Burp Suite v1.2 – Web Application Security Testing & Attack Platform

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another (The tools are Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder & Comparer).

Key features unique to Burp Suite include:

• Detailed analysis and rendering of requests and responses.
• One-click transfer of interesting requests between tools.
• Ability to “passively” spider an application in a non-intrusive manner, with all requests originating from the user’s browser.
• FIPS-compliant statistical analysis of session token randomness.
• Utilities for decoding and comparing application data.
• Support for custom client and server SSL certificates.
• Extensibility via the IBurpExtender interface.
• Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
• Tools can run in a single tabbed window, or be detached in individual windows.
• Runs in both Linux and Windows.

New features in version 1.2 include:

• Site map showing information accumulated about target applications in tree and table form.
• Fully fledged web vulnerability scanner. [Pro version only]
• Suite-level target scope configuration, driving numerous individual tool actions.
• Display filters on site map and Proxy request history.
• Ability to save and restore state. [Pro version only]
• Suite-wide search function.
• Support for invisible proxying.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

You can download Burp Suite v1.2 here:

burpsuite_v1.2.zip

Or read more here.

MultiInjector v0.3 – Automatic SQL Injection and Defacement Tool

Features

• Receives a list of URLs as input
• Recognizes the parameterized URLs from the list
• Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
• Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
• OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
• Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
• Optional use of an HTTP proxy to mask the origin of the attacks

Changes

• Automatic defacement – Try to concatenate a string to all user-defined text fields in DB
• Run any OS command as if you’re running a command console on the DB machine
• Execute SQL commands of your choice
• Enable OS shell procedure on DB – Revive the good old XP_CMDSHELL where it was turned off
• Add administrative user to DB server with password: T0pSeKret
• Enable remote desktop on DB server
• Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
• Added numeric / string parameter type detection
• Improved defacement content handling by escaping quotation marks
• Improved support for Linux systems
• Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

You can download MultiInjector v0.3 here

MultiInjectorV0.3.tar.gz

Or read more here.

sqlmap 0.6.3 – Automatic SQL Injection Tool

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more..

Changes

Some of the new features include:

• Major enhancement to get list of targets to test from Burp proxy requests log file path or WebScarab proxy ‘conversations/’ folder path with option -l;
• Major enhancement to support Partial UNION query SQL injection technique;
• Major enhancement to test if the web application technology sup ports stacked queries (multiple statements) by providing option –stacked-test which will be then used someday also by takeover functionality;
• Major enhancement to test if the injectable parameter is affected by a time based blind SQL injection technique by providing option –time-test;
• Major bug fix to correctly enumerate columns on Microsoft SQL Server;
• Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM
  there is no database name specified;

Complete ChangeLog

You can download sqlmap 0.6.3 here:

sqlmap-0.6.3.tar.gz (Linux)
sqlmap-0.6.3_exe.zip (Windows)

Or read more here (User Manual).

sapyto v0.98 – SAP Penetration Testing Framework Tool

sapyto is the first SAP Penetration Testing Framework, sapyto provides support to information security professionals in SAP platform discovery, investigation and exploitation activities.

sapyto is periodically updated with the outcome of the deep research on the various security aspects in SAP systems.

Although sapyto is a versatile and powerful tool, it is of major importance for it to be used by consultants who are highly skilled and specialized in its usage, preventing any interference with your organization’s usual SAP operation.

New in This Version

This version is mainly a complete re-design of sapyto’s core and architecture to support future releases. Some of the new features now available are:

• Target configuration is now based on “connectors”, which represent different ways to communicate with SAP services and components. This makes the
  framework extensible to handle new types of connections to SAP platforms.
• Plugins are now divided in three categories: Discovery, Audit & Exploit.
• Exploit plugins now generate shells and/or sapytoAgent objects.
• New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more…
• Plugin-developer interface drastically simplified and improved.
• New command switches to allow the configuration of targets/scripts/output independently.
• Installation process and general documentation improved.

You can download sapyto v0.98 here (you may have to fill in a form):

sapyto Public Edition (v0.98)

Or read more here.

BarsWF - md5 cracker

BarsWF is basically an MD5 cracking tool and at the moment, is currently the fastest. Right now on nVidia 9600GT/C2D 3Ghz CUDA version does 350 M keys/sec, SSE2 version does 108 M keys/sec. You may check benchmarks of all known good MD5 bruteforcers here.

Changes in 0.8

• Added checks for errors when calling CUDA kernel.
• Now you can specify custom characters for charset using -X switch.
• You may specify minimal password length using -min_len.
• Save/restore feature added. State is being stored to barswf.save every 5 minutes or on exit. You may continue computation using -r switch. You may manually edit .save file to distribute job on several computers (but this is up to you – it is quite simple and non-documented ). BarsWF will also write found password into barswf.save at the end.
• Improved speed for cards GTX260, GTX280, 8800GT, 9600GSO, 8800GS, 8800GTS – by approximately 10%, all other cards will get just 1-2%.

System Requirements

• CUDA version only:nVidia GeForce 8xxx and up, at least 256mb of video memory.
• LATEST nVidia-driver with CUDA support.Standard drivers might be a bit older (as CUDA 2.0 is still beta)
• CPU with SSE2 support (P4, Core2Duo, Athlon64, Sempron64, Phenom).
• Recommended 64-bit OS (WinXP 64 or Vista64). 32-bit version is also available.

Download BarsWF 0.8 here:

CUDA:
BarsWF CUDA x64
BarsWF CUDA x32

SSE2:
BarsWF SSE x64
BarsWF SSE x32

Or read more here.

Microsoft Baseline Security Analyzer

What is MBSA?

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server (SBS).

In order to provide support for Windows Vista, Windows Server 2008, 64-bit scan tool and vulnerability assessment check support, new Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent (WUA) Microsoft Baseline Security Analyzer (MBSA) 2.1 is now available.

