Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

The tool is based on dictionaries and ranges, you choose where you want to bruteforce just by replacing the part of the URL or the POST by the keyword FUZZ.

It’s very flexible, here are some functionalities:

• Recursion (When doing directory bruteforce)
• Post data bruteforcing
• Output to HTML (easy for just clicking the links and checking the page, even with postdata!!)
• Colored output on all systems
• Hide results by return code, word numbers, line numbers, etc.
• URL encoding
• Cookies
• Multithreading
• Proxy support
• All parameters bruteforcing (POST and GET)
• Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more.

Example:

wfuzz.py -c -z file -f commons.txt --hc 404 --html http://www.mysite.com/FUZZ

This will bruteforce the site http://www.mysite.com/FUZZ in search of resources (directories, scripts, files,etc), it will hide from the output the return code 404 (for easy reading the results), it will use the dictionary commons.txt for the bruteforce.

It was created to facilitate the task in Web Applications assessments, it’s a tool by pentesters for pentesters.

You can download Wfuzz here:

Wfuzz 1.1 – Win32
Wfuzz 1.1 – Unix

Or read more here.

Dr. Morena – Firewall Configuration Testing Tool

Dr.Morena is a tool to confirm the rule configuration of a Firewall.

The configuration of a Firewall is done by combining more than one rule. Sometimes a rule configuration may reside in a place other than the basic rule configuration place. In such a case, it is difficult to confirm whether it is an intended configuration by the system administrators. (Is an unnecessary hole open, or is a necessary hole open?).

We prepare a computer which has two network interface for this tool. Then, each network interface is connected to each of the network interfaces on both sides of the Firewall. The packet the source IP address and the destination IP address is forged and sent to the Firewall from one network interface. The packet which passed through the Firewall is confirmed in the other network interface. The rule of the Firewall is confirmed from the packets which passed through the Firewall, and the packets which didn’t pass.

This tool can check the rules without depending on the way of the Firewall is configured.

There is two modules in Dr. Morena – similar to the Firewal Tester (FTester. The first module is a check engine, and the second module is a packet list making engine.

Checker, which is the check engine, makes the check packet according to given packet information, and sends and receives this packet. Also, the check engine confirms whether the packet passed through the firewall, and returns the checked result.

Ideally, it is good to be able to check all packets of all services from all Internet Protocol addresses to all Internet Protocol addresses when we check the rules of a firewall. However, it is impossible to check all packets in appropriate time. Therefore, it is necessary to check the firewall by using only some limited packets. However, efficiency is bad in the check which uses packets chosen at random. Then, it is necessary to check the firewall by using the packet intended for an important address and the service listed in the security policy etc. by priority.

ListMaker, which is the check packet list making engine, lists necessary packets for the check, from information classified according to the importance degree.

You can download Dr. Morena here as an rpm file:

drmorena-0.2.0-1.i386.rpm

Or read more here.

piggy – Download MS-SQL Password Brute Forcing Tool

Piggy is yet another tool for performing online password guessing against Microsoft SQL servers.

It supports scanning multiple servers using a dictionary file or a file with predefined accounts (username and password combinations).

It’s a pretty simple tool and has a Win32 binary verson – it is a command line tool however.

Piggy v1.0.1 by patrik@cqure.net
--------------------------------
usage: piggy [options]

options:
  -u [username] - Single username
  -p [password] - Single password
  -s [server]   - Single server
  -S [srvfile]  - File containing ip/hostnames
  -D [dicfile]  - File containing passwords
  -A [accounts] - File containing username;password combinations
  -N            - Do not check availability before scan
  -v verbose    - Verbose logging

You can download it here:

piggy-src-1_0_1.zip (Source code)
piggy-win32-1_0_1.zip (Binary version)

FTester – Firewall Tester and IDS Testing tool

The Firewall Tester (FTester) is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.

The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are ran on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available for automatically parse the log files.

Of course this is not an automated process, ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.

The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS, ftest can also use common IDS evasion techniques. Instead of using the configuration syntax currently the script can also process snort rule definition file.

Features:

• Firewall testing
• IDS testing
• Simulation of real TCP connections for stateful inspection firewalls and IDS
• Connection spoofing
• IP fragmentation / TCP segmentation
• IDS evasion techniques

Requirements:

The following PERL modules are required: Net::RawIP, Net::PcapUtils, NetPacket

You can download FTester here:

ftester-1.0.tar.gz

Or you can read more here.

Sandcat by Syhunt – Web Server & Application Vulnerability Scanner

Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.

The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.

This is a pretty nifty and complete tool, there is a ‘pro’ version available too.

