inSSIDer v1.2.3.1014 – Wi-Fi network scanner For Windows

inSSIDer is an award-winning free Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, we built an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.

What’s Unique about inSSIDer?

• Use Windows Vista and Windows XP 64-bit.
• Uses the Native Wi-Fi API.
• Group by Mac Address, SSID, Channel, RSSI and “Time Last Seen.”
• Compatible with most GPS devices (NMEA v2.3 and higher).

How can inSSIDer help me?

• Inspect your WLAN and surrounding networks to troubleshoot competing access points.
• Track the strength of received signal in dBm over time.
• Filter access points in an easy to use format.
• Highlight access points for areas with high Wi-Fi concentration.
• Export Wi-Fi and GPS data to a KML file to view in Google Earth

InSSIDer is licensed under the Apache License, Version 2.0. The source code is freely available from the public Subversion repository at http://www.metageek.net/svn/trunk.

You can download inSSIDer here:

Inssider_Installer.msi

Or read more here.

Process Hacker v1.7 – Process Viewer & Memory Editor

Process Hacker is a free and open source process viewer and memory editor with unique features such as powerful process termination and a Regex memory searcher. It can show services, processes and their threads, modules, handles and memory regions.

Key Features

• Viewing, terminating, suspending and resuming processes.
• Restarting processes, creating dump files, detaching from any debuggers, viewing heaps, injecting DLLs, etc.
• Viewing detailed process information, statistics, and performance information.
• Viewing, terminating, suspending and resuming threads.
• Viewing detailed token information (including modifying privileges).
• Viewing and unloading modules.
• Viewing memory regions.
• Viewing environment variables.
• Viewing and closing handles.
• Viewing, controlling and editing services.
• Viewing and closing network connections.

System Requirements

• .NET Framework 2.0
• Microsoft Windows XP SP2 or above, 32-bit or 64-bit.

You can download Process Hacker v1.7 here:

processhacker-1.7-setup.exe

Or read more here.

Metasploit 3.3 - Exploitation Framework

What is Metasploit?

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

What does it do?

The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

It’s come a long way since it’s early versions and has picked up huge supports from the community.

• Metasploit now has 445 exploit modules and 216 auxiliary modules (from 320 and 99 respectively in v3.2)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (375k lines of Ruby)
• Over 180 tickets were closed during the 3.3 development process

Full release notes for v3.3 are here.

You can download Metasploit v3.3 here:

Windows – framework-3.3.exe
Linux – framework-3.3.tar.bz2

Or read more here.

Katana v1 (Kyuzo) – Portable Multi-Boot Security Suite

The Katana: Portable Multi-Boot Security Suite is designed to fulfill many of your computer security needs. The idea behind this tool is to bring together many of the best security distributions and applications to run from one USB Flash Drive. Instead of keeping track of dozens of CDs and DVDs loaded with your favorite security tools, you can keep them all conveniently in your pocket.

Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots. Katana comes with over 100 portable Windows applications, such as Wireshark, HiJackThis, Unstoppable Copier, Firefox, and OllyDBG. It also includes the following distributions:

• Backtrack 4 pre
• the Ultimate Boot CD
• Ophcrack Live
• Damn Small Linux
• the Ultimate Boot CD for Windows
• Got Root? Slax
• Organizational Systems Wireless Auditor (OSWA) Assistant
• Damn Vulnerable Linux

Katana is also highly customizable. You can modify Katana by adding or removing distributions and portable apps with ease. You can add functionality to distributions like the Ultimate Boot CD, Got Root? Slax and UBCD4Win. You can also load your personal scripts and documents to keep them conveniently with
you on your flash drive to use in concert with the provided tools.

You can download Katana v1 here:

katana-v1.rar
katana-v1.torrent

Or read more here.

Cain & Abel v4.9.35 – Password Sniffer, Cracker and Brute-Forcing Tool

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol’s standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Most recently added is the support for Windows 2008 Terminal Server in APR-RDP sniffer filter.

You can download Cain & Abel v4.9.35 here:

ca_setup.exe

Or read more here, the online user manual is here.

RATS – Rough Auditing Tool for Security

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.

RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.