New Features found in MBSA 2.1:

• Support for Windows Vista and Windows Server 2008
• Updated graphical user interface
• Full support for 64-bit platforms and vulnerability assessment (VA) checks against 64-bit platforms and components
• Improved support for Windows XP Embedded platform
• Improved support for SQL Server 2005 vulnerability assessment (VA) checks
• Automatic Microsoft Update registration and agent update (if selected) using the graphical interface or from the command-line tool using the /ia feature
• New feature to output completed scan reports to a user-selected directory path or network share (command-line /rd feature) Windows Server Update Services 2.0 and 3.0 compatibility

You can download MBSA 2.1 here:

Microsoft Baseline Security Analyzer 2.1

Or read more here.

Browser Rider – Web Browser Exploitation

Browser Rider is a hacking framework to build payloads that exploit the browser. The project aims to provide a powerful, simple and flexible interface to any client side exploit.

Browser Rider is not a new concept. Similar tools such as BeEF or Backframe exploited the same concept. However most of the other existing tools out there are unmaintained, not updated and not documented. Browser Rider wants to fill those gaps by providing a better alternative.

Features

• Easily create powerful payloads and plugins
• Manage payloads automatically with plugins
• All data can be saved in a database
• Obfuscation
• Polymorphism
• Control more than one zombie at a time
• Simple administration panel

Requirements

• PHP 5, with json installed
• Mysql
• Apache with url_rewrite on
• Targets must have Javascript turned on

You can download Browser Rider here:

Browser Rider v20081124 (changelog)

Or read more here.

MultiInjector – Automated Stealth SQL Injection Tool

MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing – or a bad thing.

But well here it is anyway.

Features

• Receives a list of URLs as input
• Recognizes the parameterized URLs from the list
• Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
• Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
• OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
• Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
• Optional use of an HTTP proxy to mask the origin of the attacks

The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.

Requirements

• Python >= 2.4
• Pycurl (compatible with the above version of Python)
• Psyco (compatible with the above version of Python)

You can download MultiInjector v0.2 here:

MultiInjector.py

Or read more here.

Sam Spade – Network Investigation Tool for Windows

Sam Spade is one of the oldest network security tools around in terms of a neat package containing a lot of stuff you need, it’s one of the first things I used when I got into information security and I was on a crusade against spammers and scammers.

It has all kinds of useful tools in a neat graphical interface, a lot of them are available on the command line in Windows – but they aren’t so easy to use. It’s extremely useful for tracking spam or ‘UCE’ as it’s known (Unsolicited Commercial E-mail).

Some of the features included are:

• Ping
• NSlookup
• Whois
• IP block search
• Dig
• Traceroute
• Finger
• SMTP VRFY
• Web browser keep-alive
• DNS zone transfer
• SMTP relay check
• Usenet cancel check
• Website download
• Website search
• Email header analysis
• Email blacklist
• Query Abuse address

Some other cool stuff it does is:

• Each tool displays it’s output in it’s own window, and everything is multi-threaded so you don’t need to wait for one query to complete before starting the next one
• Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
• The output from each query is hotlinked, so you can right click on an email address, IP address, hostname or internic tag to run another query on it
• Appending the results of a query to the log window is a single button function
• There’s a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself

You can download Sam Spade here:

Sam Spade v1.14

Or read more here.

sqlmap 0.6.1– Automatic SQL Injection Tool

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Features

• Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
• Extensive back-end database management system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
• Full support for two SQL injection techniques: blind SQL injection and inband SQL injection.

Changes

Some of the new features include:

• Added a Metasploit Framework 3 auxiliary module to run sqlmap;
• Implemented possibility to test for and inject also on LIKE statements;
• Implemented –start and –stop options to set the first and the last table entry to dump;
• Added non-interactive/batch-mode (–batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.

Complete list of changes at ChangeLog.

You can also grab the User Manual here.

You can download sqlmap 0.6.1 here:

Source – sqlmap-0.6.1.tar.gz

Windows – sqlmap-0.6.1_exe.zip

Or read more here.

XSS-Proxy – Cross Site Scripting Attack Tool

XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not famliar with XSS, then I recommend you check out the primer links/docs below to get a better of idea of what XSS is and how to detect it, fix it, and exploit it.

CERT info on XSS
CGISecurity’s Cross Site Scripting FAQ
Gunter Ollmann’s XSS paper
PeterW’s Cross Site Request Forgery (CSRF) Concept
SecureNet’s Session Riding paper

Some Common Misconceptions about XSS

• “A user has to click a link to be impacted by XSS.” No – if you visit a page that has your browser will run it regardless of you clicking a link. I carefully crafted this example so it would not be run by your browser, but I could have put real script tags/commands here and made you run then transparently.
• “XSS only matters with bulliten boards, blogs, and other sites where an attacker can upload script content.” That is one way the attack can happen, but an attacker can also leverage sites that allow HTML/SCRIPT tags to be reflected back to the same user (like a search form that repeats what it was told to look for in the response). These flaws are commonly combined with public site redirects or emails to attack a second site.
• “Don’t XSS attacks just create popup windows, alerts and other pesky things?” No – They are commonly used to reveal your cookies or form based login info to attackers. After havesting this info, the attacker uses it to log into the same site as you.
• “I understand XSS, but I don’t think it’s a huge issue“. I think you’ll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.

You can download XSS-Proxy here:

XSS-Proxy_0_0_12-book.pl

Or read more here.

lm2ntcrack – Microsoft Windows NT Hash Cracker (MD4 -LM)

This tool is for instantly cracking the Microsoft Windows NT Hash (MD4) when the LM Password is already known, you might be familiar with LM Cracking tools such as LCP.

The main problem is you’ve got the LM password, but it’s in UPPERCASE because LM hashes are not case sensitive, so you need to find the actual password for the account.

Example : Password cracker output for “Administrator” account

• LM password is ADMINISTRAT0R.
• NT password is ?????????????.

We aren’t lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So you cannot use this to connect to the audited Windows system.

This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.

Note :

• Password length : 13 characters.
• Details : 1 number + 12 case-sensitives letters.
• Possibilities : 2^12 = 4096 choices.

In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.

Execution time : <>

You can download lm2ntcrack here:

lm2ntcrack-current.tgz

Or read more here.

Firewalk – Firewall Ruleset Testing Tool

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

Read the original 1998 whitepaper here.

