FOCA – Network Infrastructure Mapping Tool

FOCA 2 has a new algorithm which tries to discover as much info related to network infrastructure as possible. In this alpha version FOCA will add to the figured out network-map, all servers than can be found using a recursive algorithm searching in Google, BING, Reverse IP in BING, Well-known servers and DNS records, using an internal PTR-Scaning, etc

To configure this algorithm you can use the new DNS Search panel and the info extracted will be showed up in three panels:

• Domains
• IP addresses
• PC/Servers

ChangeLog 2.0.1:

• Fix error searching EXIF information
• Fix error in DNS Transfer Zone requests

ChangeLog 2.0:

• DNS enumeration added using subdomains Web Search, zone transfer, dictionary and bing IP search.
• Added panels Domains & IP
• Documents grouped by document type
• Used ListView groups
• Better Network Map representation
• Bing only search supported filetype documents
• Fix error analysing metadata

You can read more and download FOCA here.

Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (Metasploit 3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Bearsdley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was creating compiling and signing Java applets on fly, courtesy of Nathan Keltner. Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

Full Metasploit 3.4.0 Release Notes

You can download Metasploit 3.4.0 here:

Windows – framework-3.4.0.exe
Linux – framework-3.4.0-linux-i686.run

Or read more here.

sqlninja v0.2.5 Released – Microsoft SQL Server (MS-SQL) SQL Injection Vulnerability Tool

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if ’sa’ password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
• Evasion techniques to confuse a few IDS/IPS/WAF
• Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

What’s New?

• Proxy support (it was about time!)
• No more 64k bytes limit in upload mode
• Upload mode is also massively faster
• Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
• Other minor improvements

Compatibility

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

You can download sqlninja v0.2.5 here:

sqlninja-0.2.5.tgz

Or read more here.

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation

OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

You can download Suricata v0.9 here:

suricata-0.9.0.tar.gz

Or read more here.

iScanner – Detect & Remove Malicious Code/Web Pages Viruses From Your Linux/Unix Server

iScanner is free open source tool lets you detect and remove malicious codes and web pages viruses from your Linux/Unix server easily and automatically. This is a neat tool for those who have to do some clean up operation after a mass-exploitation or defacement on a shared web-host.

This tool is programmed by iSecur1ty using Ruby programming language and it’s released under the terms of GNU Affero General Public License 3.0.

Features

• Detect malicious codes in web pages. This include hidden iframe tags, javascript, vbscript, activex objects and PHP codee.
• Extensive log shows the infected files and the malicious code.
• Send email reports.
• Ability to clean the infected web pages automatically.
• Easy backup and restore system for the infected files.
• Simple and editable signature based database.
• Ability to update the database and the program easily from dedicated server.
• Very flexible options and easy to use.
• Fast scanner with good performance.

Coming Soon

• Microsoft Windows compatibility.
• Export log in other formats (xml, html).
• Extend the database and make it able to detect malicious files.
• Ability to send infected file to iScanner server for analysis.
• Build remote scanner service with API.

You can download iScanner v0.5 here:

iscanner.tar.gz

Or read more here.

OpenDLP – Open-Source Data Loss Prevention Tool

OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

Web Application

• Automatically deploy and start agents over Netbios/SMB
• When done, automatically stop, uninstall, and delete agents over Netbios/SMB
• Pause, resume, and forcefully uninstall agents in an entire scan or on individual systems
• Concurrently and securely receive results from hundreds or thousands of deployed agents over two-way-trusted SSL connection
• Create Perl-compatible regular expressions (PCREs) for finding sensitive data at rest
• Create reusable profiles for scans that include whitelisting or blacklisting directories and file extensions
• Review findings and identify false positives
• Export results as XML
• Written in Perl with MySQL backend

Agent

• Runs on Windows 2000 and later systems
• Written in C with no .NET Framework requirements
• Runs as a Windows Service at low priority so users do not see or feel it
• Resumes automatically upon system reboot with no user interaction
• Securely transmit results to web application at user-defined intervals over two-way-trusted SSL connection
• Uses PCREs to identify sensitive data inside files
• Performs additional checks on potential credit card numbers to reduce false positives

You can download OpenDLP v0.1 here:

OpenDLP-0.1.tar.bz2

Or read more here.