Key Features

• Provides over 260 web application security checks, covering over 38 types of web security attacks — a target server can be local or remote
• Crawls web sites and detects cross-site scripting, directory transversal problems, attempts to execute commands and multiple other attacks
• Scans web servers for the SANS Top Twenty (C1), the OWASP Top 10 and the OWASP PHP Top 5 vulnerabilities
• Allows to scan for specific vulnerabilities, such as Fault Injection, SQL Injection and XSS (Cross-Site Scripting) vulnerabilities
• Allows to define a range or list of IP addresses to be scanned
• Allows to define multiple start URLs
• Allows to perform destructive and non-destructive scans
• Allows to edit the crawling depth: maximum number of links per server, maximum links per page, maximum URL length and maximum response size and more
• Allows to create user signatures for detecting application vulnerabilities
• Prevents logout
• Tests intrusion detection systems
• Exploits AJAX-based web applications
• Supports host authentication (basic and web form authentication)
• Supports OSVDB, NVD, CVE and CWE
• Stores and allows you to view the HTTP request and response for each successful test
• Automatically discovers and analyzes the server’s configuration to determine which tests are needed
• Analyzes robots.txt file and javascript
• Includes a Baseline Security Scanner — ensures security against outdated server software

Download Sandcat Standard Edition v3.08 here:

Download (EXE-Installer)
Download PDF Manual

Downloads Page.

Windows only I’m afraid.

Or you can read more here.

FG-Injector – SQL Injection & Proxy Tool

FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.

Often web developers think that by disabling error messages in their code, SQL injection vulnerabilities stop being dangerous. When a SQL injection vulnerability doesn’t return errors messages it is known as a Blind Injection. The truth is that Blind Injections are just as dangerous as regular SQL Injections. By carefully selecting SQL sentences to inject, an attacker can retrieve information from the database of the vulnerable web application, one bit at a time. The end result is that the attacker can obtain the same data through the Blind SQL Injection that he/she would obtain from a regular -non-blind- SQL Injection.

The Inference Engine Module of the FG-Injector Framework automates the generation and injection of SQL statements needed for exploitation of a Blind SQL Injection. This module will work also for regular injections using the same method. It can produce blind injections on web/app servers using MS SQL Server, MySQL, and PostgresSql DBMSs.

You can find the downloads here including 0.9 version Windows binary and 0.9a source code:

FG-Injector Framework Downloads

You can find full documentation here or just read more here.

sqlget v1.0.0

sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

• IBM DB2
• Microsoft SQL Server
• Oracle
• Postgres
• Mysql
• IBM Informix
• Sybase
• Hsqldb
• Mime
• Pervasive
• Virtuoso
• SQLite
• Interbase/Yaffil/Firebird (Borland)
• H2
• Mckoi
• Ingres
• MonetDB
• MaxDB
• ThinkSQL
• SQLBase

Evasion features:

• Full-width/Half-width Unicode encoding
• Apache non standard CR bypass
• mod_security bypass
• Random uppercase request transform
• PHP Magicquotes: encode every string using db CHR function or similar.
• Convert requests to hexadecimal values
• Avoid non-space replacing for /**/ or (\t) tab
• Avoid non || or + concatenation using db concat function or similar.
• Random user-agent
• Random proxy-server
• Random delay request

Common features:

• Database schemate download blacklist
• Cookie array support
• SSL support
• Proxy server support
• Database information dumped in csv format

You can find a demo here bypassing IBM ISS Proventia IPS:

ISR sqlget ISS Proventia Bypass

And you can download sqlget here:

ISR-sqlget v.1.0.0

Or read more here.

Proxmon – Proxy Log Monitoring Tool

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Formerly announced as ScarabMon as part of BlackHat EU 2007, proxmon monitors proxy logs and reports on security issues it discovers. ProxMon was also presented at CanSecWest 2007.

ProxMon handles routine tasks like

• Checking server SSL configuration
• Looking for directories that allow listing or upload

It’s real strength is that it also helps with higher level analysis such as

• Finding values initially sent over SSL that later go cleartext
• Finding Secure cookie values also sent in the clear
• Finding values that are sent to 3rd party sites

It’s key features are

• automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
• proxy agnostic
• included library of vulnerability checks
• active testing mode
• cross platform
• open source license
• easy to program extensible python framework

You can download ProxMon here (Prerequisites: Python):

proxmon-1.0.18.tar.gz
proxmon-1.0.18.exe

Selenium – JavaScript Web Application Security Testing Tool

Selenium is a test tool for web applications. Selenium tests run directly in a browser, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh. No other test tool covers such a wide array of platforms.

• Browser compatibility testing. Test your application to see if it works correctly on different browsers and operating systems. The same script can run on any Selenium platform.
• System functional testing. Create regression tests to verify application functionality and user acceptance.

Try it out! Get started with Selenium IDE for your first taste of Selenium’s power. You can run Selenium IDE tests in any supported browser using Selenium Core.

Any Language! Want to write tests in your favorite programming language? Try Selenium Remote Control; it currently supports writing tests in Java, .NET, Perl, Python and Ruby.

Supported Platforms:

Windows:

• Internet Explorer 6.0
• Firefox 0.8 to 1.5
• Mozilla Suite 1.6+, 1.7+
• Seamonkey 1.0
• Opera 8

Mac OS X:

• Safari 1.3+
• Firefox 0.8 to 1.5
• Camino 1.0a1
• Mozilla Suite 1.6+, 1.7+
• Seamonkey 1.0

Linux:

• Firefox 0.8 to 1.5
• Mozilla Suite 1.6+, 1.7+
• Konqueror

Selenium uses JavaScript and Iframes to embed a test automation engine in your browser. This technique should work with any JavaScript-enabled browser. Because different browsers handle JavaScript somewhat differently, usually they have to tweak the engine to support a wide range of browsers on Windows, Mac OS X and Linux.

You can read more here.