You can download Firewalk here:

firewalk.tar.gz

Or read more here.

NetStumbler – Windows Freeware to Detects Insecure Wireless Networks

What is NetStumbler?

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

• Verify that your network is set up the way you intended.
• Find locations with poor coverage in your WLAN.
• Detect other networks that may be causing interference on your network.
• Detect unauthorized “rogue” access points in your workplace.
• Help aim directional antennas for long-haul WLAN links.
• Use it recreationally for WarDriving.

General Requirements

The requirements for NetStumbler are somewhat complex and depend on hardware, firmware versions, driver versions and operating system. The best way to see if it works on your system is to try it.

Some configurations have been extensively tested and are known to work. These are detailed at http://www.stumbler.net/compat. If your configuration works but is not listed, or is listed but does not work, please follow the instructions on the web site.

The following are rules of thumb that you can follow in case you cannot reach the web site for some reason.

• This version of NetStumbler requires Windows 2000, Windows XP, or better.
• The Proxim models 8410-WD and 8420-WD are known to work. The 8410-WD has also been sold as the Dell TrueMobile 1150, Compaq WL110, Avaya Wireless 802.11b PC Card, and others.
• Most cards based on the Intersil Prism/Prism2 chip set also work.
• Most 802.11b, 802.11a and 802.11g wireless LAN adapters should work on Windows XP. Some may work on Windows 2000 too. Many of them report inaccurate Signal strength, and if using the “NDIS 5.1″ card access method then Noise level will not be reported. This includes cards based on Atheros, Atmel, Broadcom, Cisco and Centrino chip sets.
• I cannot help you figure out what chip set is in any given card.

Firmware Requirements

If you have an old WaveLAN/IEEE card then please note that the WaveLAN firmware (version 4.X and below) does not work with NetStumbler. If your card has this version, you are advised to upgrade to the latest version available from Proxim’s web site. This will also ensure compatibility with the 802.11b standard.

You can download NetStumbler 0.4.0 here:

NetStumblerInstaller_0_4_0.exe

Or read more here (tutorial here).

fwknop – Port Knocking Tool with Single Packet Authorization

Port Knocking came about in around 2003, but it has various weaknesses. There are plenty of implentations though (some quite advanced). Most of the problems are fixed however by fwknop!

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap.

SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through a firewall policy and/or complete commands to execute on the target system. By using a firewall to maintain a “default drop” stance, the main application of fwknop is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.

With fwknop deployed, anyone using nmap to look for sshd can’t even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no “server” to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from a fwknop client.

• Single Packet Authorization retains the benefits of Port Knocking (i.e. service protection behind a default-drop packet filter), but has the following advantages over Port Knocking: SPA can utilize asymmetric ciphers for encryption. Asymmetric ciphers typically have larger key sizes than symmetric ciphers, and the data transmission rate of port knocking (which uses packet headers instead of packet payloads as used by SPA) is not sufficient to effectively use an asymmetric cipher. SPA is compatible with 2048-bit Elgamal GnuPG keys, and other asymmetric ciphers can be used as well.
• SPA packets are non-replayable. There are strategies (such as S/Key-style iteration of a hash function) used by port knocking implementations to reduce the danger of a replayed knock sequence, but these strategies are relatively brittle and not generally very scalable to lots of users.
• SPA cannot be broken by trivial sequence busting attacks. For any attacker who can monitor a port knocking sequence, the sequence can be busted by simply spoofing a duplicate packet (as though it comes from the source of the real sequence) to the previous port in a sequence.
• SPA only sends a single packet over the network, and hence does not look like a port scan to any intermediate IDS that may be watching.
• SPA is much faster because it only sends a single packet. Port knocking implementations must build in time delays between successive packets because there is no guarantee of in-order delivery.

You can download fwknop-1.9.8 here:

fwknop-1.9.8.tar.gz
Windows UI

Or read more here.

Superscan v4.0 – Fast TCP & UDP Port Scanner for Windows

This is another tool that has been around for a long time and I’ve been using it for years since it’s earliest versions, oddly however I’ve never posted about it.

So here it for the few of you that haven’t heard of it, probably the best port scanner on the Windows platform, very fast and compact and has good banner grabbing functionality.

SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:

net stop SharedAccess

Features

Here are some of the new features in this version.

• Superior scanning speed
• Support for unlimited IP ranges
• Improved host detection using multiple ICMP methods
• TCP SYN scanning
• UDP scanning (two methods)
• IP address import supporting ranges and CIDR formats
• Simple HTML report generation
• Source port scanning
• Fast hostname resolving
• Extensive banner grabbing
• Massive built-in port list description database
• IP and port scan order randomization
• A selection of useful tools (ping, traceroute, Whois etc)
• Extensive Windows host enumeration capability

You can download Superscan v4.0 here:

Superscan v4.0

Or read more here.

BSQL Hacker – Automated SQL Injection

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

It ships with Automated Attack modules which allows the dumping of whole databases for the following DBMS:

• MS-SQL Server
• ORACLE
• MySQL (experimental)

Attack Templates for:

• MS Access
• MySQL
• ORACLE
• PostgreSQL
• MS-SQL Server

Also you can write your own attack template for any other database as well (see the manual for details). New attack templates and exploits for specific web application can be shared via Exploit Repository.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It supports :

• Blind SQL Injection (Boolean Injection)
• Full Blind SQL Injection (Time Based)
• Deep Blind SQL Injection (a new way to exploit BSQLIs, explained here)
• Error Based SQL Injection

It allows metasploit alike exploit repository to share and update exploits and attack temlpates.

You can download BSQL Hacker here:

BSQLHackerSetup-0907.exe

Or read more here.

Surf Jack – Cookie Session Stealing Tool

A tool which allows one to hijack HTTP connections to steal cookies – even ones on HTTPS sites! Works on both Wifi (monitor mode) and Ethernet.

Features:

• Does Wireless injection when the NIC is in monitor mode
• Supports Ethernet
• Support for WEP (when the NIC is in monitor mode)

Known issues:

• Sometimes the victim is not redirected correctly (particularly seen when targeting Gmail)
• Cannot stop the tool via a simple Control^C. This is a problem with the proxy

Requires:

• Python 2.4
• Scapy

You can download Surf Jack here:

surfjack-0.2b.zip

Or read more here.