DAVTest – WebDAV Vulberability Scanning Tool

When facing off against a WebDAV enabled server, there are two things to find out quickly: can you upload files, and if so, can you execute code?

DAVTest attempts help answer those questions, as well as enable the pentester to quickly gain access to the host. DAVTest tries to upload test files of various extension types (e.g., “.php” or “.txt”), checks if those files were uploaded successfully, and then if they can execute on the server. It also allows for uploading of the files as plain text files and then trying to use the MOVE command to rename them to an executable.

Assuming you can upload an executable, a test file does you no good–so DAVTest can automatically upload a fully functional shell. It ships with shells for PHP, ASP, ASPX, CFM, JSP, CGI, and PL, and dropping a file in the right directory will let you upload any back-door you like.

Features

• Upload with executable extension or .txt
• Checks for successful upload and execution
• Supports MOVE and MKCOL
• Can upload backdoor/shell or arbitrary files
• Basic authentication

DAVTest is written in PERL and licensed under the GPLv3.

You can download DAVTest v1.0 here:

davtest-1.0.zip

Or read more here.

fuzzdb – Comprehensive Set Of Known Attack Sequences

fuzzdb is a comprehensive set of known attack pattern sequences, predictable locations, and error messages for intelligent brute force testing and exploit condition identification of web applications.

Many mechanisms of attack used to exploit different web server platforms and applications are triggered by particular meta-characters that are observed in more than one product security advisory. fuzzdb is a database attack patterns known to have caused exploit conditions in the past, categorized by attack type, platform, and application.

Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. A comprehensive database of these, sorted by platform type, makes brute force fuzz testing a scalpel-like approach.

Since system errors contain predictable strings, fuzzdb contains lists of error messages to be pattern matched against server output in order to aid detection software security defects.

Primary sources used for attack pattern research:

• researching old web exploits for repeatable attack strings
• scraping scanner patterns from http logs
• various books, articles, blog posts, mailing list threads
• patterns gleaned from other open source fuzzers and pentest tools
• analysis of default app installs
• system and application documentation
• error messages

It’s like a non-automated open source scanner without the scanner. You can download fuzzdb v1.06 here:

fuzzdb-1.06.tgz

It’s recommended to sync via SVN though as the contents will be a lot fresher as compared to the files in the tar.

svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only

Or read more here.

ReFrameworker – General Purpose Framework Modifier

ReFrameworker is a general purpose Framework modifier, used to reconstruct framework Runtimes by creating modified versions from the original implementation that was provided by the framework vendor. ReFrameworker performs the required steps of runtime manipulation by tampering with the binaries containing the framework’s classes, in order to produce modified binaries that can replace the original ones.

It was developed to experiment with and demonstrate deployment of MCR (Managed Code Rootkits) code into a given framework.

Features

• Performs all the required steps needed for modifying framework binaries (disassemble, code injection, reassemble, precompiled images cleaning, etc.)
• Fast development and deployment of a modified behavior into a given framework
• Auto generated deployers
• Modules: a separation between general purpose “building blocks” that can be injected into any given binary, allowing the users to create small pieces of code that can be later combined to form a specific injection task.
• Can be easily adapted to support multiple frameworks by minimal configuration (currently comes preconfigured for the .NET framework)
• Comes with many “preconfigured” proof-of-concept attacks (implemented as modules) that demonstrate its usage that can be easily extended to perform many other things.

ReFrameworker, as a general purpose framework modification tool, can be used in other contexts besides security such as customizing frameworks for performance tuning, Runtime tweaking, virtual patching, hardening, and probably other usages – It all depends on what it is instructed to do.

You can download ReFrameworker v1.1 here:

Software – ReFrameworker_V1.1.zip
Source Code: ReFrameworker_V1.1_Source_Code.zip

Or read more here.

Netsparker Community Edition – Web Application Security Scanner

Netsparker is a Web Application Security Scanner that claims to be False-Positive Free. The developers thought that if you need to investigate every single identified issue manually what’s the point of having an automated scanner? So they developed a new technology which can confirm vulnerabilities on demand which allowed us to develop the first false positive free web application security scanner.

When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.

Same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it’s possible to simulate a real attacker successfully. This means it can successfully analyse websites that rely on AJAX and JavaScript.

You don’t need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.

You can download Netsparker – Community Edition here:

NetSparkerCommunityEditionSetup.exe

Or read more here.

