Burp Proxy & Burp Suite – Attacking Web Applications

Another great thing is it’s cross platform, so you don’t have to learn different tools for Windows and Linux.


Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools (Proxy, Spider, Intruder and Repeater) with numerous interfaces between them designed to facilitate and speed up the process of attacking a web application. All plugins share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows an attacker to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together to share information, so findings identified in one tool can form the basis of an attack using another.

Key features unique to Burp Suite include:

  • Ability to “passively” spider an application in a non-intrusive manner, with all requests originating from the user’s browser.
  • One-click transfer of interesting requests between plugins, e.g. from the proxy request history, or a web page form enumerated with burp spider.
  • Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of burp suite. Data processed by one plugin can be used in arbitrary ways to affect the behaviour and results of other plugins.
  • Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
  • Plugins can run in a single tabbed window, or be detached in individual windows.
  • All plugin and suite configuration is optionally persistent across program loads.
  • Runs in both Linux and Windows.

I’ll try and do some tutorials for Burp later on and perhaps I’ll focus a bit more on Burp Proxy alone, as it’s an extremely powerful tool.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires JRE version 1.4 or later. The JRE can be obtained for free from Sun.

You can download Burp Suite below; both archives contain the same files, which will run under both Windows and Linux.

burpsuite_v1.01.zip
burpsuite_v1.01.tar.gz

Introducing WHCC

Web Hack Control Center is a GUI based web server vulnerability scanner or assessment tool. This application gives you the means to identify which security vulnerabilities exist on your web servers by scanning them for the most popular server exploits. WHCC contains a database of thousands of exploits for a variety of web servers. This release has 600+ more exploits than the last.

This tool can also act as your primary web browser, so basically it’s a scanner and browser packaged up into one (even though it’s just a wrapper for the rendering DLLs from IE).

You might need some updates to run WHCC, the links are here:

MDAC_TYP.EXE 7,673 KB Microsoft Data Access Components (MDAC)
dcom95.exe 1,201KB (DCOM) for Windows 95
dcom98.exe 1,201 KB (DCOM) for Windows 98

You can find the latest version of WHCC and some info here.

It’s a pretty decent tool, a bit bloated though, due to all the Wincrap it uses. Still worth a look; it might give you a few ideas.

The direct download is here:

Web Hack Control Center 0.6.71

Technitium v4

Technitium MAC Address Changer v4 (TMACv4 C4) has been officially released.

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. This tool can set a new MAC address on your NIC, bypassing the original hard-coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional’s toolbox.
Technitium MAC Address Changer v4.0 is coded in Visual Basic 6.0.

Features

  • Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
  • Has a list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and find out which manufacturer it belongs to.
  • Allows you to select a random MAC address from the list of manufacturers by just clicking a button.
  • Restarts your NIC automatically to apply MAC address changes instantaneously.
  • Allows you to create Configuration Presets, which save all your NIC settings and make it very simple to switch between many settings in just a click, saving a lot of time.
  • Has a command line interface which allows you to perform all the tasks from the command prompt, or you can even create a DOS batch program to carry out regular tasks.
  • Allows you to export a detailed text report for all the network connections.
  • Displays all information you would ever need about your NIC in one view like Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.
  • Displays total bytes sent and received through the NIC.
  • Displays current data transfer speed per second.
  • Allows you to configure IP Address, Gateway and DNS Server for your NIC quickly and instantaneously.
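As an added example (not Technitium’s code, which is Visual Basic 6 and is not shown on this page), the Python below shows the two checks a MAC changer has to get right before applying a new address: the I/G (multicast) and U/L (locally administered) flag bits in the first octet, and an OUI lookup against a manufacturer table. The three-entry OUI table is a constructed stand-in for the full IEEE list, and the random generator keeps the chosen vendor prefix while guaranteeing the multicast bit is clear, since an address with that bit set is never valid as a station address.

```python
import random
import re
from typing import Dict, Optional

# Constructed, abbreviated OUI table for this example; the real IEEE list has
# thousands of entries and Technitium ships its own copy.
OUI_TABLE: Dict[str, str] = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
    "00:1C:42": "Parallels, Inc.",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def describe(mac: str) -> dict:
    """Decode the two flag bits of the first octet and look up the vendor prefix."""
    mac = normalize_mac(mac)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        # I/G bit (LSB of first octet): 1 = group/multicast, never valid as a station address
        "multicast": bool(first_octet & 0x01),
        # U/L bit: 1 = locally administered, i.e. not an IEEE-assigned vendor address
        "locally_administered": bool(first_octet & 0x02),
        "vendor": OUI_TABLE.get(mac[:8]),  # None when the prefix is not in the table
    }


def is_valid_station_mac(mac: str) -> bool:
    """What a MAC changer should verify before handing the address to the NIC driver."""
    mac = normalize_mac(mac)
    info = describe(mac)
    return (not info["multicast"]
            and mac != "00:00:00:00:00:00"
            and mac != "FF:FF:FF:FF:FF:FF")


def random_mac(oui: Optional[str] = None, seed: Optional[int] = None) -> str:
    """Random unicast MAC. With an OUI, keep that vendor prefix (the 'random address from a
    manufacturer' feature); without one, generate a locally administered address."""
    rng = random.Random(seed)
    if oui is None:
        first = (rng.randrange(256) | 0x02) & 0xFE   # set U/L, clear I/G
        octets = [first] + [rng.randrange(256) for _ in range(5)]
    else:
        prefix = normalize_mac(re.sub(r"[^0-9A-Fa-f]", "", oui) + "000000")[:8]
        octets = [int(x, 16) for x in prefix.split(":")] + [rng.randrange(256) for _ in range(3)]
    mac = ":".join(f"{o:02X}" for o in octets)
    if not is_valid_station_mac(mac):
        raise ValueError(f"generated address is not usable as a station MAC: {mac}")
    return mac


def random_vendor_mac(seed: Optional[int] = None) -> str:
    """Pick a manufacturer from the table at random, then a random address under its prefix."""
    rng = random.Random(seed)
    return random_mac(rng.choice(sorted(OUI_TABLE)), seed=seed)


if __name__ == "__main__":
    for m in ("00-50-56-ab-cd-ef", "01:00:5E:00:00:01", random_vendor_mac(seed=42)):
        print(describe(m), "usable" if is_valid_station_mac(m) else "NOT usable")
```

The multicast check matters in practice: a typo that sets the low bit of the first octet produces an address the driver or the switch will drop, which looks like a broken NIC rather than a bad MAC.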

Visit http://tmac.technitium.com for more information and download links.

SIP Proxy – VoIP Security Testing Tool

SIP Proxy is an open source VoIP security test tool developed by the students Philipp Haupt and Matthias Halimann during their diploma thesis and second student research project at the University of Applied Sciences Rapperswil.

With SIP Proxy you will have the opportunity to eavesdrop and manipulate SIP traffic. Furthermore, predefined security test cases can be executed to find weak spots in VoIP devices. Security analysts can add and execute custom test cases.

In the so called “Proxy Mode”, the application acts as a proxy between a VoIP PBX (e.g. Asterisk) and a UA (VoIP hard- or softphone). SIP traffic can be sniffed and dynamically manipulated with the help of regular expressions. Logged SIP messages can be modified and resent. In the “Test Case Mode” predefined security tests which are specified as XML files can be run against a specific target.

Fuzzing, a form of black-box testing, can be applied to find weak spots in VoIP devices. There are many more specific modules which can be used within such a test case, for example wordlist or brute-force attacks. While running a test case, feedback is given by displaying a graphical report which can be exported to a printable PDF document afterwards.
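To show what the two modes above actually do to a message, here is an added Python example (not SIP Proxy’s own code, which is not shown on this page). It applies regular-expression rewrite rules to a SIP INVITE the way the proxy mode does, then builds a test-case style mutation of one header. The one detail both paths have to get right is that any change to the SDP body invalidates Content-Length, so the serialiser recomputes it from the real body length; a proxy that forgets this hands the PBX a message it will truncate or reject. The INVITE, addresses and rules are constructed for the demo.

```python
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample INVITE (not captured from any real device). Content-Length is
# filled in by rebuild() so it is always consistent with the body.
_SAMPLE_HEADERS: List[Header] = [
    ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
    ("From", '"Alice" <sip:alice@pbx.example.test>;tag=1928301774'),
    ("To", "<sip:bob@pbx.example.test>"),
    ("Call-ID", "a84b4c76e66710@192.0.2.10"),
    ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:alice@192.0.2.10:5060>"),
    ("Content-Type", "application/sdp"),
]
_SAMPLE_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def split_message(raw: str) -> Tuple[str, List[Header], str]:
    """Start line, (name, value) header list and body; RFC 3261 separates head and body with CRLF CRLF."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rebuild(start_line: str, headers: List[Header], body: str) -> str:
    """Serialise the message, replacing Content-Length with the true byte length of the body."""
    kept = [h for h in headers if h[0].lower() != "content-length"]
    kept.append(("Content-Length", str(len(body.encode("utf-8")))))
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body


def header(headers: List[Header], name: str) -> Optional[str]:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def sample_invite() -> str:
    return rebuild("INVITE sip:bob@pbx.example.test SIP/2.0", _SAMPLE_HEADERS, _SAMPLE_BODY)


def apply_rules(raw: str, rules: List[Tuple[str, str]]) -> str:
    """Proxy-mode style rewrite: every (pattern, replacement) pair is applied with re.sub to
    each header line and to the body, then Content-Length is recomputed."""
    start, headers, body = split_message(raw)
    new_headers: List[Header] = []
    for name, value in headers:
        line = f"{name}: {value}"
        for pat, rep in rules:
            line = re.sub(pat, rep, line)
        n, _, v = line.partition(":")
        new_headers.append((n.strip(), v.strip()))
    for pat, rep in rules:
        body = re.sub(pat, rep, body, flags=re.M)
    return rebuild(start, new_headers, body)


def fuzz_header(raw: str, name: str, length: int, fill: str = "A") -> str:
    """Test-case-mode style case: an overlong value in one header (a classic parser
    overflow probe) while the rest of the message stays valid so the target parses it."""
    start, headers, body = split_message(raw)
    mutated = [(n, fill * length if n.lower() == name.lower() else v) for n, v in headers]
    return rebuild(start, mutated, body)


if __name__ == "__main__":
    rules = [(r"^(From: .*?<sip:)alice(@)", r"\1mallory\2"),
             (r"c=IN IP4 \S+", "c=IN IP4 198.51.100.7")]
    print(apply_rules(sample_invite(), rules))
    print(fuzz_header(sample_invite(), "To", 4096)[:200], "...")
```

The second rule redirects the media stream (the SDP c= line) to another host while leaving signalling intact, which is the manipulation that turns a SIP proxy into an eavesdropping position; the first rewrites the caller identity. Both are only useful if Content-Length is fixed up afterwards, which is why the rules run through rebuild() rather than a plain string substitution on the whole packet.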

With the help of SIP Proxy, several software bugs and configuration faults in specific VoIP devices have already been discovered.

You can find out more and download SIP Proxy at the SourceForge page here:

http://sourceforge.net/projects/sipproxy

Wep0ff – Wireless WEP Key Cracker Tool

Wep0ff is a new tool to crack a WEP key without access to the AP, by mounting a fake access point attack against WEP-based wireless clients.

It uses a combination of fragmentation and evil twin attacks to generate traffic which can be used for KoreK-style WEP key recovery.

This code was tested with patched madwifi-old drivers with athraw support, but it also works with madwifi-ng. With madwifi-ng you need to create two virtual interfaces: one in master mode (for the fake AP) and a second in monitor mode (to listen on).

How to Use:
1. Setup fake AP with KARMA tools or iwconfig

iwpriv ath0 mode 2                                                   # 802.11g-only mode on the Atheros card
iwconfig ath0 mode master essid foo enc 1122334455 channel 7        # fake AP: ESSID foo, 40-bit WEP key, channel 7
echo 1 > /proc/sys/dev/ath0/rawdev                                   # expose the raw 802.11 device (athraw)
echo 1 > /proc/sys/dev/ath0/rawdev_type
ifconfig ath0 up
ifconfig ath0raw up

2. Start this program (./wep0ff ath0raw 00:01:02:03:04:05)
3. Wait until a client connects to the fake access point
4. Launch airodump-ng to collect packets
5. Launch aircrack-ng to recover the WEP key

You can download it here:

Wep0ff

SPIKE Proxy

SPIKE Proxy is part of the SPIKE Application Testing Suite. It functions as an HTTP and HTTPS proxy, and allows the web developer or web application auditor low-level access to the entire web application interface, while also providing a bevy of automated tools and techniques for discovering common problems. These automated tools include:

  • Automated SQL Injection Detection
  • Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
  • Login form brute forcing
  • Automated overflow detection
  • Automated directory traversal detection

Not all web applications are built in the same way, and hence many must be analyzed individually. SPIKE Proxy is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL injection and cross-site scripting, but its completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.

Note that SPIKE Proxy requires a working install of Python and pyOpenSSL on Linux; these are included in the Windows distribution.

You can download SPIKE here:

Download for Linux | Download for Windows

Limited information can be found here:

Immunity Free Software

Nmapview – Graphical Interface (GUI) for Nmap on Windows

Finally a replacement for the way outdated and rather crappy NmapFE!

Unfortunately sometimes we do have to actually use Windows, and Nmap cleverly overcame the raw socket restrictions Microsoft introduced in Windows XP SP2 by sending raw Ethernet frames through WinPcap instead, so it’s cool.

Now we just need a decent GUI so it fits into the whole scheme of things, and here we have it, NmapView! NmapFE was ancient, outdated and no longer had all the options.

Also bear in mind NmapView requires the Microsoft .NET Framework 2.0 to work, and obviously you need a working Nmap, which means having WinPcap installed.

Features of NmapView:

  • Automatic composition of the command string based on the selected checkboxes, text boxes, etc.
  • Automatic selection of the checkboxes and text boxes based on a command string you paste in.
  • The command composer covers all the options of Nmap version 4.20.
  • Supports NSE (Nmap Scripting Engine) by Diman Todorov.
  • Every option or parameter has a detailed description supplied through tooltip help.
  • Text parameters keep a history across sessions (the history is stored per Windows user login).
  • The options and parameters are grouped into logical sections (Target Specification, Host Discovery, Scan Techniques, etc.) following Fyodor’s documentation.

You can Download NmapView v0.4 here.

You can find full info on NmapView here.

AttackAPI 2.0 Alpha

AttackAPI provides a simple and intuitive web-programmable interface for composing attack vectors with JavaScript and other client (and server) related technologies. The current release supports several browser-based attacking techniques, a simple but powerful JavaScript console, and a powerful attack channel and associated API for controlling zombies.

The AttackAPI 2.0 branch is a lot better than 1.x. It is now a lot easier to code JavaScript attack vectors. There are also quite a few improvements that will become obvious once you start using it.

The demonstrations do not outline all AttackAPI features so spend some time over the source code. The documentation is on its way. Any code and doc contributions will be greatly appreciated.

Full information on AttackAPI 2.0 Alpha can be found here:

http://www.gnucitizen.org/projects/attackapi/

You can also check the SVN for more information:

http://www.gnucitizen.org/svn/attackapi

MTR

MTR was written by Matt Kimball, with contributions by many people. Take a look at the “AUTHORS” file in the distribution. Roger Wolff took over maintenance of MTR in October 1998.

MTR combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.


As MTR starts, it investigates the network connection between the host MTR runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

You can get MTR from the BitWizard FTP site at ftp://ftp.bitwizard.nl/mtr/.

You can find more info and binary packages at the MTR Site.

LMCrack – Windows LanMan Hash Cracking Tool

As a security consultant, job functions include Penetration Testing and Vulnerability Assessments. The aim of these types of engagements is to demonstrate risk to the customer. One of the steps involved in demonstrating risk is password auditing (“cracking”) in order to assess the strength and quality of passwords in use in the environment.

On a Windows network this invariably means dumping and cracking the Windows SAM file. The SAM file holds username, user ID (SID) and hashed passwords for all users. There are already many tools in existence to crack the SAM file such as L0phtCrack and Cain & Abel amongst others.

These tools, as brilliant as they are, require a set amount of time to effectively audit a SAM file, often 8 hours or more for programs such as L0pht. While this is extremely fast given the amount of processing involved, for someone in my position limited by the commerciality of time constraints, this can often be too slow. It is for this reason that I decided to write LMCrack.

The design goal of LMCrack was to walk a large key space based on a dictionary style attack rather than on a comprehensive brute force attack and to complete the task in under 5 minutes. The result is a program that utilises a database of pre-computed hashes, which can search an effective key space of 3 trillion passwords in less than 60 seconds with an average success rate of 50+%.

As stated previously, the design goal of LMCrack was to identify weak passwords in the shortest time possible, where weak passwords are defined as any dictionary word or lame permutation of a dictionary word (e.g. password5).

LMCrack works by searching for a password hash against a database of pre-computed hashes. The pre-computed hashes are derived from multiple dictionaries of real words rather than random character sequences. The pre-computed hashes are indexed to speed up the hash searching against the database.

The current version of LMCrack parses a SAM file extracted using PWDump (although future versions may crack LanMan hashes sniffed off the wire). Each 32-character hex hash (16 bytes) is split into two 16-character (8-byte) halves and each half is searched for against the database of pre-computed hashes independently of the other half. As the hash is composed of two halves, cracking the password will often result in a partial password being found where one half exists in the database and the other does not.

LMCrack is not intended to replace any existing password cracking tools and the output files are compatible as input for other cracking tools. LMCrack outputs 5 files at the completion of a cracking run:

  • cracked.txt – a file containing the successfully cracked usernames and passwords, delimited by a colon,
  • cracked.dic – a file containing all of the dictionary words found,
  • partial.dic – a file containing the partial password fragments,
  • newpwdump.txt – a rewritten PWDump file with the successfully cracked accounts removed,
  • stats.txt – the cumulative statistics for all cracking runs.
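To make the two-halves behaviour concrete, here is an added Python example (not LMCrack’s code, which is not shown on this page). It pre-computes a half-hash table from a small word list plus the “word + digit” permutations mentioned above, then looks up each 16-hex-character half of a pwdump LM hash independently and reports full, partial and failed results. Real LM hashing is DES of the constant KGS!@#$% under each 7-byte half of the upper-cased, NUL-padded password; Python’s standard library has no DES, so the block uses pycryptodome’s DES when it is installed and otherwise a clearly labelled SHA-256 stand-in that keeps the split-halves structure but does not produce real LM values. The account names, passwords and word list are constructed for the demo.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

LM_MAGIC = b"KGS!@#$%"   # constant plaintext that each 7-byte key half encrypts

try:
    from Crypto.Cipher import DES   # pycryptodome; optional
    HAVE_DES = True
except ImportError:
    HAVE_DES = False


def _des_key(seven: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes (parity bit of each byte left 0; DES ignores it)."""
    k = int.from_bytes(seven, "big")
    return bytes(((k >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def half_hash(seven: bytes) -> str:
    """Hash of one 7-byte half as 16 upper-case hex characters."""
    if len(seven) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    if HAVE_DES:
        digest = DES.new(_des_key(seven), DES.MODE_ECB).encrypt(LM_MAGIC)
    else:
        # STAND-IN (assumption for this demo): not DES, so values differ from real LM,
        # but each half still depends only on its own 7 bytes, which is what the attack uses.
        digest = hashlib.sha256(b"lm-standin:" + seven).digest()[:8]
    return digest.hex().upper()


def lm_preprocess(password: str) -> bytes:
    """LM input: upper-cased, single-byte encoded, NUL-padded to 14 bytes."""
    if len(password) > 14:
        raise ValueError("Windows stores no LM hash for passwords longer than 14 characters")
    return password.upper().encode("ascii").ljust(14, b"\0")


def lm_hash(password: str) -> str:
    p = lm_preprocess(password)
    return half_hash(p[:7]) + half_hash(p[7:])


def build_table(words: Iterable[str], digit_suffixes: bool = True) -> Dict[str, str]:
    """Pre-computed table: half-hash -> plaintext half. Every word (and 'word+digit'
    permutation) contributes both of its halves, so short second halves like 'D5'
    are covered without enumerating them directly."""
    table: Dict[str, str] = {}
    for word in words:
        variants = [word] + ([word + str(d) for d in range(10)] if digit_suffixes else [])
        for cand in variants:
            if len(cand) > 14:
                continue
            p = lm_preprocess(cand)
            for half in (p[:7], p[7:]):
                table.setdefault(half_hash(half), half.rstrip(b"\0").decode("ascii"))
    return table


def crack_pwdump(lines: Iterable[str], table: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """pwdump lines are user:rid:LMhash:NThash:::  Each 16-hex-char half of the LM hash
    is looked up on its own; None marks a half that is not in the table."""
    results: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _rid, lm_hex, *_ = line.split(":")
        lm_hex = lm_hex.upper()
        results[user] = (table.get(lm_hex[:16]), table.get(lm_hex[16:32]))
    return results


def render(halves: Tuple[Optional[str], Optional[str]]) -> Optional[str]:
    """Full password, a partial with '?' for the unknown half (partial.dic style), or None."""
    first, second = halves
    if first is None and second is None:
        return None
    return (first if first is not None else "?" * 7) + (second if second is not None else "?" * 7)


def sample_pwdump() -> List[str]:
    """Constructed pwdump output; LM hashes computed here, the NT column is a placeholder."""
    accounts = {"alice": "password5", "bob": "letmein", "carol": "correcthorse", "dave": "passwordZ9"}
    return [f"{user}:{1000 + i}:{lm_hash(pw)}:NTHASH_PLACEHOLDER:::"
            for i, (user, pw) in enumerate(accounts.items())]


if __name__ == "__main__":
    table = build_table(["password", "letmein", "secret"])
    for user, halves in crack_pwdump(sample_pwdump(), table).items():
        print(f"{user}: {render(halves)}")
```

In the sample run alice (password5) cracks in full, bob’s second half is the padding-only half so the password is known to be seven characters or fewer, dave yields the partial PASSWOR with the DZ9 half missing (the partial.dic case), and carol is not found at all. On real LM hashes that padding-only half is always AAD3B435B51404EE, which is the first thing worth grepping for in a pwdump file.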

You can download LMCrack here:

LMCrack v0.2.1 (35MB)

More info about LMCrack here.

Cain & Abel

Cain & Abel is easily one of our favourite password crackers here at Darknet, especially because it’s oldskool but still under development, unlike most other projects which have been abandoned as time passed.

Cain & Abel has some awesome stuff built in like native network sniffing and network password grabbing.

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.


Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

You can download Cain & Abel v4.9.4 for Windows NT/2000/XP here:

Cain & Abel 4.9.4 or Cain & Abel 4.9.4 (mirror 1)

You can find the online user manual here:

Cain & Abel online user manual.

eEye Launches 0-Day Exploit Tracker

A 0-day, as basically stated in the article, is an exploit that is not known or available publicly, well before any patches are available; some private groups often have exploits for a year or more before someone else discovers them, makes them public and they inevitably get fixed.

Like the famous remote exploit in Windows RPC, which private groups had for almost 2 years before it became public.

Security firm eEye has created what’s described as the industry’s first site designed solely to track zero-day vulnerabilities, flaws where exploits are available prior to the release of security patches.

eEye’s zero-day tracking site provides detailed information on flaws and remediation strategies to users. The site will be maintained by security researchers at eEye Research, who have a track record of unearthing new security bugs, and is essentially an eEye gig rather than a cross-industry effort.

It’s a good idea even if it’s not an industry effort but solely an eEye effort; I’m glad someone has done it, and eEye has a strong, capable team, so it should be fairly relevant if it’s kept up to date.

However, eEye invites other interested parties to contribute suggestions on flaws that merit inclusion on its list. eEye said it created the site, which includes information on how long flaws have remained unfixed, in response to the growing number of zero-day exploits.

In other security tracking news, security notification firm Secunia has released a tool designed to detect insecure versions of popular software packages (such as browsers, IM clients, and media players) on consumers’ PCs.

Secunia’s Software Inspector provides users with advice on what to do if they are running insecure software packages.

Both eEye zero-day tracking site and Secunia’s Software Inspector are available free of charge.

You can find the site here:

eEye Zero Day Tracker

Source: The Register