PorkBind v1.3 – Nameserver (DNS) Security Scanner

This program retrieves version information for the nameservers of a domain and produces a report that describes possible vulnerabilities of each.

Vulnerability information is configurable through a configuration file; the default is porkbind.conf. Each nameserver is tested for recursive queries and zone transfers. The code is parallelized with libpthread.

Changes for v1.3

• Wrote in-a-bind shell script that scans random domain names from DMOZ
• Implemented recursive query testing
• Changed porkbind.conf to use CVE numbers in addition to CERT alerts
• Modified text displayed on stdout to make it more parsable
• Licensed with GNU Lesser General Public License
• Fixed timeout/concurrency/memory corruption bugs
• Fixed improper comparison of alpha/beta version numbering bug
• Added typecasts to silence compiler warnings

The tool now scans for 14 flaws and reports CVE numbers & CERT.

You can download PorkBind v1.3 here:

porkbind-1.3.tar.gz

Or read more here.

ISR-evilgrade – Inject Updates to Exploit Software

ISR-evilgrade is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software.

How does it work?

It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of the victims DNS traffic, it works in conjunction with man-in-the-middle techniques or MITM such as DNS, ARP, DHCP, etc.

Attack Vectors

Internal scenario:

• Internal DNS access
• ARP Spoofing
• DNS Cache Poisoning
• DHCP Spoofing

External scenario:

• Internal DNS Access
• DNS Cache Poisoning

What are the supported OS?

The framework is multiplatform, it only depends of having the right payload for the target platform to be exploited.

Implemented modules

• Java plugin
• Winzip
• Winamp
• MacOS
• OpenOffice
• iTunes
• Linkedin Toolbar
• DAP [Download Accelerator]
• Notepad++

You can download ISR-evilgrade here:

isr-evilgrade-1.0.0.tar.gz

Or read more here.

OpenVAS – Open Vulnerability Assessment System

As you all probably known since version 3 Nessus turned to a proprietary model and started charging for the latest plugins locking most of us out. Now we finally have a new, properly organised forked development with the name of OpenVAS – at last a decent and free Vulnerability Scanner!

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

OpenVAS products are Free Software under GNU GPL and a fork of Nessus.

About OpenVAS Server

The OpenVAS Server is the core application of the OpenVAS project. It is a scanner that runs many network vulnerability tests against many target hosts and delivers the results. It uses a communication protocol to have client tools (graphical end-user or batched) connect to it, configure and execute a scan and finally receive the results for reporting. Tests are implemented in the form of plugins which need to be updated to cover recently identified security issues.

The server consists of 4 modules: openvas-libraries, openvas-libnasl, openvas-server and openvas-plugins. All need to be installed for a fully functional server.

OpenVAS server is a forked development of Nessus 2.2. The fork happened because the major development (Nessus 3) changed to a proprietary license model and the development of Nessus 2.2.x is practically closed for third party contributors. OpenVAS continues as Free Software under the GNU General Public License with a transparent and open development style.

About OpenVAS-Client

OpenVAS-Client is a terminal and GUI client application for both OpenVAS and Nessus. It implements the Nessus Transfer Protocol (NTP). The GUI is implemented using GTK+ 2.4 and allows for managing network vulnerability scan sessions.

OpenVAS-Client is a successor of NessusClient 1.X. The fork happened with NessusClient CVS HEAD 20070704. The reason was that the original authors of NessusClient decided to stop active development for this (GTK-based) NessusClient in favor of a newly written QT-based version released as proprietary software.

OpenVAS-Client is released under GNU GPLv2 and may be linked with OpenSSL.

You can download OpenVAS here:

OpenVAS Client
OpenVAS Server

Or read more here.

raWPacket HeX – Network Security Monitoring & Analysis LiveCD

HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis work flow logic must be enhanced and emphasized through-out the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to be included to the liveCD, they have also tested them to make sure everything running as smooth as possible. In order to summarize the objective of HeX, they are trying to develop the first and foremost Network Security Monitoring & Network Based Forensics liveCD!

HeX Main Features

HeX Main Menu – Cleaner look and more user interface oriented and maximum 4 levels depth HeX Main Menu allows quick access to all the installed applications in HeX.

Terminal – This is exactly what you need, the ultimate analyzt console!

Instant access to all the Network Security Monitoring(NSM) and Network Based Forensics(NBF) Toolkits via Fluxbox Menu. We have also categorized them nicely so that you know what to use conditionally or based on scenario.

Instant access to the Network Visualization Toolkit, you can watch the network traffics in graphical presentation and that assist you in identifying large scale network attacks easily.

Instant access to Pcap Editing Tools which you can use to modify or anonymize the pcap data, it’s great especially when you want to share your pcap data.

Network and Pentest Toolkits contain a lot of tools to perform network or application based attacks, you can generate malicious packets using them and study malicious packets using those analysis tools listed in NSM-Toolkit and NBF-Toolkit as well.

While we think HeliX liveCD is better choice in digital forensics arsenal, Forensics-Toolkit can be considered as the add-on for people who are interested in doing digital forensics.

Under Applications, there are Desktop, Sysutils and Misc, all of them are pretty self-explained and contain user based applications such as Firefox, Liferea, Xpdf and so forth. Additionally, Misc contains some useful scripts, for example you can just start ssh service by clicking on SSHD-Start.

You can download HeX 1.0.3 here:

hex-i386-1.0.3.iso

Or read more here.

PuttyHijack V1.0 – Hijack SSH/PuTTY Connections on Windows

PuttyHijack is a POC tool that injects a dll into the PuTTY process to hijack an existing, or soon to be created, connection.

This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers. The injected DLL installs some hooks and creates a socket for a
callback connection that is then used for input/output redirection.

It does not kill the current connection, and will cleanly uninject if the socket or process is stopped.