Nikto 2.1.0 – Web Server Security Scanning Tool

For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Changes

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

• Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins
• Rewrite to the reporting engine allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing
• Large overhaul of documentation to document built-in methods and variables
• Addition of caching to reduce amount of calls made to the web servers, as well as a facility to disable smart 404 guessing.
• Addition of simple guessing for whether a system is an embedded device and to report what it is
• Plugin to use OWASPs dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)
• Plugin to attempt to brute force domains (as mutate 5)
• Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing
• Support for NTLM authentication
• Lots of bug fixes and new security checks

You can download Nikon 2.1.0 here:

nikto-current.tar.gz

Plugins and DB can be found here.

Or read more here.

Naptha – TCP State Exhaustion Vulnerability & Tool

The Naptha vulnerabilities are a type of denial-of-service vulnerabilities researched and documented by Bob Keyes of BindView’s RAZOR Security Team in 2000. The vulnerabilities exist in some implementations of the TCP protocol, specifically in the way some TCP implementations keep track of the state of TCP connections, and allow an attacker to exhaust the resources of a system under attack without utilizing much resources on the system used to launch the attack.

The following links provide more information about the Naptha denial-of-service vulnerabilities:

• The original BindView advisory is archived here.
• The advisory that CERT/CC published for the Naptha vulnerabilities is here.

The Tool

To study and show the Naptha vulnerabilities, Bob Keyes wrote the Naptha tool. The tool was written in C and used libpcap to read packets from the network and libdnet to craft packets.

The Naptha tool actually consists of two programs: a program called synsend whose only function is to send TCP SYN packets to the target system, and a program called srvr whose function is to respond to specific traffic received from the target system with TCP packets with specific TCP flags set. Both what traffic to respond to and how to respond to it are specified by the user via command-line arguments.

You can download Naptha here:

naptha-1.1.tgz

Or read more here.

Nat Probe – NAT Detection Tool

This little, but very useful program, try to sends ICMP packet out the LAN, and detect all the host that allow it. Whit this you can find bugs in your (company?) network ( or others), for example hosts that allow p2p connections.

Explanation

When we use a Gateway, we send the packets with IP destination of the target, but the destination MAC on the ethernet is the MAC at the Gateway. If we send a packet to the different MACs in the LAN, we can know who is the gateway when we receive an response from this MAC.

Some times we can discover more than one box configured to be an gateway, generally, this is an wrong configuration, and the box will response with an ICMP-Redirect. This is the same, because the script only verify if the mac response.

NatProbe is develop in Python with the Scapy library.

You can download Nat Probe here:

natprobe.1.0.tar.gz

Or read more here.

FRHACK OS v1 alpha1 – Pentesting/Security LiveCD

FRHACK OS is an updated/modified version of the latest BackTrack 4 ISO with many updated tools and fixes.

This means it’s a fully fledged linux pen-testing/security environment.

Some included tools & Updates

• gcc-4.2
• sun-java6-jre sun-java6-plugin
• spoonwep-wpa-rc3.deb
• airsnort-0.2.7e.tar.gz
• wepbuster-1.0_beta_0.6
• jbrofuzz-jar-15
• wfuzz-1.4
• tor-0.2.1.19
• privoxy-3.0.8-stable-src
• ophcrack-3.3.1
• vncrack_src-1.21
• fuzzgrind_090622

A new version (coming with bug fixes, included rainbow tables, wordlists, extras etc.) will be available for FRHACK 01, so you’ll be able to use it for the FRHACK Wargame.

You can download FRHACK OS v1 alpha1 (1.4GB) here:

frhack-os.iso

Websecurify – Web Security Testing

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features

1. JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
2. Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
3. Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
4. Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.
5. Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool and there are already tones of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

Or read more here.

SWFScan – Free Flash Application Security Scanner

HP SWFScan is a free tool developed by HP Web Security Research Group, which will automatically find security vulnerabilities in applications built on the Flash platform.

HP is offering SWFScan because:

• Their research shows that developers and increasingly implementing applications built on the Adobe Flash platform without the required security expertise.
• As a result, they are seeing a proliferation of insecure applications being deployed on the web.
• A vulnerable application built on the Flash platform widens your website’s attack surface creating more opportunity for malicious hackers.

How SWFScan works and what vulnerabilities it finds:

• Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
• Identifies and reports insecure programming and deployment practices and suggests solutions.
• Enables you to audit third party applications without requiring access to the source code.

You can download SWFScan here:

SwfScan.msi

Or read more here.