PBNJ – Network Architecture Monitoring Tool

PBNJ is a suite of tools to monitor changes on a network over time. It does this by checking for changes on the target machine(s), which includes the details about the services running on them as well as the service state. PBNJ parses the data from a scan and stores it in a database. PBNJ uses Nmap to perform scans.

What does PBNJ do?

Depending on what you need, PBNJ can do various things. It is able to give a layout of a class network. It can also be run as an automated scanning tool parsing the data to CSV format files and growing an in-depth view of a network over time.

• Automated Internal/External Scans
• Flexible Querying/Alerting System
• Parsing Nmap XML results
• Easy access to Nmap’s data in a database (SQLite, MySQL or Postgres)
• Distributed Scanning Consoles and Engines
• Runs on Linux, BSD and Windows
• Packaged for Debian, FreeBSD, Gentoo, Backtrack and nUbuntu

You can download PBNJ here:

pbnj-2.04.tar.gz

Or read more here.

x5s – Automated XSS Security Testing Assistant

x5s is a Fiddler add-on which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It’s main goal is to help you identify the hotspots where XSS might occur by:

• Detecting where safe encodings were not applied to emitted user-inputs
• Detecting where Unicode character transformations might bypass security filters
• Detecting where non-shortest UTF-8 encodings might bypass security filters

It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected.

The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences which is indicative of ‘other’ problems.

x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

x5s does not inject XSS payloads – it does not attempt to exploit or confirm an XSS vulnerability. It’s designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it’s the tester’s job to perform further validation and XSS testing.

The types of test cases that x5s includes:

1. Traditional test cases – characters typically used to test for XSS injection such as <, >, “,and ‘ which are used to control HTML, CSS, or javascript;
2. Transformable test cases – characters that might uppercase, lowercase, Normalize, best-fit map, or other wise transform to completely different characters, E.g. the Turkish ‘İ’ which will lower-case to ‘i’ in culture-aware software.
3. Overlong UTF-8 test cases – non-shortest UTF-8 encodings of the ‘traditional’ test cases noted above. E.g. the ASCII <>

You can download x5s here:

x5s v1.0.0 beta

Or read more here.

StreamArmor – Discover & Remove Alternate Data Streams (ADS)

StreamArmor is a tool for discovering hidden alternate data streams (ADS) and can also clean them completely from the system. It’s advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams.

StreamArmor has built-in advanced file type detection mechanism which examines the content of file to accurately detect the file type of stream. This makes it great tool in forensic analysis in uncovering hidden documents/images/audio/video/database/archive files within the alternate data streams. StreamArmor is the standalone, portable application which does not require any installation. It can be copied to any place in the system and executed directly.

What are ADS (Alternate Data Streams)?

If you’ve had any experience with advanced malware or Windows forensics you’d already know what ADS are, but if you haven’t is a lesser known feature of the Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools.

If so inclined you can read more here:

• Windows NTFS Alternate Data Streams
• Hidden Threat: Alternate Data Streams

Platform

Windows XP, 2K3, Vista, Longhorn and Windows 7 (both 32 & 64 bit versions) On 64 bit platform, only 32 bit processes are supported.

You can download StreamArmor v1.0 here:

StreamArmor_v1.zip

Or read more here.

pwnat – NAT To NAT Client Communication Tool

pwnat, pronounced “poe-nat”, is a tool that allows any number of clients behind NATs to communicate with a server behind a separate NAT with *no* port forwarding and *no* DMZ setup on any routers in order to directly communicate with each other. The server does not need to know anything about the clients trying to connect.

Simply put, this is a proxy server that works behind a NAT, even when the client is behind a NAT, without any 3rd party. There is no middle man, no proxy, no 3rd party, no UPnP/STUN/ICE required, no spoofing, and no DNS tricks. More importantly, the client can then connect to any host or port on any remote host or to a fixed host and port decided by the server.

pwnat is based off of the UDP tunneling software by Daniel Meekins, udptunnel, and my original chownat.

pwnat will work on most *nix operating systems. Tested on Linux and OS X.

You can download pwnat v0.2-beta here:

pwnat-0.2-beta.tgz

Or read more here.

