FRHACK OS v1 alpha1 – Pentesting/Security LiveCD

FRHACK OS is an updated/modified version of the latest BackTrack 4 ISO with many updated tools and fixes.

This means it’s a fully fledged Linux pen-testing/security environment.

Some included tools & Updates

  • gcc-4.2
  • sun-java6-jre sun-java6-plugin
  • spoonwep-wpa-rc3.deb
  • airsnort-0.2.7e.tar.gz
  • wepbuster-1.0_beta_0.6
  • jbrofuzz-jar-15
  • wfuzz-1.4
  • tor-0.2.1.19
  • privoxy-3.0.8-stable-src
  • ophcrack-3.3.1
  • vncrack_src-1.21
  • fuzzgrind_090622

A new version (coming with bug fixes, included rainbow tables, wordlists, extras etc.) will be available for FRHACK 01, so you’ll be able to use it for the FRHACK Wargame.

You can download FRHACK OS v1 alpha1 (1.4GB) here:

frhack-os.iso

Websecurify – Web Security Testing

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features

  1. JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
  2. Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
  3. Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
  4. Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting a finger. This, however, is completely optional. The automatic update can be turned off if needed.
  5. Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all the cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool, and there are already tons of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

Or read more here.

SWFScan – Free Flash Application Security Scanner

HP SWFScan is a free tool developed by HP Web Security Research Group, which will automatically find security vulnerabilities in applications built on the Flash platform.

HP is offering SWFScan because:

  • Their research shows that developers are increasingly implementing applications built on the Adobe Flash platform without the required security expertise.
  • As a result, they are seeing a proliferation of insecure applications being deployed on the web.
  • A vulnerable application built on the Flash platform widens your website’s attack surface, creating more opportunity for malicious hackers.

How SWFScan works and what vulnerabilities it finds:

  • Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
  • Identifies and reports insecure programming and deployment practices and suggests solutions.
  • Enables you to audit third party applications without requiring access to the source code.

You can download SWFScan here:

SwfScan.msi

Or read more here.

MySqloit – SQL Injection Takeover Tool For LAMP

MySqloit is a SQL Injection takeover tool focused on LAMP (Linux, Apache, MySQL, PHP) and WAMP (Windows, Apache, MySQL, PHP) platforms. It has the ability to upload and execute Metasploit shellcodes through MySQL SQL Injection vulnerabilities. Attackers performing SQL injection on a MySQL-PHP platform must deal with several limitations and constraints.

For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution, compared to other platforms. This tool is written to demonstrate how remote code execution can be performed on a database connector that does not support stacked queries.

Key Features

  • SQL Injection detection using time based injection method
  • Database fingerprint
  • Web server directory fingerprint
  • Payload creation and execution

MySqloit is currently only tested on Linux. This is a new tool, though, so we should expect more development soon. I hope some of you guys can test it out and let the author know what you think.

You can download MySqloit v0.1 here:

MySqloitv0.1.tar

Or read more here.