MySqloit – SQL Injection Takeover Tool For LAMP

MySqloit is a SQL Injection takeover tool focused on LAMP (Linux, Apache, MySQL, PHP) and WAMP (Windows, Apache, MySQL, PHP) platforms. It has the ability to upload and execute metasploit shellcodes through the MySql SQL Injection vulnerabilities. Attackers performing SQL injection on a MySQL-PHP platform must deal with several limitations and constraints.

For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution, compared to other platforms. This tool is written to demostrate how remote code execution can be performed on a database connector that do not support stack queries.

Key Features

• SQL Injection detection using time based injection method
• Database fingerprint
• Web server directory fingerprint
• Payload creation and execution

MySqloit is currently only tested on Linux. This is a new tool though so we should expect more development soon, I hope some of you guys can test it out and let the author know what you think.

You can download MySqloit v0.1 here:

MySqloitv0.1.tar

Or read more here.

IKECrack – IKE/IPSec Authentication Cracking Tool

IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

• MDCrack
• Ron Rivest’s MD5
• Simeon Pilgrim’s Reverse MD5
• MD5 and HMAC-MD5 PerlMods
• libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

Stoned Bootkit – Windows XP, 2003, Vista, 7 MBR Rootkit

What is Stoned Bootkit?

A bootkit is a boot virus that is able to hook and patch Windows to get load into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!

For whom is Stoned Bootkit interesting?

1. Black Hats
2. Law enforcement agencies
3. Microsoft

Why is Stoned something new? Because it is the firts bootkit that..

• attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
• attacks TrueCrypt full volume encryption
• has integrated FAT and NTFS drivers
• has an integrated structure for plugins and boot applications (for future development)

“A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.” – Robert Hensing about bootkits

You can download Stoned Bootkit here:

Open Source Framework – Stoned Bootkit Framework.zip
Infector file – Infector.exe

Or you can read more here.

Xplico – Network Forensic Analysis Tool

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License (see License for more details).

Xplico Features

• Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
• Port Independent Protocol Identification (PIPI) for each application protocol;
• Multithreading;
• Output data and information in SQLite database or Mysql database and/or files;
• At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
• Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
• TCP reassembly with ACK verification for any packet or soft ACK verification;
• Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
• No size limit on data entry or the number of files entrance (the only limit is HD size);
• IPv4 and IPv6 support
• Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
• The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

You can download Xplico 0.5.2 here:

xplico-0.5.2.tgz

Or read more here.

sqlmap 0.7 – Automatic SQL Injection Tool

For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

• Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
• Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
• Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
• This make sqlmap 0.7 to work again on Windows too.
• Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
• HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:

Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Or read more here.

bsqlbf v2.3 – Blind SQL Injection Brute Forcing Tool

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Databases supported:

• MS-SQL
• MySQL
• PostgreSQL
• Oracle

The 6 Attack Models

• Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
• Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
• Type 2: Blind SQL Injection in “order by” and “group by”.
• Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
• Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
• Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:

bsqlbf-v2-3.pl

Or read more here.

Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.

Vulnerabilities

• SQL Injection
• XSS (Cross Site Scripting)
• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• Command Execution
• Upload Script
• Login Brute Force

Changes

• Added Acunetix scan report.
• All links use http://hiderefer.com to hide referrer header.
• Updated/added ‘more info’ links.
• Moved change log info to CHANGELOG.txt.
• Fixed the exec.php UTF-8 output.
• Moved Help/View source buttons to footer.
• Fixed phpInfo bug.
• Made DVWA IE friendly.
• Fixed html bugs.
• Improved README.txt and fixed typos.
• Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock..but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommend that you download and install XAMP onto a local machine inside your LAN which is used solely for testing.

You can download DVWA 1.0.4 here:

dvwa_v1.0.4.zip

Or read more here.

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s a all-in-one multipurpose LiveDVD put together. There’s something in it for everyone.

MultiISO LiveDVD Version 1.0 consists of:

• Backtrack 3
• Damn Small Linux (DSL) 4.2.5
• GeeXboX 1.1
• Damn Vulnerable Linux (Strychnine) 1.4 edition
• Knoppix 5.1.1, MPentoo 2006.1
• Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
• Puppy Linux 3.01
• Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a Torrent link is available, please seed after downloading):

Torrent: EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Or read more here.

Kon-Boot – Reset Windows & Linux Passwords

Kon-Boot is an prototype piece of software which allows to change contents of a Linux kernel (and now Windows kernel also!!!) on the fly (while booting).

