ProxyFuzz

ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) contents on the network traffic. It supports TCP and UDP protocols and can also be configured to fuzz only one side of the communication. ProxyFuzz is protocol agnostic so it can randomly fuzz any network communication.

ProxyFuzz is a good tool for quickly testing network protocols and producing basic proofs of concept. Using this tool you will be amazed by the poor quality of software, and you will see clients and servers dying upon unexpected input; just be prepared for some very weird behaviour.

Syntax of ProxyFuzz:

ProxyFuzz 0.1, Simple fuzzing proxy by Rodrigo Marcos

usage():

python proxyfuzz -l -r -p [options]

[options]

-w: Number of requests to send before start fuzzing
-c: Fuzz only client side (both otherwise)
-s: Fuzz only server side (both otherwise)
-u: UDP protocol (otherwise TCP is used)
-v: Verbose (outputs network traffic)
-h: Help page
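To make the options above concrete, here is an added example (not ProxyFuzz's own code) of the decision logic a fuzzing proxy applies to each message: a warm-up count like -w, a per-side switch like -c/-s, and a random byte mutation. The mutation strategy (XOR a handful of byte positions with a non-zero value) is a constructed stand-in, since the page does not describe ProxyFuzz's actual algorithm, and the HTTP exchange at the bottom is made up; a real proxy would read the messages from two sockets. The seed is there so that an input that crashes a service under test can be reproduced.

```python
import random
from typing import List, Optional, Tuple

CLIENT = "client"  # data flowing client -> server
SERVER = "server"  # data flowing server -> client


def mutate(payload: bytes, rng: random.Random, max_ratio: float = 0.05) -> bytes:
    """Flip a few randomly chosen bytes of ``payload``.

    Constructed stand-in for ProxyFuzz's random mutation (its real algorithm
    is not described on the page): between 1 and ~5% of the byte positions
    are XORed with a non-zero value, so every pass changes the data but
    never its length.
    """
    if not payload:
        return payload
    data = bytearray(payload)
    n = max(1, int(len(data) * max_ratio))
    for pos in rng.sample(range(len(data)), n):
        data[pos] ^= rng.randrange(1, 256)  # non-zero XOR guarantees a change
    return bytes(data)


class FuzzPolicy:
    """Decides, per message, whether the proxy forwards it untouched or fuzzed.

    Mirrors the page's options: -w (warm-up count), -c (client side only)
    and -s (server side only); both sides are fuzzed when neither is set.
    """

    def __init__(self, warmup: int = 0, client_only: bool = False,
                 server_only: bool = False, seed: Optional[int] = None):
        if client_only and server_only:
            raise ValueError("choose at most one of client_only / server_only")
        self.warmup = warmup
        self.fuzz_client = not server_only
        self.fuzz_server = not client_only
        self.rng = random.Random(seed)  # seeded so a crash can be reproduced
        self.seen = 0

    def handle(self, direction: str, payload: bytes) -> Tuple[bytes, bool]:
        """Return (data to forward, whether it was mutated)."""
        self.seen += 1
        if self.seen <= self.warmup:
            return payload, False  # let the session establish itself first
        if direction == CLIENT and not self.fuzz_client:
            return payload, False
        if direction == SERVER and not self.fuzz_server:
            return payload, False
        out = mutate(payload, self.rng)
        return out, out != payload


def run_session(policy: FuzzPolicy, messages: List[Tuple[str, bytes]]):
    """Push a recorded exchange through the policy.

    Returns one (direction, data, mutated) tuple per message.
    """
    return [(d, *policy.handle(d, p)) for d, p in messages]


if __name__ == "__main__":
    # Constructed exchange; a real proxy would read these from two sockets.
    exchange = [
        (CLIENT, b"GET / HTTP/1.0\r\n\r\n"),
        (SERVER, b"HTTP/1.0 200 OK\r\n\r\nhello"),
        (CLIENT, b"GET /x HTTP/1.0\r\n\r\n"),
        (SERVER, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    ]
    policy = FuzzPolicy(warmup=2, client_only=True, seed=1)
    for direction, data, mutated in run_session(policy, exchange):
        print(direction, "FUZZED" if mutated else "clean ", data)
```

With warmup=2 and client_only=True the first two messages pass untouched, the third (client side) is mutated, and the fourth (server side) is left alone, which is exactly the combination of -w 2 -c.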

A demo of ProxyFuzz is available here.

The video shows ProxyFuzz proxying traffic between a VMWare Console and a VMWare Server. This is just a dumb example of the things you can do with this tool.

Download ProxyFuzz 0.1 Source Code

Download ProxyFuzz 0.1 Windows Binary

Or read more here.

The Kcpentrix Project – Penetration Testing Toolkit LiveDVD

The Kcpentrix Project was founded in May 2005. KCPentrix 1.0 was a liveCD designed to be a standalone penetration testing toolkit for pentesters, security analysts and system administrators.

What’s New in KcPentrix 2.0

Release 2.0 is now a liveDVD. It features a lot of new or up-to-date tools for auditing and testing a network, from scanning and discovery to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD. The powerful modularity that Kcpentrix inherits from it allows the distribution to be easily customised and to include relevant modules.

It has switched to the 2.6 kernel line, and Zisofs compression was replaced by SquashFS, which provides a better compression ratio and higher read speed.

You can download the ISO from Kcpentrix.com or Securitydistro.com here:

Kcpentrix v2.0

Or read more here.

Some of the key tools/software included:

ARP

arping-2.04
seringe
arp-sk
arpspoof

Backdoors

hbkdr.tar.gz
hbkdr.zip
sbd-1.37.tar.gz
ssheater-1.1.tar.gz
x86-linux-connectback.c
x86-linux-portbind.c

Bruteforce

adsmb-0.3
adsnmp-0.1
brutus-0.9.2
crackcvspass-v0.1
john-1.7.2
Online_Rainbow
onesixtyone-0.3.2
nat-1.0.4
mdcoll
lodowep
SIPcrack-0.1
smbat
TFTP-bruteforce
VNCcrack-0.9.1
wyd
crunch
md5crack.pl
ophcrack
thc-pptp-bruter
vncrack

Cisco

brute-enable-v.1.0.2
cisco-auditing-tool-v.1.0
cisco-global-exploiter
cisco-scanner-v.1.3
cisco-torch-0.4b
ciscopack
copy-router-config-v.0.1
eigrp-tools
ios-w3-vul
ios7decrypt-v.1.1
jitney-0.10

Database

sqlbrute.py
bsqlbf.pl
mysql_bftools
metacoretex-0.8.0
oat
oscanner_bin
checkpwd
sidguess
tnscmd10g.pl
bfora.pl
dbcool_audit.pl
oracletest.pl
tnsprobe.sh
oracle-scanner-v.1.0.6
oracle-dump-sids-v0.0.1
oat-v.1.3.1

Enumeration

dnswalk
DNSBruteforce.py
dns-ptr
dnsenum
dnsmap
dns-predict-v.0.0.2
fingergoogle-1.1
googrape-v.0.1
gooscan-v0.9
goog-mail.py
qgoogle.py
google-search
dnspython-1.3.2
dnslib.py
httplib.py
inet-enum.py
isr-form-1.0
ldap-enum-v.003
ldapbrowser
list-urls
lsrtunnel-0.2.1
mibble-2.6
mibble-2.7
nmbscan-1.2.4
nstx
relayscanner
revhosts
smb-enum
smtp-vrfy
snmpenum.pl
httprint_301

Firewall

ftester-1.0
Morena
hping2

Forensics

autopsy-2.06
sleuthkit
sleuthkit-2.03

Fuzzers

bed
bed-v.0.5
cirt-fuzzer
clfuzz
fuzzer-1.1
fuzzer-1.2
fuzzer-mod
mistress
Peach
pirana-0.2.1
snmp-fuzzer-0.1.1
spike

Misc-tools

find_ddos3.1
fping-2.4b2
ipgenv2

Proxies

3proxy_0_5_2
paros
penproxy-0.4.10

Scanners

banshee-3.3
dcom_scanner
hydra-5.3
knocker-0.7.1
lsrscan-1.0
ike-scan
amap
nikto-1.35
pbnj
nbtscan
nmap
nmapfe
sinfp.pl
VNC_bypauth

Sniffers

aimsniff-0.9d
aimsniff-1.0beta
PHoss
xspy
dsniff
p0f
wireshark

Spoofing

netsed

Tunnelling

3proxy
iodine-0.3.2
proxytunnel-1.6.3

Web

asp-audit
metoscan04
proxyfinder-1.0
sqlibf
sqlinject-1.1
wal
easy-scraper.pl
hacker_webkit.tar.gz
mysql-miner.pl
put.pl

Wireless

aircrack-2.2-beta1
aircrack-ng-0.6.2
airpwn-1.3
airsnarf-0.2
asleap-1.4
wifitap
hotspotter-0.4
fakeap-0.3.2
cowpatty-2.0
wep_crack
wep_decrypt

sqlninja 0.1.2

sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.

It should be used by penetration testers to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered. It is written in Perl and runs on Unix-like boxes.

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
  • Bruteforce of ’sa’ password
  • Privilege escalation to ’sa’ if its password has been found
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

What’s New?

  • Test mode, that checks whether the configuration is correct and the injection is successful
  • Debug option, which allows printing the SQL commands and the raw HTTP request/response data. Useful when things are not working and you want to see what’s going on under the hood
  • Files are uploaded to %TEMP%, bypassing possible write restrictions
  • A simplified way to configure the injection parameters
  • Interactive config file generation

You can find it, together with a flash demo of its features, at the address:

http://sqlninja.sourceforge.net

Trinity Rescue Kit

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

It is possible to boot TRK in three different ways:

  • As a bootable CD which you can burn yourself from a downloadable ISO file
  • From a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK CD
  • From the network over PXE, which requires some modifications on your local network.

TRK is a complete command-line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

It’s recommended to keep a copy of TRK in your toolkit; we at Darknet do find it useful, especially for resetting passwords and fixing messed-up file systems.

A summary of the main features:

  • easily reset windows passwords
  • 4 different virusscan products integrated in a single uniform commandline with online update capability
  • full ntfs write support thanks to ntfs-3g (all other drivers included as well)
  • clone NTFS filesystems over the network
  • wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
  • easy script to find all local filesystems
  • self update capability to include and update all virusscanners
  • full proxyserver support.
  • run a samba fileserver (windows like filesharing)
  • run a ssh server
  • recovery and undeletion of files with utilities and procedures
  • recovery of lost partitions
  • evacuation of dying disks
  • UTF-8 international character support

You can download the latest TRK 3.2 here:

Trinity Rescue Kit: Download

Phrack 64

Finally a new Phrack! Phrack 64 was released a while back, at the end of May, and it’s been quite a wait.

At the beginning in 1985, Phrack started as an anarchy magazine. You can learn from the first issues how to create your own bomb or how to seriously take advantage of the world that surrounds us. You can learn from the first issues how the hacking started, in which state of mind were the editors of the magazine when the will of communicating was stronger than keeping all the fun for yourself. When you could teach so many people who deserved to make fun as well. Nothing of Phrack was ever about making money or harming anyone, since Hacking is about freedom of speech and intellectual curiosity. Hackers regulate the digital exchanges happening on the network and it will never stop, because you cannot catch us, and you certainly cannot catch us all.

Before Phrack, Hacking was already existing and even all serious companies, agencies, and groups of influence in the world dealing with information privacy and security felt concerned with the topic. Hackers were the founders of the system itself, and the system decomposed into multiple entities. Students and self-made hackers followed their way in the society that often did not integrate them how they deserved to be, so harshly that nowadays Hacking is forbidden in most of the countries of our planet. The system is getting private. Some of the humans have more rights than others. Some have interests to keep, others are simply waiting for their turn.

In the last decade, Phrack took a very annoying industry-oriented editorial policy and the original spirit was in our opinion not respected. The good old school spirit as we like had somehow disappeared from the process of creating the magazine. That is why the underground got split with a major dispute, as some part of the scene was unhappy with this new way of publishing. We clearly needed to bring together again all the relevant parties around the spirit of hacking and the values that make the Underground. The Underground is neither about making the industry richer by publishing exploits or 0day information, nor distributing hacklogs of whitehats on the Internet, but to go further the limits of technology ever and ever, in a big wave of learning and sharing with the people ready to embrace it. This is not our war to fight people doing this for money but we have to clearly show our difference.
It is also getting more urgent that hackers use the technology to make the world a fair place to live in, and we will not let politics decide without us what is good to do. Hackers need to express their concerns and regulate the information despite the rules imposed by self-claimed authorities, and this is the real subject of our actions.
Because of this, the Phrack Magazine always was an alternative recipient for all the Hacking community knowledge that gets renewed continuously. The content is evolving in a patchwork made of multiple disciplines. Of course, programming takes a central place, but software and hardware systems evolve together, so does our protocol suite and its extensions. Reverse Engineering and Cryptography are made more and more desirable even in the mainstream society. Our own body has turned into an experimentation system that brings new perspectives on the judgment that defines who we are.

Phrack will always exist and will never discriminate against the origin of its contributors. The magazine is where information is the rule and discrimination does not exist, provided you complete the disruptive compliance attitude that defines the Hacking identity itself.

Be original, keep the underground renewing.

Contribute to Phrack.

You can read Phrack 64 at http://phrack.org/ or get the tar.gz in original style here:

64.tar.gz

Fuzzled – PERL Fuzzing Framework

Someone else noticed this and wondered where the Perl framework was to complete the family. With that in mind he spent the last few months working on something that should fill the gap: Fuzzled.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them.

All in PERL!

It’s a pretty comprehensive framework with a lot of functionality, so do check it out and let us know what you think.

Fuzzled v1.0 can be found here.

You can download Fuzzled directly here:

Fuzzled-1.0.tar.gz

Priamos Project – SQL Injector and Scanner

With the injector module you can search for SQL injection vulnerabilities and inject a vulnerable string to retrieve all database names, tables and column data.

You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).

The first release of PRIAMOS contains only the SQL Server database module.

You can watch a demo video here and find out more here:

http://www.priamos-project.com/

If you want something to test you can create your own local vulnerable test platform using this script:

Download Vulnerable ASP page and Database script

You can download PRIAMOS here:

PRIAMOS.v1.0.zip

SQLBrute – SQL Injection Brute Force Tool

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

For error based SQL injection, SQLBrute should work if you can either:

  • Get an identifiable difference between adding the exploit strings AND 1=1 and AND 1=2 to your SQL injection point (usually works if the query is normally valid)
  • Get an identifiable difference between adding the exploit strings OR 1=1 and OR 1=2 to your SQL injection point (usually works if the query is normally invalid)

For time based SQL injection, SQLBrute should work if you can use exploit syntax similar to ;waitfor delay '0:0:5' to generate a time delay in Microsoft SQL Server.
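The two preconditions above (a boolean pair AND 1=1 / AND 1=2 or OR 1=1 / OR 1=2 that produces an observable difference, and a ;waitfor delay time probe) are also exactly what a blind-injection attempt looks like from the server side. The following added example, which is not part of SQLBrute or of the original post, scans web-server access-log lines for both signatures: it reports a boolean pair only once the same client has sent both halves against the same path, together with the response-size difference that makes the pair "identifiable", and flags any waitfor delay probe immediately. The log lines are constructed for the example and are Apache combined-format entries; the paths, IPs and sizes are made up.

```python
import re
from collections import defaultdict
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2007:10:01:02 +0000] "GET /news.asp?id=5 HTTP/1.1" 200 812
10.0.0.5 - - [12/Jun/2007:10:01:03 +0000] "GET /news.asp?id=5%20AND%201=1 HTTP/1.1" 200 812
10.0.0.5 - - [12/Jun/2007:10:01:04 +0000] "GET /news.asp?id=5%20AND%201=2 HTTP/1.1" 200 301
10.0.0.5 - - [12/Jun/2007:10:01:09 +0000] "GET /news.asp?id=5;waitfor%20delay%20'0:0:5'-- HTTP/1.1" 200 812
10.0.0.9 - - [12/Jun/2007:10:02:00 +0000] "GET /news.asp?id=7 HTTP/1.1" 200 790
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# "AND 1=1", "or 1 = 2", ... : the boolean probes described on the page
BOOL_RE = re.compile(r"\b(AND|OR)\s+1\s*=\s*([12])\b", re.I)
# the MS SQL time-delay primitive from the page
TIME_RE = re.compile(r"\bwaitfor\s+delay\b", re.I)

Finding = Tuple[str, str, str, str]  # (client ip, path, kind, detail)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def analyze(log_text: str) -> List[Finding]:
    """Return blind-SQLi findings for the given log text.

    Boolean pairs are keyed by (client, path, operator) so that 1=1 and 1=2
    sent against the same page by the same client are matched up, and the
    response sizes of the two halves are reported as the observable difference.
    """
    pending = defaultdict(dict)  # (ip, path, op) -> {"1": size, "2": size}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        q = unquote_plus(query)  # attackers URL-encode spaces and quotes
        if TIME_RE.search(q):
            findings.append((rec["ip"], path, "time-based", q))
        for op, const in BOOL_RE.findall(q):
            key = (rec["ip"], path, op.upper())
            pending[key][const] = rec["size"]
            if len(pending[key]) == 2:
                s1, s2 = pending[key]["1"], pending[key]["2"]
                detail = f"{op.upper()} 1=1 / 1=2 pair, response sizes {s1} vs {s2}"
                findings.append((rec["ip"], path, "boolean-based", detail))
                pending.pop(key)  # report each completed pair once
    return findings


if __name__ == "__main__":
    for ip, path, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ip} {path} {kind}: {detail}")
```

The size comparison is the defender's mirror of the "identifiable difference" SQLBrute relies on: when both halves of a pair return the same status code but markedly different body sizes, the page is almost certainly leaking a bit per request. Feeding the detector a rolling window of real logs instead of the constructed sample is the only change needed to run it in practice.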

Here are the options printed by SQLBrute when you run it with no arguments:

Usage: ./sqlbrute.py options url
[--help|-h]
[--verbose|-v]
[--server|-d oracle|sqlserver]
[--error|-e regex]
[--threads|-s number]
[--cookie|-k string]
[--time|-n]
[--data|-p string]
[--database|-f database]
[--table|-t table]
[--column|-c column]
[--where|-w column=data]
[--header|-x header::val]

Full details and usage notes can be found here:

Using SQLBrute to brute force data from a blind SQL injection point

You can download SQLBrute here:

sqlbrute.py