PenTBox – Penetration Testing Security Suite

PenTBox is a Security Suite that packs security and stability testing oriented tools for networks and systems. Programmed in Ruby and oriented to GNU/Linux systems, but compatible with Windows, MacOS and every systems where Ruby works.

It is free, licensed under GNU/GPLv3.

PenTBox Contains

Cryptography tools

• Base64 Encoder & Decoder
• Multi-Digest (MD5, SHA1, SHA256, SHA384, SHA512)
• Hash Password Cracker (MD5, SHA1, SHA256, SHA384, SHA512)
• Secure Password Generator
• Files en/decryptor Rijndael (AES) 256 bits – GOST – ARC4

Network tools

• TCP Flood DoSer
• TCP Flood AutoDoSer
• Spoofed SYN Flood DoSer [nmap - hping3]
• Port scanner
• Honeypot
• PenTBox Secure Instant Messaging

Extra

• L33t Sp3@k Converter
• Fuzzer

An updated list of tools can be found here.

You can download PenTBox v1.3.2 here:

Windows version (Ruby included) – pentbox_1.3.2_win.zip
Linux version – pentbox_1.3.2.tar

Or read more here.

Flint – Web-based Firewall Rule Scanner

Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:

• CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
• ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules
• SANITY CHECK CHANGES to see if new rules create problems.

Flint is absolutely free. There’s no catch. You can download the source from the git repository. This isn’t the “play at home” version; it’s their second product, and they want to do it open source.

Why You Need Flint

You have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls, and not always at the same time. Firewalls can get out of step with policies.

Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:

• INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
• LAX CONTROLS ON DMZs may expose staging and test servers.
• FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
• REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.

You can download Flint here:

VMWare Virtual Machine – FlintVM-current.zip
OVF Virtual Machine – FlintVM-current.ovf.zip
Source – flint-current.tgz

Or read more here.

skipfish – Automated Web Application Security Reconnaissance Tool

The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation. To advance this goal, Google has released projects such as ratproxy, a passive security assessment tool.

The latest is they have announced a new tool called skipfish – a free, open source, fully automated, active web application security reconnaissance tool.

Key Features

• High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
• Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
• Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.

You can download skipfish here:

skipfish-1.10b.tgz

Or read more here.

OWASP CodeCrawler – Static Code Review Tool

CodeCrawler is a tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. It’s a Microsoft .NET 3.5 Windows Form application which supports the OWASP Code Review Project.

It provides automatic STRIDE classification a very simple DREAD calculator and few minor utilities. Direct links to WAST 2.0 Threat Classification, Secure Java Development Guidelines and OWASP Tools are also part of the package.

Requirements

• .NET Framework 3.5 (Service Pack 1)
• Visual Studio 2008
• Windows Platform

You can download CodeCrawler here:

CODECRAWLER_2.5_RELEASE.zip

Or read more here.

Vicnum – Lightweight Vulnerable Web Application

Vicnum is a flexible and vulnerable web application which demonstrates common web security problems such as cross site scripting, sql injections, and session management issues. The program is especially useful to IT auditors honing web security skills and setting up ‘capture the flag’ type exercises.

Being a small web application with no complex framework involved, Vicnum can easily be invoked and tailored to meet a specific need. For example if a test vulnerable application is needed in evaluating a web security scanner or a web application firewall, you might want to control a target web application to see what the scanner can find and what the firewall can protect.

Ultimately the major goal of this project is to strengthen security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it’s OK to have a little fun.

The guessing part of the game itself is quite fun too, there’s an online version of Vicnum hosted here:

http://vicnum.ciphertechs.com/

I can guess the number correctly with 1 try every time (that’s an easy one), also got an SQL injection to dump out all the scores recorded. Seeing what else can be done now.

It’s actually quite a fun one to play around with.

You can download Vicnum v1.4 here:

VMvicnum14.zip

Or read more here.

WebRaider – Automated Web Application Exploitation Tool

WebRaider is a plugin based automated web application exploitation tool which focuses to get a shell from multiple targets or injection point.

Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.

• It’s only one request therefore faster,
• Simple, you don’t need a tool you can do it manually by using your browser or a simple MITM proxy,
• Just copy paste the payload,
• CSRF(able), It’s possible to craft a link and carry out a CSRF attack that will give you a reverse shell,
• It’s not fixed, you can change the payload,
• It’s short, Generally not more than 3.500 characters,
• Doesn’t require any application on the target system like FTP, TFTP or debug.exe,
• Easy to automate.