Details

1) Start a nc listener
2) Run PuttyHijack specify the listener ip and port
3) Watch the echoing of everything including passwords

Some basic commands in this version include;

!disco – disconnect the real putty from the display
!reco – reconnect it
!exit – just another way to exit the injected shell

You can download PuttyHijack V1.0 here:

PuttyHijackV1.0.rar

Or read more here.

SIPcrack – SIP Login Dumper & Hash/Password Cracker

SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol.

The tools offer support for pcap files, wordlists and many more to extract all needed information and bruteforce the passwords for the sniffed accounts.

If you don’t have OpenSSL installed or encounter any building problems try ‘make no-openssl’ to build with integrated MD5 function (which is slower than the OpenSSL implementation).

Usage

Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file. See ’sipdump -h’ for options.

Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated See ’sipcrack -h’ for options.

You can download SIPcrack here:

SIPcrack-0.3pre.tar.gz

Or read more here.

Pass-The-Hash Toolkit v1.4

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

What’s new?

• Support for XP SP 3 for whosthere/iam (whosthere-alt/iam-alt work on xp sp3 without requiring any update)
• New -t switch for whosthere/whosthere-alt: establishes interval used by the -i switch (by default 2 seconds).
• New -a switch for whosthere/iam: specify addresses to use.
• New -r switch for iam/iam-alt: Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)
• genhash now outputs hashes using the LM HASH:NT HASH format

You can download Pass-The-Hash Toolkit v.14 here:

Source

pshtoolkit_v1.4-src.tgz

Windows Binaries

pshtoolkit_v1.4.tgz

Read what’s new? Or read more here.

nUbuntu – Security LiveCD

The main goal of nUbuntu is to create a distribution which is derived from the Ubuntu distribution, and add packages related to security testing, and remove unneeded packages, such as Gnome, Openoffice.org, and Evolution. nUbuntu is the result of an idea two people had to create a new distribution for the learning experience.

Many people ask, “What makes it better than X?”, or “Why should I use this over Y”. Our answer to this question is, we do not think about whether people are using it or not. We are more concerned about the learning process. If you want to try something with a clean interface, fast, and an excellent range of programs please don’t hesitate to download nUbuntu.

You can download nUbuntu 8.04 here:

nUbuntu – 8.04 (x86) (Torrent)
nUbuntu – 8.04 (x86) (Direct)

Or read more here.

MoocherHunter – Detect & Track Rogue Wifi Users

MoocherHunter™ is a mobile tracking software tool for the real-time on-the-fly geo-location of wireless moochers and hackers. It’s included as part of the OSWA Assistant LiveCD we mentioned quite recently.’

I wanted to mention this tool separately as I think it’s very cool!

MoocherHunter™ identifies the location of an 802.11-based wireless moocher or hacker by the traffic they send across the network. If they want to mooch from you or use your wireless network for illegal purposes (e.g. warez downloading or illegal filesharing), then they have no choice but to reveal themselves by sending traffic across in order to accomplish their objectives. MoocherHunter™ enables the owner of the wireless network to detect traffic from this unauthorized wireless client (using either MoocherHunter™’s Passive or Active mode) and enables the owner, armed with a laptop and directional antenna, to isolate and track down the source.

Because it is not based on fixed or statically-positioned hardware, MoocherHunter™ allows the user to move freely and walk towards the actual geographical location of the moocher/hacker. In residential and commercial multi-tenant building field trials held in Singapore in March 2008, MoocherHunter™ allowed a single trained operator to geo-locate a wireless moocher with a geographical positional accuracy of as little as 2 meters within an average of 30 minutes.

You can download OSWA Assistant here to get MoocherHunter:

oswa-assistant.iso

Or read more here.

TSGrinder – Brute Force Terminal Services Server

This is a tool that has been around quite some time too, it’s still very useful though and it’s a very niche tool specifically for brute forcing Windows Terminal Server.

TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.

TSGringer is a “dictionary” based attack tool, but it does have some interesting features like “l337″ conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a
username/password combination within a particular connection.

You can download TSGrinder 2.0.3 here:

tsgrinder-2.03.zip

Note that the tool requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:

roboclient.zip

Or read more here.

Lynis – Security & System Auditing Tool for UNIX/Linux

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This is a tool that might be useful for both penetration testers performing white box tests and system admins trying to secure their own systems.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, CD/DVD).

What is Lynis NOT:
- Not a hardening tool: Lynis does not fix things automatically, it only reports (and makes suggestions).

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:

• Available authentication methods
• Expired SSL certificates
• Outdated software
• User accounts without password
• Incorrect file permissions
• Firewall auditing

You can download Lynis 1.1.7 here:

lynis-1.1.7.tar.gz

Or you can read more here.

FWAuto v1.1 – Firewall Auditing & Ruleset Analyzer

FWAuto (Firewall Rulebase Automation) is a Perl script and should work on any system with Perl installed. Provide the running config of a PIX firewall to fwauto. It will analyze and give you a list of weak rules in your rule base and store the result in multiple output files.

Maybe there have been times when you have pentested a firewall. As part of a grey box engagement you were assigned the task of auditing that HUGE firewall rulebase and were stuck on how to proceed, just because of the sheer volume of information. This tool in Perl is created to help in auditing a rulebase and helping you to narrow down on the weak rules. Current support is just for Cisco PIX though the framework was designed to scale across multiple firewalls and no major changes need to be made.

Updates

• Outputs now available in reasonably neat HTML format
• No more complex command line arguments, everything’s in a config file
• More ports added in vulnerable ports section
• Options available to obtain detailed/non detailed output

You can download fwauto v.1.1 here:

fwauto_v1.1.zip

Or read more here.

Bsqlbf V2 – Blind SQL Injection Brute Forcer

The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind sql injection against a mysql backend database, this new version supports blind sql injection against the following databases:

• MS-SQL
• MY-SQL
• PostgreSQL
• Oracle

It supports injection in string and integer fields. The feature which separates this tool from all other sql injection tools is that it supports custom SQL queries to be supplied with the -sql switch.

It supports 2 modes of attack:

1. Type 0: Blind SQL Injection based on True And Flase response
2. Type 1: Blind SQL Injection based on True And Error Response(details)

You can download Bsqlbf V2 here:

bsqlbf-v2.1.zip

Or read more here.