In the current compilation state it allows to log into a Linux system as ’root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

It was mainly created for Ubuntu, later the author has made a few add-ons to cover some other Linux distributions.

Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems listed below. Kon-Boot for Windows enables logging in to any password protected machine profile without without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually – without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot:

• Windows Server 2008 Standard SP2 (v.275)
• Windows Vista Business SP0
• Windows Vista Ultimate SP1
• Windows Vista Ultimate SP0
• Windows Server 2003 Enterprise
• Windows XP
• Windows XP SP1
• Windows XP SP2
• Windows XP SP3
• Windows 7

No special usage instructions are required for Windows users, just boot from Kon-Boot CD/Floppy, select your profile and put any password you want. You lost your password? Now it doesnt matter at all.

It has been tested with the following Linux distributions:

• Gentoo 2.6.24-gentoo-r5 GRUB 0.97
• Ubuntu 2.6.24.3-debug GRUB 0.97
• Debian 2.6.18-6-6861 GRUB 0.97
• Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

Or read more here.

BackTrack 4 Pre

You may remember back in February the BETA of BackTrack 4 was released for download, the team have made many changes and have now released BackTrack 4 Pre Release.

For those that don’t know BackTrack is the top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.

It’s evolved from the merge of the two wide spread distributions – Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as new-comers are using BackTrack as their favorite toolset all over the globe.

The new version has busted the 700mb file size though so it’d DVD or USB, it’s recommended to use a USB drive to run it or install it on your HDD as running from a CD isn’t exactly speedy.

Full details available in the PDF guide:

BackTrack 4 Guide [PDF]

You can download BackTrack 4 Pre Release ISO here:

bt4-pre-final.iso

Or read more here.

Technitium v5 R2

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must tool in every security professionals tool box.

Technitium MAC Address Changer is coded in Visual Basic 6.0.

Features

• Support for Windows 7 RC added.
• Issues with installer program resolved.
• Most reported bugs in previous versions removed.
• Allows you to remove all registry entries corresponding to Network Adapter that is no longer physically installed on the system.
• Allows you to configure Internet Explorer HTTP proxy settings through configuration presets or command line.
• Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
• Most known issues with Windows Vista removed.
• Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
• Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
• Allows you to select random MAC address from the list of manufacturers by just clicking a button.
• Restarts your NIC automatically to apply MAC address changes instantaneously.
• Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
• Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
• Allows you to load any Configuration Presets when TMAC starts by just double clicking on any Configuration Preset File. (*.cpf file extension)
• Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.
• Displays all information you would ever need to know about your NIC in one view like Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.
• Displays total bytes sent and received through the NIC.
• Displays current data transfer speed per second.
• Allows you to configure IP Address, Gateway and DNS Server for your NIC quickly and instantaneously.
• Allows you to enable/disable DHCP instantaneously.
• Allows you to Release/Renew DHCP IP address instantaneously.

There are some famous, commercial tools available in the market from USD 19.99 to as much as USD 2499, but Technitium MAC Address Changer is available for FREE. They don’t charge for just changing a registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim.

You can download Technitium v5 R2 here:

TMACv5_R2_Setup.zip

Or read more here.

Samurai Web Testing Framework 0.6 – Web Application Security LiveCD

The authors have updated and fixed a number of issues with the environment as well as improved performance of the java based tools. They have also included a virtual machine of the environment. This VM requires VMWare.

For those that don’t know, Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. There are tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

You can download SamuraiWTF 0.6 here:

samurai-0.6.iso

Or read more here.

Pangolin – Automatic SQL Injection Tool

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Database Support

• Access: Informations (Database Path; Root Path; Drivers); Data
• MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
• MySql: Informations; Data; FileReader; FileWriter;
• Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
• Informix: Informatons; Data
• DB2: Informatons; Data; and more;
• Sybase: Informatons; Data; and more;
• PostgreSQL: Informatons; Data; FileReader;
• Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:

pangolin_free_edition_2.1.2.924.rar (Download Page)

Or read more here.

Durzosploit v0.1 – JavaScript Exploit Generation

Durzosploit is a JavaScript exploit generation framework that works through the console. This goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

Please note that Durzosploit does not find browser vulnerabilities, it only is an framework containing exploits you can use.