Dependencies

Internally WebRaider uses Metasploit. The authors use a specific version of Metasploit, they trimmed the fat from Metasploit to launch it faster and make it smaller. You can change the paths and make it work with the latest Metasploit of your own setup.

Also note due to the reverse shells and Metasploit components this software will be detected a virus by AV software.

You can download WebRaider here:

WebRaider-0.2.3.8.zip

Or read more here.

SAHI – Web Automation & Application Security Testing Tool

Sahi is an automation tool to test web applications. Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.

Sahi is a tester friendly tool. It abstracts out most difficulties that testers face while automating web applications. Some salient features include excellent recorder, platform and browser independence, no XPaths, no waits, multi-threaded playback, excellent Java interaction and inbuilt reporting.

Features

• Browser and Operating System independent
• Powerful recorder which works across browsers
• Powerful Object Spy
• Intuitive and simple APIs
• Javascript based scripts for good programming control
• Version Controllable text-based scripts
• In-built reports
• In-built multi-threaded or parallel playback of tests
• Tests do not need the browser window to be in focus
• Command line and ant support for integration into build processes
• Supports external proxy, HTTPS, 401 & NTLM authentications
• Supports browser popups and modal dialogs
• Supports AJAX and highly dynamic web applications
• Scripts very robust
• Works on applications with random auto-generated ids
• Very lightweight and scalable
• Supports data-driven testing. Can connect to database, Excel or CSV file.
• Ability to invoke any Java library from scripts

Limitations

• Framesets/pages with frames/iframes loading pages from multiple domains is not supported. Sahi cannot handle pages which have other pages from different domains embedded in them using iframes or frames. So you cannot have a page from google.com having an iframe with a page from yahoo.com. Note that this is not the same as switching between domains, where you navigate from a google.com page to a yahoo.com page, which will work in Sahi.
• File upload field will not be populated on browsers for javascript verification. File upload itself works fine

You can download SAHI here:

sahi_20100302.zip

Or read more here.

Ncrack – High Speed Network Authentication Cracking Tool

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients.

Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool, be sure to read the Ncrack man page to fully understand Ncrack usage.

You can download Ncrack ALPHA here:

Tarball: ncrack-0.01ALPHA.tar.gz
Windows Binary: ncrack-0.01ALPHA-setup.exe

Or read more here.

Web Security Dojo – Training Environment For Web Application Security

Web Security Dojo is a free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Web Security Dojo currently contains:

Targets –

• OWASP’s WebGoat v5.2
• Damn Vulnerable Web App v1.0.6
• Hacme Casino v1.0
• OWASP InsecureWebApp v1.0
• Simple training targets by Maven Security (including REST and JSON)

Tools -

• Burp Suite (free version) v1.3
• w3af cvs version
• OWASP Skavengerv0.6.2a
• OWASP Dirbuster v1.0 RC1
• Paros v3.2.13
• Webscarab v20070504-1631
• Ratproxy v1.57-beta
• sqlmap v0.7
• Helpful Firefox add-ons

You can download Web Security Dojo here:

VMWare image – dojo_v1.0-vmware.zip
VirtualBox image – dojo_v1.0-virtualbox.zip

Or read more here.

keimpx – Open Source SMB Credential Scanner

keimpx is an open source tool, released under a modified version of Apache License 1.1. It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

• Combination of user / plain-text password.
• Combination of user / NTLM hash.
• Combination of user / NTLM logon session token.

If any valid credentials has been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, then he will be prompted with an interactive SMB shell where the user can:

• Spawn an interactive command prompt.
• Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
• Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
• List users details, domains and password policy.

You can download keimpx 0.2 here:

keimpx-0.2.zip

Or read more here.

Medusa 2.0 – Parallel Network Login Brute Forcing Tool

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.

It currently has modules for the following services: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC. It also includes a basic web form module and a generic wrapper module for external scripts.

Features

• Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
• Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
• Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

This release contains the most significant changes to the core of Medusa since its original release in 2005. We’ve moved to a “real” thread pool and modified how credential sets are selected. For a more detailed list of changes check the ChangeLog here.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison see Medusa Compare.

You can download Medusa 2.0 here:

medusa-2.0.tar.gz

Or read more here.

