machine to either penetrate its firewall rules or find bugs in the IP stack.

ISIC also contains a utility to generate raw Ethernet frames to examine hardware implementations.

Other novel uses people have found for ISIC include IDS testing, stack fingerprinting, breaking sniffers and barraging the IRC kiddie.

Warning:

ISIC may break shit, melt your network, knock out your firewall, or singe the fur off your cat

You can read more and download ISIC from Packet Factory here:

http://www.packetfactory.net/Projects/ISIC/ (Direct download)

Ubuntu Ultimate Edition

Basically Ubuntu Ultimate Edition is Ubuntu Edgy Eft with a whole lot of software pre-added.

Sadly the author had to remove Java, Flash and Acrobat Reader due to licensing agreements. But don’t worry, as there is a custom repository in the release which includes all of these and much more.

  • SMP Support (dual core CPUs) / works with single core as well
  • 121 Additional Updates
  • New Grub boot screen
  • New theme and animated bootscreen
  • New GDM theme
  • New splash screen & wallpaper
  • Updated Beryl
  • Capture card support – TVTime / ATI All-in-Wonder
  • Gaim Beta 6 – prebuilt with plugins.
  • GKrellM – Realtime hardware monitor
  • MGM – Moaning Goat Meter
  • Newer Amarok than can be obtained from the edgy repos
  • Hardinfo – System information
  • GTKPod – iPod sync software
  • HTop – Process viewer
  • Sysinfo – System information
  • iPodder – iPod sync software
  • XSensors – Hardware sensor software
  • Additional networking and wireless tools
  • Gpixpod – Photo sync software for iPod
  • IPodslave – an iPod IO slave
  • Xpenguins – Thanks Maddog

The current version is 1.2, which adds a whole bunch of new software and fixes an issue with dual core processors.

Please use the torrents if you can, or a mirror first. Unfortunately Ubuntu Ultimate 1.2 cannot be downloaded locally due to bandwidth consumption; if you have some space to host a mirror, please let the authors know.

You can find out more at:

Ubuntu Ultimate Edition

Ubuntu Ultimate 1.2 TORRENT

Ubuntu Ultimate 1.2 Mirror

VoIP Security Testing Tools List from VoIPSA

The VoIP Security Alliance (VOIPSA) is pleased to announce the public release of its VoIP security tool list. Check it out at:

http://www.voipsa.org/Resources/tools.php

This VoIP Security Tool List provides categories, descriptions and links to current free and commercial VoIP security tools.

This list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. It is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

The key objectives of the list are as follows:

  1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA’s Best Practices Project.
  2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
  3. Provide vendors the information needed to proactively test their VoIP devices’ ability to function and withstand real-world attacks.

VoIPSA Resources.

Scapy – Interactive Network Packet Manipulation

What is Scapy?

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

What makes Scapy different from most other networking tools

First, with most other tools, you won’t build something the author did not imagine. These tools have been built for a specific goal and can’t deviate much from it. For example, an ARP cache poisoning program won’t let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say “this port is open” instead of “I received a SYN-ACK”. Sometimes they are right. Sometimes not. It’s easier for beginners, but when you know what you’re doing, you keep on trying to deduce what really happened from the program’s interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.

Third, even programs which only decode do not give you all the information they received. The view of the network they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding?
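To make the decode-versus-interpret point and the padding question concrete, here is an added Python example (not Scapy’s code) that builds a constructed minimal Ethernet/IPv4/ICMP frame, zero-padded to the 60-byte minimum as a driver would, and then decodes it so that the bytes beyond the IP total length are reported as padding instead of being silently dropped. The frame contents, the addresses (RFC 5737 documentation range) and the function names are all assumptions for the example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + ICMP echo request between the
    documentation addresses 192.0.2.1 and 192.0.2.2, zero-padded to the 60-byte
    minimum frame size (FCS excluded) the way a driver pads it on the wire."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth_hdr + ip_hdr + icmp
    return frame + b"\x00" * max(0, 60 - len(frame))

def decode_frame(frame: bytes) -> dict:
    """Decode rather than interpret: report what is on the wire, padding included.
    The IP total length, not the Ethernet frame length, bounds the datagram;
    whatever follows it is link-layer padding that most tools never show."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    return {
        "proto": ip[9],
        "header_checksum_ok": inet_checksum(ip[:ihl]) == 0,  # a valid header sums to 0
        "l4": ip[ihl:total_len],       # ICMP header + payload, as the IP layer bounds it
        "padding": ip[total_len:],     # trailing bytes beyond the IP datagram
    }

if __name__ == "__main__":
    info = decode_frame(build_frame(b"hi"))
    print(f"proto={info['proto']} l4={info['l4'].hex()} "
          f"padding={len(info['padding'])} bytes checksum_ok={info['header_checksum_ok']}")
```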

You can grab the latest version here for Linux:

Scapy.py for Linux

And Windows here:

Scapy.py for Windows

Or…

Scapy 1.1.1 tarball (not always up to date)
Scapy’s debian package (not always up to date)
Scapy’s RPM package (not always up to date)

You can read more and find examples, presentations and so on here:

http://www.secdev.org/projects/scapy/

Sguil – Intuitive GUI for Network Security Monitoring with Snort

Sguil (pronounced sgweel) is probably best described as an aggregation system for network security monitoring tools. It ties your IDS alerts into a database of TCP/IP sessions, full content packet logs and other information. When you’ve identified an alert that needs more investigation, the sguil client provides you with seamless access to the data you need to decide how to handle the situation. In other words, sguil simply ties together the outputs of various security monitoring tools into a single interface, providing you with the most information in the shortest amount of time.

Sguil uses a database backend for most of its data, which allows you to perform SQL queries against several different types of security events.

How is sguil different from Snort + ACID or Snort + BASE?

ACID & BASE are both web-based IDS alert management systems. They let you browse and search alerts, but don’t offer very much in the way of data-mining that would allow you to answer questions like, “Was this an attack attempt or a false positive?”, “Was the attempt successful?” or “What other machines did the attacker try to crack once he got into this one?”. They rely on you to do the research necessary to determine the severity of the situation.

Sguil’s design centers on providing convenient, quick access to a host of supporting information, which both saves you time and helps you make better decisions. Incidentally, because sguil uses a dedicated client instead of running through a web browser, you get a richer, more responsive user interface as well.

You can find snort here:

http://www.snort.org/

You can read more and download Sguil here:

http://sguil.sourceforge.net/

SSA 1.5.1

A new version of SSA (Security System Analyzer) has been released – version 1.5.1.

SSA is a scanner based on OVAL. The command line tool provided by MITRE is not very easy to use, so the guys at Security Database decided to write a GUI to make it simple to use and understand, and so free the security testing community to take advantage of it.

+ Based on OVAL 5.2 build 11 (bugs fixed)
  - Corrected a bug in EntityComparator::ParseVersionStr(). Added error checking to the function to ensure that the input version strings are in a valid format.
  - Removed the VC7 project from source distributions.

+ SSA now relies on CPE (Common Platform Enumeration) names to display inventories.

+ SSA now supports Vista definitions.

+ Added Help menu
  - PDF documentation: link to the SSA PDF doc.
  - OVAL Concept documentation: link to the OVAL FAQs.
  - CPE Concept documentation: link to the CPE docs.
  - [New Security-Database feature]: Submit a bug about SSA
  - Security-Database Vulnerability Search: search for information in our cross-linked vulnerability database

+ Fixed bugs in the scan() function
  - Handle exception: error while parsing a corrupted XML file
  - Handle exception: error while using an unsupported schema

+ Fixed a latency in the “stop/reload” function

+ Fixed the PATH bug. SSA can now be installed in any directory.

You can download the latest version here:

SSA 1.5.1

ProTech Security Distribution

Techm4sters e-mailed us recently to let us know about their new security distro called ProTech, we haven’t had time to download it and test it yet but it certainly looks promising.

- What is PROTECH? Protech is a very light live security distribution based on Ubuntu Linux.

- Is this like Nubuntu? It is similar, yes! But we wanted something friendlier to the end-user and so we tried a different approach and tested new tools. You’ll see that there are many differences amongst them. Many ideas have been taken from NUbuntu as well as other security distributions to try to make the most complete, reliable and easiest tool for your use. I hope you can appreciate our work.

If you have chance to check it out, do let us know what it’s like and if it’s comparable to BackTrack 2.0, which was released fairly recently.

Protech is based on the latest Ubuntu Feisty. It is a beta; the final version should be released later in April or in May.

ProTech is currently using Fluxbox for the GUI because of its light weight. It has a large collection of security software installed and can work both as a LiveCD or a hard disk installation.

There is some good info on Getting Started here.

And you can download the latest release of ProTech here:

Protech-x86-beta.iso