At present there aren’t many exploits:

• twitter.com/update_status – Updates a target’s status
• twitter.com/update_settings – Updates your target’s settings
• facebook.com/what_is_on_your_mind – Write your message in your target’s mind
• drupal/edit_user_profile – Drupal 6.x – edit the profile of the user
• drupal/logout – Drupal 6.x – makes target logout

So far the author’s focus has been on the framework itself; allowing people to quickly write their exploits and adding some automated obfuscators.

Durzosploit provides some obfuscators to automatically pack/minify your generated exploit.

You can download the latest version from the Durzosploit SVN here:

svn co svn://www.engineeringforfun.com/svn/durzosploit/trunk

Or read more here.

Fiddler – Web Debugging Proxy For HTTP(S)

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

If you want some info on how to use Fiddler for debugging you can check here:

Fiddler Can Make Debugging Easy

You can download Fiddler here:

Fiddler2Setup.exe

Or read more here.

Lynis 1.2.6 – UNIX System & Security Auditing Tool

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

A lot of new checks and controls have been added in this latest release (Full Changelog). Do note Lynix is not a hardening tool, it won’t make any changes – only suggestions.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:

• Available authentication methods
• Expired SSL certificates
• Outdated software
• User accounts without password
• Incorrect file permissions
• Firewall auditing

You can download Lynix 1.2.6 here:

lynis-1.2.6.tar.gz

Or read more here.

winAUTOPWN – Windows Autohacking Tool

winAUTOPWN is a TooL to Autohack your targets with least possible interaction. The aim of creating winAUTOPWN is not to compete with already existing commercial frameworks like Core Impact (Pro), Immunity Canvas, Metasploit Framework (freeware), etc. which offer autohacks, but to create a free, quick, standalone application which is easy to use and doesn’t require a lot of support of other dependencies.

Also not forgetting that winAUTOPWN unlike other frameworks maintains the original exploit writer’s source code intact just as it was and uses it. This way the exploit writer’s credit and originality is maintained. The source is modified only when required to enable a missing feature or to remove hard-coded limitations. Under these circumstances also, the exploit writers credits remain intact.

Newer exploit modules are added as and when they release and older ones are also being daily added.
Binaries of perl, php, python and cygwin DLLs (included) are required to exist either in a common folder or should be properly installed with their paths registered for those exploits which are cannot be compiled into a PE-exe.

Features :

• Contains already custom-compiled executables of famous and effective exploits alongwith a few original modified exploits.
• No need to debug, script or compile the source codes.
• Scans all ports 1 – 65535 after taking the IP address and tries all possible exploits according to the list of discovered open ports (OpenPorts.TXT)
• PortScan is multi-threaded.
• Doesn’t require any Database like (PostGres,MySQL,etc.) at the back-end
• Can be also be used to test effectiveness of IDS/IPS
• Launched exploits are independent and doesn’t rely on service fingerprinting (to avoid evasion, if any)
• Requires presence of php, perl and python with registeredpaths in Environment variables.

winAUTOPWN is updated almost daily. A separate DragonflyBSD-server is being set up which will hold the exploit repository and the next version will autosync the exploits from them in the appropriate folder.

You can download winAUTOPWN here:

winAUTOPWN.RAR

Or read more here.

sqlsus 0.2 - MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in perl.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…

It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent (eg : “sqlsus” will become 0×73716c737573)

sqlsus also supports these 2 scenarios of injection :

• sighted : the result of the request will be in the HTML returned by the web server
• blind : when you can’t see the result of the request directly

Support for GET and POST parameters injections.

Support for HTTP proxy and HTTP simple authentication.

Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.

Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.

Requirements

On a Debian system, in addition to perl, you will need the following packages :

• libterm-readline-perl-perl
• libipc-shareable-perl
• libwww-mechanize-perl

It also requires previous SQL injection knowledge, and.. well.. a brain helps.

You can download sqlsus 0.2 here:

sqlsus-0.2.tgz

Or read more here.

Webshag 1.10 – Free Web Server Audit Tool

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.

You may remember back in March 2008 we published about Webshag 1.00 being released. Now Webshag 1.10 has been released! This new version provides several feature enhancements as well as some bug-fixes.

Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between request more complicated (e.g. use a different random per request HTTP proxy server).

It also provides innovative functionalities like the capability of retrieving the list of domain names hosted on a target machine and file fuzzing using dynamically generated filenames (in addition to common list-based fuzzing).