GreenSQL – Open Source Database Firewall Software

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

GreenSQL Architecture

GreenSQL works as a reverse proxy for MySQL connections. This means, that instead of connecting TO THE MySQL server, your applications will connect to THE GreenSQL server. GreenSQL will analyze SQL queries and then, if they’re safe, will forward them to the back-end MySQL server.

New Changes

In this version, GreenSQL provides native support for PostgreSQL (http://www.postgresql.org) databases for the very first time. In fact, GreenSQL is the only database firewall (Open or Closed Source) available for the protection of the many PostgreSQL databases currently in use.

GreenSQL 1.2 merges the GreenSQL-Console package into the GreenSQL-FW. The GreenSQL-Console will no longer be released as a separated package. During the installation process, you will be able to choose whether or not to install the console.

You can download GreenSQL v1.2 here:

greensql-fw-1.2.2.tar.gz

Or read more here.

SecuBat – Modular Web Vulnerability Scanner

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers.

Typical web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the web that are vulnerable.

SecuBat is a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities.

Software Requirements

• Windows 2000, XP, 2003 or higher
• .NET Framework 2.0 or higher
• MS SQL Server 2000, 2005, Express, MSDE or higher

Known Issues

• If you schedule a crawling run, you have to restart SecuBat for manually selecting this crawling run for
  an attacking run afterwards if you not choose to do a combined run.
• The XSS variants report a not existing vulnerability if the response page contains the injected string within the title tag.
• The “Attack Report” window shows only attacks with an analysis value greater than 0 (indicating a vulnerability).

You can also find out more from the SecuBat paper published here:

secubat.pdf [PDF]

You can download SecuBat v0.5 here:

SecuBat v0.5.zip

Or read more here.

Nmap v5.20 – Open Source Network Exploration & Auditing Tool

For those that may not know, Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Nmap 5.20 offers more than 150 significant improvements, including:

• 30+ new Nmap Scripting Engine scripts
• Enhanced performance and reduced memory consumption
• Protocol-specific payloads for more effectie UDP scanning
• A completely rewritten traceroute engine
• Massive OS and version detection DB updates (10,000+ signatures)

You can download Nmap 5.21 here (more options):

Linux – nmap-5.21.tgz
Windows – nmap-5.21-win32.zip

Or read more here.

Groundspeed 1.1 – Web Application Security Add-on For Firefox

Groundspeed is an open-source Firefox extension for web application security testers presented at the OWASP AppSec DC 2009. It allows you to manipulate the web application’s user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration test.

What can I do with Groundspeed?

Groundspeed allows you to modify the forms and form elements loaded in the page. Some practical uses include:

• Changing the types of form fields, for example you can change hidden fields into text fields so you can easily edit their contents.
• Quickly removing size and length limitations on text fields so you have more space to type your attack strings.
• Changing form target so the form submits in another tab.
• Removing or editing the JavaScript event handlers to bypass client side validation.

You can install Groundspeed here:

https://addons.mozilla.org/en-US/firefox/addon/46698/

Or read more here.

Browser Fuzzer 3 (bf3) – Comprehensive Web Browser Fuzzing Tool

Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer. Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer; the modules it uses are extensible but also highly integrated into the core. bf3 can be used via command line to set all necessary flags for each fuzzing operation.

After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through the browser using the refresh method. If error is detected, server logs can provide insight to the offending test case.

Features

• Fuzzes CSS, DOM, HTML, JavaScript and XML
• Attended and Unattended Fuzzing Modes
• 7th Generation Fuzzing Oracle
• Random Data Generator
• Mutation Fuzzing Engine

You can download Browser Fuzzer 3 here:

bf3.tar.gz

Or read more here.

Burp Suite v1.3 – Integrated Platform For Attacking Web Applications

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

This is a major upgrade with a host of new features, including:

• A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.
• Facility to add comments and highlights to the proxy history and site map.
• Support for viewing and editing AMF-encoded messages.
• Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.
• Copy to file / paste from file to facilitate working with binary content.
• New display filters.
• Greatly enhanced extensibility.
• Configurable DNS resolution, to override your computer’s own resolution, facilitating work with non-proxy-aware clients.
• Fine-grained upstream proxy rules.
• Exporting of HTTP messages and metadata in XML format.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Full release details can be found here.

