Metasploit Exploit Framework Version 3.0

Finally it’s out of BETA, Metasploit Framework Version 3.0 has been released and it’s a lot more Windows friendly.

The Metasploit Framework (“Metasploit”) is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing, and denial of service testing.

Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the tiny Nokia n800 handheld. Users can access Metasploit using the tab-completing console interface, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.

Metasploit 3 is a from-scratch rewrite of Metasploit 2 using the Ruby scripting language. The development process took nearly two years to complete and resulted in over 100,000 lines of Ruby code.

Metasploit is now released under the Metasploit Framework License. This license allows anyone to use the framework for almost anything, but prevents commercial abuse and outright code theft. The Metasploit Framework License helps keep the platform stable and still allows module developers to choose their own licensing terms for their code (commercial or open source). For more information, please see the license document included in the distribution.

You can find more and download the latest Metasploit here:

http://framework.metasploit.com/

Labels: ,

JBroFuzz 0.5

OWASP JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. Written in Java, it allows for the identification of certain classess of security vulnerabilities, by means of creating malformed data and having the network protocol in question consume the data.

The purpose of this application is to provide a single, portable application that offers stable network protocol fuzzing capabilities. A number of frameworks as well as APIs exist for fuzzing; these require a certain skill level to understand and use, which often acts as a barrier when constrained by time.

The goal of the JBroFuzz project is straight forward: Create a simple, easy to use, stable network fuzzer for stateless protocols. JBroFuzz aims to offer a wide range of fuzzing capabilities as seen in the features below.

Fuzzing with JBroFuzz can take place on any part of a socket request by means of specifying one or more generators. These generators can are classified into two broad categories, those being recursive and replasive.

The current version (0.5) supports the ability to perform web enumeration over HTTP and HTTPS. By default, the following are included within the application:

  • A list of ~58000 popular directories
  • Basic cross site scripting (XSS) checks
  • Basic SQL injection (SQL) checks
  • Buffer overflows (BFO) checks
  • Format string errors (FSE) checks
  • Integer overflows (INT) checks

You can download the latest version of JBroFuzz from SourceForge JBroFuzz Download Page.

There is a Java version and a Windows Executable version available.

The flash tutorial available for download typically serves a very good starting point for any new user familiar or not so with fuzzing.

You can find out more here:

JBroFuzz Site

Labels: ,

ObiWaN

This Phenoelit tool called ObiWaN is written to carry out brute force security testing on Webservers.

The idea behind this is webservers with simple challenge-response authentication mechanism mostly have no switches to set up intruder lockout or delay timings for wrong passwords. In fact this is the point to start from. Every user with a HTTP connection to a host with basic authentication can try username-password combinations as long as he/she likes.

Like other programs for UNIX system passwords (crack) or NT passwords (l0phtcrack) ObiWaN uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords. Since Webservers allow unlimited requests it is a question of time and bandwith to break in a server system.

The most interesting targets are web based administration frontends like Netscapes Server Administration. If you can break in, you are able to create accounts, stop the server and modify its content. Real fun.

You can read the full documentation here.

Various versions (including Windows, Linux and Solaris) of ObiWaN are available for download here:

ObiWan – Project 2068/11.1

Labels: , ,

Technika – Automate Common Exploit Tasks

Technika was developed for the computer security professionals to automate common exploitative task from the browser. It acts like a standard OS shell scripting environment. You can script everything from the currently viewed page just like Greasemonkey (spawn processes, unrestricted XMLHttpRequest connections and sockets). You can autorun bookmarklets and perform safe operations on the currently viewed resource.

You can install the Technika Firefox Extension here:

INSTALL Technika

Or you can explore the code here:

Technika on Google Code

Technika was successfuly used to implement several Web and System related exploits that run directly from the browser. Unfortunatley their source code cannot be shown here for obvious reasons.

If you want to persist some data, use Firefox, IE or Opera persistent objects. Your bookmarklets will remain portable across all browsers as long as you support them in your code. Technika is extremely light so go ahead and install it. If you want to use Technika command console, please install Firebug.

