SQLiX Project – SQL Injection Scanner

SQLiX, coded in Perl, is a SQL injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different from those used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn’t need to reverse engineer the original SQL request (using only function calls).

SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.

Current injection methods used by commercial web assessment software are based on error generation or statement injections.

Error Generation

The error generation method is quite simple and is based on meta characters like single quotes or double quotes. By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply. The main issue with this technique is the fact that it’s only based on pattern matching. There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.

Statement Injection

The second method used is statement injection. Let’s look at an example:

The target URL (request (0)):

http://target.example.com/news.php?id=25

The scanner will try to compare the HTML content of the original request with the HTML content of

(1) http://target.example.com/news.php?id=25%20or%201=1

(2) http://target.example.com/news.php?id=25%20or%201=0

If request (1) provides the same result as request (0) and request (2) doesn’t, the scanner will conclude that SQL injection is possible. This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, stored procedures or function calls, this method will rarely work. Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.
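The two detection methods above, as an added Python/SQLite example that is not part of SQLiX or the original page: a hypothetical news lookup written with string concatenation sits beside a parameterized one, and both are probed with the single-quote error test and the `or 1=1` / `or 1=0` comparison. The table, rows and handler names are constructed. Which of the two variants matches the original reply depends on how the script renders its result set (a handler that returns every row makes the tautology the request that differs), so the example uses the difference between the tautology and contradiction replies as the signal that the injected text was evaluated as SQL; a handler that merely rejects bad input answers both the same way.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
NEWS_ROWS = [
    (25, "Quarterly results"),
    (26, "New office opens"),
    (27, "Maintenance window"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", NEWS_ROWS)
    return con


def lookup_vulnerable(con, raw_id):
    """Hypothetical news.php-style handler that concatenates the parameter
    into the SQL text. Deliberately vulnerable so both detection methods
    from the text can be shown against it."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, raw_id):
    """Hardened handler: input is validated as an integer and bound as a
    parameter, so the database never parses attacker-controlled SQL."""
    try:
        wanted = int(raw_id)
    except ValueError:
        return []
    rows = con.execute("SELECT title FROM news WHERE id = ?", (wanted,))
    return [row[0] for row in rows]


def probe(handler, raw_id):
    """Run one request. Returns ('error', message) when the database
    raises (what an error-generation scanner looks for in the HTTP reply)
    or ('ok', rows) otherwise."""
    con = make_db()
    try:
        return ("ok", handler(con, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def error_generation(handler):
    """Error-generation method: inject a lone single quote and see whether
    the back end produces a syntax error."""
    return probe(handler, "25'")[0] == "error"


def statement_injection(handler):
    """Statement-injection method from the text: compare the original
    request (0) with the 'or 1=1' (1) and 'or 1=0' (2) variants.
    Returns (r0, r1, r2, differential); differential is True when the
    tautology and contradiction produced different replies, i.e. the
    appended clause was evaluated by the database."""
    r0 = probe(handler, "25")
    r1 = probe(handler, "25 or 1=1")
    r2 = probe(handler, "25 or 1=0")
    return r0, r1, r2, r1 != r2


if __name__ == "__main__":
    for name, handler in (("vulnerable", lookup_vulnerable),
                          ("parameterized", lookup_parameterized)):
        print(name, "error generation:", error_generation(handler))
        print(name, "statement injection:", statement_injection(handler))
```

Against the concatenating handler the quote raises a SQLite syntax error and the tautology returns every row while the contradiction returns only id 25; against the parameterized handler the quote is rejected before reaching the database and both boolean variants are answered identically, which is the absence of the differential the scanner is looking for.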

Another global issue concerning SQL injection is that pen testers frequently conclude that a given SQL injection vulnerability can’t be exploited. By reaching this incorrect conclusion they are inviting their customers not to patch the vulnerability.

You can download here:

OWASP SQLiX v1.0

Documentation and examples are here:

OWASP SQLiX Project

Technitium v4.5

Technitium MAC Address Changer v4.5 has been released.

Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by its manufacturer. This hard coded MAC address is used by Windows drivers to access Ethernet networks (LAN). This tool can set a new MAC address on your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must-have tool in every security professional’s toolbox.

Technitium MAC Address Changer v4.5 is coded in Visual Basic 6.0.

Features

  • Changes the MAC address of a Network Interface Card (NIC), including Wireless LAN cards, irrespective of its manufacturer or its drivers.
  • Has a list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and find out which manufacturer it belongs to.
  • Allows you to select a random MAC address from the list of manufacturers by just clicking a button.
  • Restarts your NIC automatically to apply MAC address changes instantaneously.
  • Allows you to create and edit Configuration Presets, which save all your NIC settings and make it very simple to switch between many settings in just a click, saving a lot of time.
  • Has a command-line interface which allows you to perform all the tasks from the command prompt, or you can even create a DOS batch program to carry out regular tasks.
  • Allows you to export a detailed text report for all the network connections.
  • Displays all the information you would ever need about your NIC in one view, such as Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.
  • Displays total bytes sent and received through the NIC.
  • Displays current data transfer speed per second.
  • Allows you to configure IP Address, Gateway and DNS Server for your NIC quickly and instantaneously.
  • Allows you to enable/disable DHCP instantaneously.
  • Allows you to Release/Renew the DHCP IP address instantaneously.
  • Displays DHCP lease obtained and lease expiry times.
  • Allows you to configure the Interface Metric instantaneously.
  • Quick keyboard shortcuts for most operations.
  • Supports all Microsoft(R) Windows(TM) NT based versions in all languages.
  • All bugs reported in the previous 4.0 version fixed. (Thanks for all your feedback)

Visit http://tmac.technitium.com for more information and download links.

Foundstone Blast – TCP Network Service Stress Test Tool

Foundstone Blast v2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.

Features:

/trial switch adds the ability to see how the buffer looks before sending it
/v switch adds verbose output – off by default
/nr switch turns off the initial receive after the initial connect – HTTP services don’t send an initial response, mail services do
The /nr switch fixes the effect of HTTP timeouts when sending GET strings
/dr adds double LF/CRs to buffers (useful for GET requests) – off by default

Usage:

blast xxx.xxx.xxx.xxx port startsize endsize /t rcvtimeout /d senddelay /b beginmsg /e endmsg /noret

Examples:

blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user
blast 134.134.134.4 110 600 680 /t 7000 /d 300 /b user /e endchars
blast 134.134.134.4 110 600 680 /noret

/t == timeout delay in milliseconds to wait for a server response
/d == delay before each send
/noret means to send raw data without the trailing newline characters that a POP server expects at the end
/b is a way to add custom text to the beginning of the buffer
/e is an alternate way to end each buffer
/v switches on verbose output – off by default
/nr turns off the initial receive after the initial connect (useful for HTTP GET)
/dr adds double LF/CRs to buffers (useful for HTTP GET)

You can read more and find Foundstone Blast for download here:

Foundstone Blast v2.0

Nemesis – Packet Injection Suite

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject packets for:

  • ARP
  • DNS
  • ETHERNET
  • ICMP
  • IGMP
  • IP
  • OSPF
  • RIP
  • TCP
  • UDP

Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Unix-like systems require: libnet-1.0.2a, and a C compiler (GCC)
Windows systems require: libnetNT-1.0.2g and either WinPcap-2.3 or WinPcap-3.0

Download it here:

Source code: nemesis-1.4.tar.gz (Build 26)
Windows binary: nemesis-1.4.zip (Build 26) (includes LibnetNT)

You can read more here:

Nemesis at SourceForge

ISIC – IP Stack Integrity & Stability Checker

ISIC is a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets can be given tendencies to conform to, e.g. 50% of the packets generated can have IP options, 25% of the packets can be IP fragments… The percentages are arbitrary and most of the packet fields have a configurable tendency.

The packets are then sent against the target machine to either penetrate its firewall rules or find bugs in the IP stack.

ISIC also contains a utility to generate raw Ethernet frames to examine hardware implementations.

Other novel uses people have found for ISIC include IDS testing, stack fingerprinting, breaking sniffers and barraging the IRC kiddie.

Warning:

ISIC may break shit, melt your network, knock out your firewall, or singe the fur off your cat

You can read more and download ISIC from Packet Factory here:

http://www.packetfactory.net/Projects/ISIC/ (Direct download)

Ubuntu Ultimate Edition

Basically Ubuntu Ultimate Edition is Ubuntu Edgy Eft with a whole lot of software pre-added.

Sadly the author had to remove Java, Flash and Acrobat Reader due to licensing agreements. But don’t worry, as there is a custom repository in the release which includes all of these and much more.


  • SMP Support (dual core CPUS) / works with single core as well
  • 121 Additional Updates
  • New Grub boot screen
  • New theme and animated bootscreen
  • New GDM theme
  • New splash screen & wallpaper
  • Updated Beryl
  • Capture card support – TVTime / ATI-All-in-wonder
  • Gaim Beta 6 – prebuilt with plugins.
  • GKRealm – Realtime hardware monitor
  • MGM – Moaning Goat Meter
  • Newer Amarok than can be obtained from the Edgy repos
  • Hardinfo – System information
  • GTKPod – Ipod Sync software
  • HTop – Process viewer
  • Sysinfo – System information
  • IPodder – Ipod sync software
  • XSensors – Hardware sensor software
  • Additional networking and wireless tools
  • Gpixpod – Photo sync software for Ipod
  • IPodslave – an iPod IO slave
  • Xpenguins – Thanks Maddog

The current version is 1.2, which has a whole bunch of new software and fixes issues with dual core processors.

Please use the torrent if you can, or a mirror first. Unfortunately Ubuntu Ultimate 1.2 cannot be downloaded locally due to bandwidth consumption; if you have some space to host a mirror, please let the authors know.

You can find out more at:

Ubuntu Ultimate Edition

Ubuntu Ultimate 1.2 TORRENT

Ubuntu Ultimate 1.2 Mirror

VoIP Security Testing Tools List from VoIPSA

The VoIP Security Alliance (VOIPSA) is pleased to announce the public release of its VoIP security tool list. Check it out at:

http://www.voipsa.org/Resources/tools.php

This VoIP Security Tool List provides categories, descriptions and links to current free and commercial VoIP security tools.

This list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. It is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

The key objectives of the list are as follows:

  1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA’s Best Practices Project.
  2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
  3. Provide vendors the information needed to proactively test their VoIP devices’ ability to function and withstand real-world attacks.

VoIPSA Resources.

Scapy – Interactive Network Packet Manipulation

What is Scapy?

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on a WEP encrypted channel, …), etc.

What makes Scapy different from most other networking tools

First, with most other tools, you won’t build something the author did not imagine. These tools have been built for a specific goal and can’t deviate much from it. For example, an ARP cache poisoning program won’t let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say “this port is open” instead of “I received a SYN-ACK”. Sometimes they are right. Sometimes not. It’s easier for beginners, but when you know what you’re doing, you keep on trying to deduce what really happened from the program’s interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.

Third, even programs which only decode do not give you all the information they received. The network’s vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding?
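The padding point above, as an added Python example that is not Scapy’s code or part of the original page: a minimal decoder for a constructed Ethernet/IPv4/ICMP frame that accounts for every byte it receives, so the trailer bytes beyond the IP total length are reported as padding instead of being silently dropped, and the IPv4 header checksum is verified rather than assumed. The frame, MAC/IP addresses and padding pattern are all constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_MIN_FRAME = 60  # minimum Ethernet frame length without the FCS


def ones_complement_checksum(data):
    """RFC 1071 checksum used by IPv4 and ICMP headers. Over a header that
    already carries a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame():
    """Constructed Ethernet/IPv4/ICMP echo request (not a real capture).
    The datagram is 32 bytes, below the 46-byte minimum Ethernet payload,
    so the frame is padded; a recognisable pattern is used instead of the
    usual zeros so the decoder has something visible to report."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0x4000,
                     64, 1, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + icmp
    pad_len = max(0, ETH_MIN_FRAME - len(frame))
    return frame + (b"\xde\xad" * ETH_MIN_FRAME)[:pad_len]


def decode_frame(frame):
    """Decode, don't interpret: report the header fields as seen on the wire
    and hand back whatever follows the IP datagram as 'padding'."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {
        "eth_dst": frame[:6].hex(":"),
        "eth_src": frame[6:12].hex(":"),
        "ethertype": ethertype,
    }
    if ethertype != ETHERTYPE_IPV4:
        # No IP total length to bound the payload with, so nothing can be
        # classified as padding; expose the raw payload instead.
        result["payload"] = frame[14:]
        return result
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_length = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < total_length or total_length < ihl:
        raise ValueError("IP total length inconsistent with frame")
    result.update({
        "ip_src": ".".join(map(str, ip[12:16])),
        "ip_dst": ".".join(map(str, ip[16:20])),
        "ip_proto": ip[9],
        "ip_total_length": total_length,
        "ip_checksum_ok": ones_complement_checksum(ip[:ihl]) == 0,
        "l4_payload": ip[ihl:total_length],
        "padding": ip[total_length:],
    })
    return result


if __name__ == "__main__":
    decoded = decode_frame(build_sample_frame())
    for key, value in decoded.items():
        print("%-16s %r" % (key, value))
```

The trailer is identified purely from the IP total length field, which is also why a wrong or hostile total length is treated as a decode error rather than guessed around: a decoder that quietly trimmed the frame to a plausible size would be interpreting, not decoding.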

You can grab the latest version here for Linux:

Scapy.py for Linux

And Windows here:

Scapy.py for Windows

Or…

Scapy 1.1.1 tarball (not always up to date)
Scapy’s debian package (not always up to date)
Scapy’s RPM package (not always up to date)

You can read more and find examples, presentations and so on here:

http://www.secdev.org/projects/scapy/

Sguil – Intuitive GUI for Network Security Monitoring with Snort

Sguil (pronounced sgweel) is probably best described as an aggregation system for network security monitoring tools. It ties your IDS alerts into a database of TCP/IP sessions, full content packet logs and other information. When you’ve identified an alert that needs more investigation, the sguil client provides you with seamless access to the data you need to decide how to handle the situation. In other words, sguil simply ties together the outputs of various security monitoring tools into a single interface, providing you with the most information in the shortest amount of time.

Sguil uses a database backend for most of its data, which allows you to perform SQL queries against several different types of security events.

How is sguil different from Snort + ACID or Snort + BASE?

ACID & BASE are both web-based IDS alert management systems. They let you browse and search alerts, but don’t offer very much in the way of data-mining that would allow you to answer questions like, “Was this an attack attempt or a false positive?”, “Was the attempt successful?” or “What other machines did the attacker try to crack once he got into this one?”. They rely on you to do the research necessary to determine the severity of the situation.

Sguil’s design centers on providing convenient, quick access to a host of supporting information, which both saves you time and helps you make better decisions. Incidentally, because sguil uses a dedicated client instead of running through a web browser, you get a richer, more responsive user interface as well.
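The alert-to-session correlation described above, as an added Python/SQLite example that is not Sguil’s code or schema: two constructed tables stand in for the alert store and the session store, and two queries answer, for one alert, which flow it fired in (with the bytes the server sent back, a first hint at whether the attempt got any response) and which connections the alerted-on host opened afterwards. The table layout, addresses and sample events are all constructed.

```python
import sqlite3

# Constructed sample events (not from Sguil or the original page).
ALERTS = [
    # alert_id, ts, src_ip, src_port, dst_ip, dst_port, signature
    (1, "2007-01-10 10:00:05", "198.51.100.7", 40123, "192.0.2.25", 80, "WEB-MISC long URI"),
    (2, "2007-01-10 10:02:30", "198.51.100.9", 51000, "192.0.2.25", 22, "SSH brute force attempt"),
]
SESSIONS = [
    # session_id, start_ts, end_ts, src_ip, src_port, dst_ip, dst_port, src_bytes, dst_bytes
    (100, "2007-01-10 10:00:04", "2007-01-10 10:00:06", "198.51.100.7", 40123, "192.0.2.25", 80, 612, 48),
    (101, "2007-01-10 10:02:29", "2007-01-10 10:02:35", "198.51.100.9", 51000, "192.0.2.25", 22, 1550, 0),
    (102, "2007-01-10 10:05:00", "2007-01-10 10:06:00", "192.0.2.25", 33000, "203.0.113.4", 4444, 900, 2000),
]


def make_db():
    """In-memory database with an alert table and a session (flow) table."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE alerts (alert_id INTEGER, ts TEXT, src_ip TEXT,
                   src_port INTEGER, dst_ip TEXT, dst_port INTEGER, signature TEXT)""")
    con.execute("""CREATE TABLE sessions (session_id INTEGER, start_ts TEXT, end_ts TEXT,
                   src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER,
                   src_bytes INTEGER, dst_bytes INTEGER)""")
    con.executemany("INSERT INTO alerts VALUES (?,?,?,?,?,?,?)", ALERTS)
    con.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?,?)", SESSIONS)
    return con


def session_for_alert(con, alert_id):
    """Join an alert to the flow it fired in, matching the 5-tuple and the
    time window. Returns (session_id, src_bytes, dst_bytes) or None; a
    dst_bytes of 0 means the server never answered the client."""
    return con.execute("""
        SELECT s.session_id, s.src_bytes, s.dst_bytes
        FROM alerts a JOIN sessions s
          ON s.src_ip = a.src_ip AND s.src_port = a.src_port
         AND s.dst_ip = a.dst_ip AND s.dst_port = a.dst_port
         AND a.ts BETWEEN s.start_ts AND s.end_ts
        WHERE a.alert_id = ?""", (alert_id,)).fetchone()


def outbound_after_alert(con, alert_id):
    """Connections initiated by the alerted-on host after the alert, the
    'where did it go next' question. Returns [(dst_ip, dst_port), ...]."""
    return con.execute("""
        SELECT s.dst_ip, s.dst_port
        FROM alerts a JOIN sessions s
          ON s.src_ip = a.dst_ip AND s.start_ts > a.ts
        WHERE a.alert_id = ?
        ORDER BY s.start_ts""", (alert_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for alert_id, _, src, _, dst, _, sig in ALERTS:
        print(sig, src, "->", dst)
        print("  session:", session_for_alert(db, alert_id))
        print("  outbound afterwards:", outbound_after_alert(db, alert_id))
```

The timestamps are stored as ISO-8601 text so that string comparison orders them correctly; with the flow record at hand, the analyst reads the byte counts and the follow-on connections instead of re-deriving them from raw packet logs.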

You can find snort here:

http://www.snort.org/

You can read more and download Sguil here:

http://sguil.sourceforge.net/