BackTrack Final 3 Hacking LiveCD

New Stuff

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability

For the first time we distribute three different version of Backtrack 3:

• CD version
• USB version
• VMWare version

You can download BackTrack 3 Final here:

http://remote-exploit.org/backtrack_download.html

Or read more here.

Technitium v5

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must have tool in every security professionals tool box. Technitium MAC Address Changer is coded in Visual Basic 6.0.

Features

• Support for Windows Vista SP1 and Windows Server 2008 added.
• Allows you to remove all registry entries corresponding to Network Adapter that is no longer physically installed on the system.
• Allows you to configure Internet Explorer HTTP proxy settings through configuration presets or command line.
• Issues with installer program resolved. (Thanks to all your feedbacks)
• Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
• Most known issues with Windows Vista removed. (Thanks to all your feedbacks)
• Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
• Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
• Allows you to select random MAC address from the list of manufacturers by just clicking a button.
• Restarts your NIC automatically to apply MAC address changes instantaneously.
• Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
• Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
• Allows you to load any Configuration Presets when TMAC starts by just double clicking on any Configuration Preset File. (*.cpf file extension)
• Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks. (see help for command line parameter details)
• Allows you to export a detailed text report for all the network connections.
• Displays all information you would ever need to know about your NIC in one view like Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.

You can download Technitium v5 here:

Technitium-MAC-Address-Changer

Or read more here.

OSWA Assistant – Wireless Hacking & Auditing LiveCD Toolkit

The OSWA-Assistant is a no-Operating-System-required standalone toolkit which is solely focused on wireless auditing. As a result, in addition to the usual WiFi (802.11) auditing tools, it also covers Bluetooth and RFID auditing. Using the toolkit is as easy as popping it into your computer’s CDROM and making your computer boot from it!

This toolkit is a contribution to the wireless security/auditing community and, as the “Assistant” moniker implies, and is designed for the following groups of people:

• IT-security auditors and professionals who need to execute technical wireless security testing against wireless infrastructure and clients;
• IT professionals who have responsibility for ensuring the secure operation and administration of their organization’s wireless networks;
• SME (Small & Medium Enterprise) and SOHO (SmallOffice-HomeOffice) businesses who do not have either the technical expertise or the resources to employ such expertise to audit their wireless networks;
• Non-technical-users who run wireless networks at home and who would like to audit the security of their wireless home networks and laptops but don’t know how.

You can download OSWA Assistant here:

oswa-assistant.iso

Or read more here.

Angry IP Scanner – Cross Platform Port Scanner

Angry IP scanner is a very fast IP address and port scanner.

It can scan IP addresses in any range as well as any their ports. It is cross-platform and lightweight. Not requiring any installations, it can be freely copied and used anywhere.

Angry IP scanner simply pings each IP address to check if it’s alive, then optionally it is resolving its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be extended with plugins.

It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.

Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend functionality of Angry IP Scanner.

In order to increase scanning speed, it uses multithreaded approach: a separate scanning thread is created for each scanned IP address. It is also cross platform running on Windows, Linux & Mac.

You can download Angry IP Scanner version 3.0-beta3 below:

Executable for Windows 2000/XP/Vista
Executable JAR for any distribution of Linux (32-bit)

Or read more here.

sqlninja 0.2.3

Sqlninja is a tool written in PERL to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
• Bruteforce of ’sa’ password, both dictionary-based and incremental
• Privilege escalation to ’sa’ if its password has been found
• Creation of a custom xp_cmdshell if the original one has been disabled
• Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
• Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja! See it in action here.

What’s new in 0.2.3?

• A Metasploit3 wrapper, which allows the user to use SQL Injection to execute Metasploit payloads on the remote DB server
• Several other minor improvements

You can download sqlninja 0.2.3 here:

sqlninja-0.2.3.tgz

Or read more here.

Tmin – Test Case Optimizer for Automated Security Testing

Tmin is a simple utility meant to make it easy to narrow down complex test cases produced through fuzzing. It is closely related to another tool of this type, delta, but meant specifically for unknown, underspecified, or hard to parse data formats (without the need to tokenize and re-serialize data), and for easy integration with external UI automation harnesses.

It also features alphabet normalization to simplify test cases that could not be further shortened.

Example

$ cat testcase.in
This is a lengthy and annoying hello world testcase.

$ cat testme.sh
#!/bin/bash

grep "el..*wo" || exit 0
exit 1

$ ../tmin -x ./testme.sh
tmin - complex testcase minimizer, version 0.03-beta (lcamtuf@google.com)
[*] Stage 0: loading 'testcase.in' and validating fault condition...
[*] Stage 1: recursive truncation (round 1, input = 53/53)
[*] Stage 1: recursive truncation (round 2, input = 27/53)
[*] Stage 1: recursive truncation (round 3, input = 14/53)
[*] Stage 1: recursive truncation (round 4, input = 10/53)
[*] Stage 1: recursive truncation (round 5, input = 8/53)
[*] Stage 1: recursive truncation (round 6, input = 7/53)
[*] Stage 2: block skipping (round 1, input = 7/53)
[*] Stage 2: block skipping (round 2, input = 6/53)
[*] Stage 2: block skipping (round 3, input = 5/53)
[*] Stage 3: alphabet normalization (round 1, charset = 5/5)
[*] Stage 3: alphabet normalization (round 2, charset = 5/5)
[*] Stage 4: character normalization (round 1, characters = 4/5)
[*] All done - writing output to 'testcase.small'...

== Final statistics==
Original size : 53 bytes
Optimized size : 5 bytes (-90.57%)
Chars replaced : 1 (1.89%)
   Efficiency : 9 good / 49 bad
 Round counts : 1:6 2:3 3:2 4:1

$ cat testcase.small
el0wo

You can download Tmin 0.03 here:

tmin-0.03.tar.gz

Or read more here.

Technitium v4.8

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must tool in every security professionals tool box. Technitium MAC Address Changer is coded in Visual Basic 6.0.

There are some famous, commercial tools available in the market for US$19.99 to as much as US$1500 (!), but Technitium MAC Address Changer is available for FREE. We don’t charge for just changing a registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim!