The extension is still in Alpha although it is mostly usable and quite stable.

You can read more on the home page here:

Technika

Labels: , ,

Stompy – The Web Application Session Analyzer Tool

A new tool dealing with web sessions was recently announced, it’s called stompy, a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms. Session IDs are commonly used to track authenticated users, and as such, whenever they’re predictable or simply vulnerable to brute-force attacks, we do have a problem.

The tool has already revealed several problems in proprietary software platforms such as BEA WebLogic and Sun Java System Web Server (both have problems with their JSESSIONIDs).

Why bother?

Some session ID cookie generation mechanisms are well-studied and well-documented, and believed to be cryptographically secure (example: Apache Tomcat, PHP, ASP.NET builtins). This is not necessarily so for certain less researched enterprise web platforms – and almost never so for custom solutions that are frequently implemented inside the web application itself.

Yet, while there are several nice GUI-based tools designed to analyze HTTP cookies for common problems (Daves’ WebScarab, SPI Cookie Cruncher, Foundstone CookieDigger, etc), they all seem to rely on very trivial, if any, tests when it comes to unpredictability (“alphabet distribution” or “average bits changed” are top shelf); this functionality is often not better than a quick pen-and-paper analysis, and can’t be routinely used to tell a highly vulnerable linear congruent PRNG (rand()) from a well-implemented MD5 hash system (/dev/urandom).

What’s cool?

In order to have a fully automated, hands-off tool to reliably detect anomalies that are not readily apparent at a first glance stompy:

  • Automatically finds session IDs encoded as URLs, cookies, and in form inputs, then collects a statistically significant sample of data
  • Determines alphabet structure to transparently handle base64, uuencode, base32, hex, and any other sane encoding scheme without user intervention
  • Translates the data to isolated time-domain bitstreams to examine how SID bits at each position change in time,
  • Runs a suite of FIPS-140-2 PRNG evaluation tests on the sample
  • Runs an array of n-dimensional phase space tests to find deterministic correlations, PRNG hyperplanes, etc, etc.

Of course, the tool cannot prove the correctness of an implementation, and it is possible to devise predictable, cryptographically unsafe PRNGs that would pass these tests; still, the tool can find plenty of problems and oddities.

Stompy was updated due to feedback and:

  • It now supports SSL connections, custom-crafted requests including POSTs, and input from external sources (for evaluation of non-WWW tokens of any type)
  • It now uses GNU MP library to losslessly handle alphabets that do not directly map to binary (this is big)
  • Can run spatial correlation checks as well as temporal analysis of bitstreams in acquired samples
  • The output is much more readable, some minor bugs were fixed.

The latest version of Stompy can be downloaded here:

http://lcamtuf.coredump.cx/stompy.tgz

Labels: ,

A Collection of Web Backdoors & Shells – cmdasp cmdjsp jsp-reverse php-backdoor

Michael Daw has collected some WEB backdoors to exploit vulnerable file upload facilities and others. It’s a pretty useful library for a variety of situations, especially for those doing web application security audits and web app security.

Understanding how these backdoors work can also help security administrators implement firewalling and security policies to mitigate obvious attacks.

All these backdoors are publicly available. They have simply been packaged them together into wbc-v1.tar.gz.

The package includes:

Filename              Fizesize    MD5
cmd-asp-5.1.asp       1200        8baa99666bf3734cbdfdd10088e0cd9f
cmdasp.asp            1526        57b51418a799d2d016be546f399c2e9b
cmdjsp.jsp            725         b815611cc39f17f05a73444d699341d4
jsp-reverse.jsp       2451        8b0e6779f25a17f0ffb3df14122ba594
php-backdoor.php      2800        2b5cb105c4ea9b5ebc64705b4bd86bf7
simple-backdoor.php   328         f091d1b9274c881f8e41b2f96e6b9936

Note: readme.txt is also included in this package but not listed here.

You can download the package here:

wbc-v1.tar.gz

You can find the original page here:

Web Backdoor Compilation

Labels: ,
Subscribe to: Posts (Atom)