Webshag URL scanner and file fuzzer are aimed at reducing the number of false positives and thus producing cleaner result sets. For this purpose, webshag implements a web page fingerprinting mechanism resistant to content changes. This fingerprinting mechanism is then used in a false positive removal algorithm specially aimed at dealing with “soft 404″ server responses.

Requirements

To be fully functional, Webshag requires the following elements:

• Python 2.5 or Python 2.6 (NOT compatible with Python 3.0)
• wxPython 2.8.9.0 (or greater) GUI toolkit
• Nmap port scanner (for port scanning module only)
• A valid Live Search AppID (for domain information module only)

Just like the previous version, Webshag 1.10 is freely available (GPL license) for Linux and Windows platforms.

You can download Webshag 1.10 here:

Linux – ws110.tar.gz
Windows – ws110.zip
Windows (installer) – ws110_win32installer.zip
User Manual (EN) – ws110_manual.pdf

Or read more here.

dnsmap 0.22 Released – Subdomain Bruteforcing Tool

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (public zone transfers rarely work nowadays).

Original Features of Version 0.1

• obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
• abort the bruteforcing process in case the target domain uses wildcards
• ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
• bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22

• saving the results in human-readable and CSV format for easy processing
• fixed bug that disallowed reading wordlists with DOS CRLF format
• improved built-in subdomains wordlist
• new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file.
• bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

You can download dnsmap 0.22 here:

dnsmap-0222tar.gz (Make sure you add another . before the tar)

Or read more here.

Medusa v1.5

What is Medusa?

Medusa is a speedy, massively parallel, modular, login brute-forcer for network services. Some of the key features of Medusa are:

• Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
• Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
• Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

• AFP
• CVS
• FTP
• HTTP
• IMAP
• MS-SQL
• MySQL
• NCP (NetWare)
• NNTP
• PcAnywhere
• POP3
• PostgreSQL
• rexec
• rlogin
• rsh
• SMB
• SMTP (AUTH/VRFY)
• SNMP
• SSHv2
• SVN
• Telnet
• VmAuthd
• VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences – you can see a brief comparison here.

It’s been over a year since version 1.4 was released and there has been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. The following is a quick rundown on some of the new features, if you wish to see a detailed ChangeLog it’s here.

• AFP – new module (still marked as unstable)
• HTTP – digest auth support
• IMAP – STARTTLS, NTLM support
• POP3 – STARTTLS, LOGIN, PLAIN, NTLM support
• SMBNT – LM, LMv2, NTLMv2 support
• SMTP – NTLM support
• TELNET – AS/400 (TN5250) support
• misc. core and module bug fixes

You can download Medusa v1.5 here:

medusa-1.5.tar.gz

Or read more here.

SSLstrip – HTTPS Stripping Attack Tool

This tool provides a demonstration of the HTTPS stripping attacks that was presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation on the homepage.

To get this running:

• Flip your machine into forwarding mode.
• Setup iptables to redirect HTTP traffic to sslstrip.
• Run sslstrip.
• Run arpspoof to convince a network they should send their traffic to you.

That should do it.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.

You can download sslstrip 0.2 here:

sslstrip-0.2.tar.gz

Or read more here.

Fast-Track 4.0 – Automated Penetration Testing Suite

The latest big buzz is Fast-Track released recently at ShmooCon by Securestate, basically Fast-Track is an automated penetration suite for penetration testers.

For those of you new to Fast-Track, Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when David Kennedy was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming.

In an effort to reproduce some of David’s advanced attacks and propagate it down to the team at SecureState, David ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us.

Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride.

It’s something a lot of people will enjoy as many parts of a pen-test are very monotonous and don’t really take your full concentration, a semi-automated approach with a skillful eye watching for false-positives and false-negatives is always more effective and efficient than fully manual or fully automated testing.

Dependencies – Metasploit 3, SQLite, PYMSSQL, FreeTDS, Pexpect, ClientForms, Beautiful Soup, and Psycho.

Installation – When extracting the tarball, run the setup.py file by executing python setup.py install, this will install the needed dependencies MINUS SQLite and Metasploit 3, you should specify the metasploit path or it will default to the BackTrack 3 installation menu. Once the installation is completed, Fast-Track should be fully functional.

You can download Fast-Track 4.0 here:

fasttrack.tgz

Or read more here.

BackTrack BETA 4

The Remote Exploit Development Team is happy to announce the release of BackTrack 4 Beta. In this latest version of BackTrack 4 there have been some conceptual changed and some new and exciting features. The most significant of these changes is the expansion from the realm of a Pentesting LiveCD towards a full blown “Distribution”.