Features

• Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
• Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
• Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
• Allows you to select random MAC address from the list of manufacturers by just clicking a button.
• Restarts your NIC automatically to apply MAC address changes instantaneously.
• Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
• Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
• Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.

You can download Technitium MAC Address Changer v4.8 here:

Technitium-MAC-Address-Changer

Or read more here.

Pass-The-Hash Toolkit v1.3

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is comprised of three tools: IAM.EXE, WHOSTHERE.EXE and GENHASH.EXE.

GENHASH.EXE
This is just a utility that uses some undocumented Windows functions to generate the LM and NT hash of a password. This tool is useful to test IAM.EXE and WHOSTHERE.EXE and perhaps to do some other things. Pretty simple and small tool.

IAM.EXE
This tools allows you to change your current NTLM credentials without having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE.

WHOSTHERE.EXE
This tools will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let’s say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller.

You can download Pass-The-Hash Toolkit v1.3 here:

Source Code

Latest stable release (1.3), updated on February 29, 2008.

Win32 binaries

Latest stable release (1.3), updated on February 29, 2008.

Or read more here.

sqlninja 0.2.2 – SQL Injection Tool

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
• Bruteforce of ’sa’ password, both dictionary-based and incremental
• Privilege escalation to ’sa’ if its password has been found
• Creation of a custom xp_cmdshell if the original one has been disabled
• Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

What’s new

• Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
• A more sophisticated upload module
• A new ‘blind execution’ attack mode, useful to issue commands and performs diagnostics when other modes fail
• Automatic URL-encoding now is performed only on sqlninja generated SQL code, giving the user a more granular control on the exploit strings

You can download Sqlninja 0.2.2 here:

sqlninja-0.2.2.tgz

Or read more here.

ProxyStrike – Active Web Application Proxy

ProxyStrike is an active Web Application Proxy, is a tool designed to find vulnerabilities while browsing an application. It was created because the problems faced in the pentests of web applications that depends heavily on Javascript, not many web scanners did it good in this stage, so ProxyStrike was born.

Right now it has available SQL injection and XSS modules. Both modules are designed to catch as many vulnerabilities as they can, it’s that why the SQL Injection module is a Python port of the great “SQLibf“.

The process is very simple, ProxyStrike runs like a passive proxy listening in port 8008 by default, so you have to browse the desired web site setting your browser to use ProxyStrike as a proxy, and ProxyStrike will analyze all the paremeters in background mode. For the user is a passive proxy because you won’t see any different in the behaviour of the application, but in the background is very active.

Features:

• HTTP request/response history
• Request parameter stats
• Request parameter values stats
• Request URL parameter signing and header field signing
• Use of an alternate proxy (tor for example)
• SQL attacks
• XSS attacks
• Export results to HTML or XML
• Console version (python proxystrike.py -c / proxystrike.exe -c)

You can download ProxyStrike here:

ProxyStrike v1.0 (Windows) (26/03/2008)
ProxyStrike v1.0 (Linux/OSX) (26/03/2008)

Or read more here.

Burp Suite v1.1

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Key features unique to Burp Suite include:

• Ability to “passively” spider an application in a non-intrusive manner, with all requests originating from the user’s browser.
• One-click transfer of interesting requests between tools, e.g. from the Burp Proxy request history, or the Burp Spider results tree.
• Detailed analysis and rendering of requests and responses.
• Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp Suite. Data processed by one tool can be used in arbitrary ways to affect the behaviour and results of other tools.
• Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
• Tools can run in a single tabbed window, or be detached in individual windows.
• All tool and suite configuration is optionally persistent across program loads.
• Runs in both Linux and Windows.

New features in version 1.1 include:

• Improved analysis of HTTP requests and responses wherever they appear, with browser-quality HTML and media rendering.
• Burp Sequencer, a new tool for analysing session token randomness.
• Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
• Burp Comparer, a new utility for performing a visual diff of any two data items.
• Support for custom client and server SSL certificates.
• Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
• Improved interception and match-and-replace rules in Burp Proxy.
• A “lean mode”, for users who prefer less functionality and a smaller resource footprint.

You can download Burp Suite here:

burpsuite_v1.1.zip
burpsuite_v1.1.tar.gz

Or read more here.

SWFIntruder – Analysis and Security Testing of Flash Applications

It helps to find flaws in Flash applications using the methodology originally described in Testing Flash Applications and in Finding Vulnerabilities in Flash Applications.

Features

• Basic predefined attack patterns.
• Highly customizable attacks.
• Highly customizable undefined variables.
• Semi automated XSS check.
• User configurable internal parameters.
• Log Window for debugging and tracking.
• History of latest 5 tested SWF files.
• ActionScript Objects runtime explorer in tree view.
• Persistent Configuration and Layout.

SWFIntruder was developed using ActionScript, Html and JavaScript resulting in a tool taking advantage of the best features of those technologies in order to get the best capabilities for analysis and interaction with the testing Flash movies.

SWFIntruder was developed by using only open source software. Thanks to its generality, SWFIntruder is OS independant.

You can download SWFIntruder here:

swfintruder-0.9.1.tgz

Or read more here.

Russix – LiveCD Linux Distro for Wireless Penetration Testing & WEP Cracking

Russix is a Slax based Wireless Live Linux. It has been designed to be light (circa 230Mb) and dedicated purely to wireless auditing.

It is not a script kiddy phishing tool and as such, while it will allow you to break a WEP key in 6 key strokes and conduct an “Evil Tiny Twin” attack in less than 5, it will not let you become the latest version of Barclays Bank.

Russix evolved from an internal UK Military Wireless auditing tool (debian based) which russ had developed while working for them as a penetration tester.

Russix is a free download for auditing. It scripts together several WLAN attacks and will allow the user to break a WEP key in about 6 keystrokes! It will not be modified by us to make it into a phishing tool as that would be evil.

It comprises a number of tools including aircrack-ng, cowpatty, asleap, nmap, wireshark, hydra, as well as scripted attacks to aid cracking WEP and WPA networks. Currently, it only supports Atheros based chipsets and those of you lucky enough to own 2 atheros cards will be able to use the scripted Evil Twin attack.