You can download Burp Suite v1.3 here:

burpsuite_v1.3.zip

Or read more here.

Microsoft SQL Server Fingerprint Tool

This is a tool that performs version fingerprinting on Microsoft SQL Server 2000, 2005 and 2008, using well known techniques based on several public tools that identifies the SQL Version. The strength of this tool is that it uses probabilistic algorithm to identify the version of the Microsoft SQL Server.

The “Microsoft SQL Server Fingerprint Tool” can also be used to identify vulnerable versions of Microsoft SQL Server – it is based on some techniques used by Exploit Next GenerationTM to perform automated penetration test.

This is a very new tool and is in the BETA stage, so please do download it, try it out and give some feedback to the author.

You can download mssqlfp here:

mssqlfp-BETA4.exe

Or read more here.

WAFP – Web Application Finger Printing Tool

WAFP is a Web Application Finger Printer written in ruby using a SQLite3 DB.

How it works?

WAFP fetches the files given by the Finger Prints from a webserver and checks if the checksums of those files are matching to the given checksums from the Finger Prints. This way it is able to detect the detailed version and even the build number of a Web Application.

In detail?

A Web Application Finger Print consits of a set of relative file locations in conjunction with their md5sums. It is made based on a production or example installation of a Web Application or just out of an extracted Web Application install files tarball. For this task, generate_wafp_fingerprint.sh is to be used.

WAFP comes with a README and a HOWTO file both containing some descriptions and examples.

Example

A specific fingerprint with verbose mode enabled:

wafp.rb --verbose -p phpmyadmin https://phpmyadmin.example.de

    found the following matches (limited to 10):
  +-------------------------------------------------------------+
   phpmyadmin-2.11.9.1                  296 / 299  (98.99%)
   phpmyadmin-2.11.9.2                  295 / 299  (98.66%)
   phpmyadmin-2.11.9.4                  295 / 299  (98.66%)
   phpmyadmin-2.11.8.1                  295 / 299  (98.66%)
   phpmyadmin-2.11.9.5                  295 / 299  (98.66%)
   phpmyadmin-2.11.8                    295 / 299  (98.66%)
   phpmyadmin-2.11.9.3                  295 / 299  (98.66%)
   phpmyadmin-2.11.9                    295 / 299  (98.66%)
   phpmyadmin-2.11.4                    294 / 299  (98.33%)
   phpmyadmin-2.11.5.2                  294 / 299  (98.33%)

You can download WAFP here:

wafp-0.01-26c3.tar.gz

Or read more here.

YASAT – Yet Another Stupid Audit Tool

YASAT (Yet Another Stupid Audit Tool) is a simple stupid audit tool. Its goal is to be as simple as possible with minimum binary dependencies (only sed, grep and cut).

It do many tests for checking security configuration issue or others good practice.

It checks many software configurations like:

• Apache
• PHP
• kernel
• MySQL
• OpenVPN
• Packages update
• snmpd
• tomcat
• user accounting
• vsftpd
• xinetd

YASAT has been tested on:

• Gentoo
• Debian
• Ubuntu
• FreeBSD
• OpenBSD

YASAT is licensed under GPLv3.

You can download YASAT here:

yasat-207.tar.gz

Or read more here.

fimap – Remote & Local File Inclusion (RFI/LFI) Scanner

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but it’s usable.

Features

• Check a Single URL, List of URLs, or Google results fully automatically.
• Can identify and exploit file inclusion bugs.
• Test and exploit multiple bugs
• Has an interactive exploit mode
• Add your own payloads and patches to the config.py file.
• Has a Harvest mode which can collect URLs from a given domain for later pentesting.
• Can use proxies (experimental).

Changes

• All commands will now be send base64 encoded. So you can use quotes as much as you want.
• php://input detection is now 100% reliable.
• You can now define a POST string for relative and absolute files in the config.py.
• TTL implemented. You can define it with “—ttl “. Default is 30 seconds.
• Experimental HTTP Proxy support. You can define a HTTP(s) proxy with “—http-proxy localhost:8080″.
• Googlescanner can now skip the first X pages. Use “—skip-pages X”.
• Lots of bugfixes and additional regular expressions.

Requirements

• Needs: Python >= 2.4

You can download fimap here:

fimap_alpha_v07.tar.gz

Or read more here.