Now based on Debian core packages and utilizing the Ubuntu software repositories, BackTrack 4 can be upgraded in case of update. When syncing with the BackTrack repositories, you will regularly get security tool updates soon after they are released.

If you don’t know what BackTrack is – it’s the result of merging the two innovative penetration testing live linux distributions Auditor and Whax. Backtrack provides a thorough pentesting environment which is bootable via CD, USB or the network (PXE). The tools are arranged in an intuitive manner, and cover most of the attack vectors. Complex environments are simplified, such as automatic Kismet configuration, one click Snort setup, precompiled Metasploit lorcon modules, etc. BackTrack has been dubbed the #1 Security Live CD by Insecure.org, and #36 overall.

New Features

• Kernel 2.6.28.1 with better hardware support.
• Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
• Support for PXE Boot – Boot BackTrack over the network with PXE supported cards!
• SAINT EXPLOIT – kindly provided by SAINT corporation for our users with a limited number of free IPs.
• MALTEGO – The guys over at Paterva did outstanding work with Maltego 2.0.2 – which is featured in BackTrack as a community edition.
• The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
• Unicornscan – Fully functional with postgress logging support and a web front end.
• RFID support
• Pyrit CUDA support…
• New and updated tools – the list is endless!

This BETA release is considered stable and usable. Some tools were kept back from this version, and will be soon added to the repositories. Some minor bugs have been discovered and will be fixed with updated packaged.

It would also be appreciated if you could use this latest release and give some feedback to the development team to improve it and ensure it works with your specific hardware config (especially the wireless features).

You can download BackTrack BETA 4 here:

DVD ISO Image – bt4-beta.iso
VMware Image – bt4-beta-vm-6.5.1.rar

Or read more here.

Webtunnel 0.0.2 – HTTP Encapsulation and Tunnel Tool

Webtunnel is a network utility that encapsulates arbitrary data in HTTP and transmits it through a web server. In that regard, it is similar to httptunnel, however, it has several key important differences: its server component runs in the context of a web server as a CGI application (with optional FastCGI support) so it does not need its own port, and supports most things that the web server supports, such as authentication, HTTP 1.1, HTTPS, and client certificates; it uses simple requests and responses so it works seamlessly through forward and reverse proxies; it is multi-threaded (actually multi-process using sockets for inter-process communication) to allow multiple parallel connections to multiple destinations simultaneously.

It’s written in Perl and currently supports the tunneling of TCP connections. Future plans include implementations in different languages, mixed tunneling of UDP and pipes (so you can tunnel directly to a shell etc.), configuration features such as access control lists, and transmission options like compression and encryption.

You can download Webtunnel 0.0.2 here:

webtunnel-0.0.2.tgz

Or read more here.

dradis v2.0 – Open Source Security Reporting Tool

This is more of a tool for the information security professional amongst us, those working in a team carrying out web application audits, penetration tests and vulnerability assessments.

It’s useful for a team to use a tool like dradis so everyone is on the same page and the progress and segregation of responsibility can easily be seen.

Basically speaking dradis is an open source tool for sharing information during security assessments. It provides a centralized repository of information to keep track of
what has been done so far, and what is still ahead.

It’s a web application using a client/server architecture with an easy to use web interface. If you still aren’t sure what that means you can view a flash demo of the application in action here.

This application is suited to people in lengthy engagements, it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins half the way through), it will be useful to bring them up to speed.

The app is flexible, you don’t need to adapt your methodology to use it. It provides a web service interface so you can connect it with your existing vulnerability database or reporting tool.

The changelog for the latest feature can be found here.

You can download dradis v2.0 here:

One click installer for Windows – dradis-v2.0-setup.exe
Platform independant source – dradis-v2.0.0.tar.gz

Or read more here.

Complemento v0.6 – LetDown TCP Flooder, ReverseRaider Subdomain Scanner & Httsquash HTTP Server Scanner Tool

What is Complemento?

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

LetDown is a TCP flooder written after the author read the article by fyodor entitled article “TCP Resource Exhaustion and Botched Disclosure“. It has an (experimental) userland TCP/IP stack, and support multistage payloads for complex protocols, fragmentation of packets and variable TCP window.