Interested in hearing any feedback you may have or improvements you can make.

You can download it here:

Built on 9th Dec 2007: Download latest version

Or read more here.

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.

This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

PHPIDS enables you to see who’s attacking your site and how and all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it’s licensed under the LGPL!

It’s a fairly mature product with some good documentation (docs are here) and it’s easily to programmatically grab the latest version of the filter rules (it’s just an xml file).

You can see a demo here were you can try some injections or XSS and see the warnings.

http://demo.php-ids.org/

Download the latest version of PHPIDS here:

PHPIDS 0.4.6 zip
PHPIDS 0.4.6 tar.gz

There are other versons for Drupal and Wordpress on the download page.

Or read more here.

Kismet – Wireless Network Hacking, Sniffing & Monitoring

Kismet is one of foundation tools Wireless Hacking, it’s very mature and does what it’s supposed to do.

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

Features

• Ethereal/Tcpdump compatible data logging
• Airsnort compatible weak-iv packet logging
• Network IP range detection
• Built-in channel hopping and multicard split channel hopping
• Hidden network SSID decloaking
• Graphical mapping of networks
• Client/Server architecture allows multiple clients to view a single
• Kismet server simultaneously
• Manufacturer and model identification of access points and clients
• Detection of known default access point configurations
• Runtime decoding of WEP packets for known networks
• Named pipe output for integration with other tools, such as a layer3 IDS like Snort
• Multiplexing of multiple simultaneous capture sources on a single Kismet instance
• Distributed remote drone sniffing
• XML output
• Over 20 supported card types

If you need to get funky with a wireless network, grab Kismet for a start.

You can download the latest stable source here:

kismet-2007-10-R1.tar.gz (sig)

Or read more here.

Bruter 1.0 – Parallel Windows Password Brute Forcing Tool

Bruter 1.0 BETA 1 has been released. Bruter is a parallel login brute-forcer. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication.

Bruter is a tool for the Win32 platform only.

PROTOCOL SUPPORT

It currently supports the following services:

• FTP
• HTTP (Basic)
• HTTP (Form)
• IMAP
• MSSQL
• MySQL
• POP3
• SMB-NT
• SMTP
• SNMP
• SSH2
• Telnet

DEPENDENCIES

• OpenSSL – Win32 OpenSSL package
• Libssh2

You can download Bruter here:

Bruter_1.0_beta1.zip

Or read more here.

Metasploit Framework v3.1

The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community.

The graphical user interface is a major step forward for Metasploit users on the Windows platform. Development of this interface was driven by Fabrice Mourron and provides a wizard-based exploitation system, a graphical file and process browser for the Meterpreter payloads, and a multi-tab console interface. “The Metasploit GUI puts Windows users on the same footing as those running Unix by giving them access to a console interface to the framework” said H D Moore, who worked with Fabrice on the GUI project.

The latest incarnation of the framework includes a bristling arsenal of exploit modules that are sure to put a smile on the face of every information warrior. Notable exploits in the 3.1 release include a remote, unpatched kernel-land exploit for Novell Netware, written by toto, a series of 802.11 fuzzing modules that can spray the local airspace with malformed frames, taking out a wide swath of wireless-enabled devices, and a battery of exploits targeted at Borland’s InterBase product line. “I found so many holes that I just gave up releasing all of them”, said Ramon de Carvalho, founder of RISE Security, and Metasploit contributor.

Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the tiny Nokia n800 handheld. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.

You can download Metasploit v3.1 here:

Metasploit v3.1 tar.gz
Metasploit v3.1 exe

Or read more here.

sqlmap 0.5 – Automated SQL Injection

sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

Features

• Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-end.
• Can also identify Microsoft Access, DB2, Informix and Sybase;
• Extensive database management system back-end fingerprint based upon:
• - Inband DBMS error messages
• – DBMS banner parsing
• – DBMS functions output comparison
• – DBMS specific features such as MySQL comment injection
• – Passive SQL injection fuzzing
• It fully supports two SQL injection techniques:
• – Blind SQL injection, also known as Inference SQL injection
• – Inband SQL injection, also known as UNION query SQL injection

You can find the documentation here:

sqlmap README (HTML and PDF)

You can download sqlmap 0.5 here:

sqlmap-0.5 (tar/zip)

Or read more here.

w3af Fifth BETA – Automated Web Auditing and Exploitation Framework

w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

• Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
• w3afAgent, a reverse VPN that allows you to route packets through the compromised server
• Good samaritan, a module that allows you to exploit blind sql injections much faster
• 20+ new plugins
• A lot of bug fixes
• A much more stable core.

A full plugin list is here:

w3af – Plugins

The users guide can be found here:

w3afUsersGuide.pdf

The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.

w3af-T2.pdf

You can download w3af here:

w3af BETA5

Or read more here.

Unicornscan v0.4.7

Unicornscan has always been a favourite of mine, especially for UDP scanning and scanning large networks (and getting it done fast).

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.

In some ways the implementation is better than Nmap – in some ways worse. Both are great tools and for me they work well hand in hand, both have certain advantages over the other in different situations.

I did get half way to writing an article about Nmap vs Unicornscan for large network scanning.

Benefits of Unicornscan

Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Although it currently has hundreds of individual features, a main set of abilities include:

• Asynchronous stateless TCP scanning with all variations of TCP Flags.
• Asynchronous stateless TCP banner grabbing
• Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
• Active and Passive remote OS, application, and component identification by analyzing responses.
• PCAP file logging and filtering
• Relational database output
• Custom module support
• Customized data-set views

Anyway on the news – Unicornscan has finally been updated and v0.4.7 is available and released for download.

Unicornscan has also been awarded 2nd place in the security category for this years Les Trophees du libre 2007 (http://www.tropheesdulibre.org).

You can download Unicornscan here:

Source Code: unicornscan-0.4.7-2.tar.bz2
Fedora Core 8 RPM: unicornscan-0.4.7-4.fc8.i386.rpm

Or read more here.

Documentation is available here: Unicornscan-Getting_Started.pdf