ReverseRaider is a domain scanner that uses brute force wordlist scanning for finding a target sub-domains or reverse resolution for a range of ip addresses. This is similar to some of the functionality in DNSenum. It supports permutation on wordlist and IPv6.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this). It supports IPv6 and personalized HTTP requests.

Improvements for v0.6

LetDown:

• New (experimental) userland TCP stack
• Support for multistage payloads (for complex and stateful protocol, such as FTP, SMTP…)
• Variable TCP Window size
• Fragmentation of packets
• Polite mode (ACK received packets and/or closing the connection with FIR or RST packets)

ReverseRaider:

• Support for IPv6

HttSquash:

• Support for IPv6

You can download Complemento v0.6 here:

complemento-0.6

Or read more here.

CeWL – Custom Word List Generator

It seems to be trendy lately to make tools which can create custom or more specific word lists for password cracking, just last week we posted about the web application The Associative Word List Generator (AWLG), which crawls the whole web to look for associated words with a given topic.

This application is more towards creating custom word lists from a specific domain by crawling it for unique words. Basically you give the application a spidering target website and it will collect unique words. The application is written in Ruby and is called CeWL, the Custom Word List generator. The app can spider a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

IF you combine the info output by CeWL and AWLG with the standard wordlists for password cracking – you should have a fairly comprehensive set.

By default, CeWL sticks to just the site you have specified and will go to a depth of 2 links, this behaviour can be changed by passing arguments. Be careful if setting a large depth and allowing it to go offsite, you could end up drifting on to a lot of other domains. All words of three characters and over are output to stdout. This length can be increased and the words can be written to a file rather than screen so the app can be automated.

Version 2 of CeWL can also create two new lists, a list of email addresses found in mailto links and a list of author/creator names collected from meta data found in documents on the site. It can currently process documents in Office pre 2007, Office 2007 and PDF formats. This user data can then be used to create the list of usernames to be used in association with the password list.

Installation

CeWL needs the rubygems package to be installed along with the following gems:

• http_configuration
• mime-types
• mini_exiftool
• rubyzip
• spider

You can download CeWL here:

cewl_2.0.tar.bz2

Or read more here.

The Associative Word List Generator

About AWLG

The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.

Inclusion Example: A search string including the words (without quotes): “steve carell” would give us a word list with lots of words associated with the actor Steve Carell. This includes all of the words from his MySpace page, words from the Wikipedia article on him, etc.

Exclusion Example: We know that Steve Carell is an actor for lots of things, including a show called “The Office”. A search string: “steve carell” with omissions: “office” and “michael scott” would find words from websites that mention Steve Carell, but do not mention the word “office”, “michael”, or “scott”.

Privacy policy

AWLG.org does not record any transmitted search strings or user information. AWLG.org does record statistical information such as total site usage, total number of words generated per search, etc.

You can get cracking with AWLG here:

http://awlg.org/index.gen

OWASP (Open Web Application Security Project) Testing Guide v3

This project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations and a “low level” web application penetration testing guide that describes how to find certain issues.

Version 3 of the Testing Guide was released in last month in December 2008, the project was part of the OWASP Summer of Code, started on April 2008 reviewing the version 2 and improving it.

OWASP Testing Guide v3 is a 349 page book; they have split the set of active tests in 9 sub-categories for a total of 66 controls to test during the Web Application Testing activity.

Each control has an OWASP name, so for example a SQL Injection is called: OWASP-DV-005, meaning that it is the 5th control of the Data Validation category. They got a dream team of 21 authors and 4 reviewers: after 6 months of hard work and great team work we realized the v3.

The Guide is a “live” document: the project always needs your feedback! Please join the testing mailing list and share your ideas here.

You can download OWASP Testing Guide v3 here:

OWASP_Testing_Guide_v3.pdf

Download the presentation here
Browse the Testing Guide v3 on the wiki here

Or read more here.

WITOOL v0.1 – GUI Based SQL Injection

WITOOL is an graphical based SQL Injection Tool written in dotNET.

- For SQL Server, Oracle
- Error Base and Union Base

Interface

Features

• Retrieve schema : DB/TableSpace, Table, Column, other object
• Retrieve data : retrive paging, dump xml file
• Log : View the raw data HTTP log

Environment

OS: Windows 2000/XP/VISTA
Requirement: Microsoft .NET(2.0) Library (Download Here).

You can download WITOOL v0.1 here:

WITOOL_V0.1_081231.zip

Or read more here.