FOCA – Network Infrastructure Mapping Tool

FOCA 2 has a new algorithm which tries to discover as much info related to network infrastructure as possible. In this alpha version FOCA will add to the figured out network-map, all servers than can be found using a recursive algorithm searching in Google, BING, Reverse IP in BING, Well-known servers and DNS records, using an internal PTR-Scaning, etc

To configure this algorithm you can use the new DNS Search panel and the info extracted will be showed up in three panels:

• Domains
• IP addresses
• PC/Servers

ChangeLog 2.0.1:

• Fix error searching EXIF information
• Fix error in DNS Transfer Zone requests

ChangeLog 2.0:

• DNS enumeration added using subdomains Web Search, zone transfer, dictionary and bing IP search.
• Added panels Domains & IP
• Documents grouped by document type
• Used ListView groups
• Better Network Map representation
• Bing only search supported filetype documents
• Fix error analysing metadata

You can read more and download FOCA here.

Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (Metasploit 3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Bearsdley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was creating compiling and signing Java applets on fly, courtesy of Nathan Keltner. Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

Full Metasploit 3.4.0 Release Notes

You can download Metasploit 3.4.0 here:

Windows – framework-3.4.0.exe
Linux – framework-3.4.0-linux-i686.run

Or read more here.

sqlninja v0.2.5 Released – Microsoft SQL Server (MS-SQL) SQL Injection Vulnerability Tool

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if ’sa’ password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
• Evasion techniques to confuse a few IDS/IPS/WAF
• Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

What’s New?

• Proxy support (it was about time!)
• No more 64k bytes limit in upload mode
• Upload mode is also massively faster
• Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
• Other minor improvements

Compatibility

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

You can download sqlninja v0.2.5 here:

sqlninja-0.2.5.tgz

Or read more here.

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation

OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

You can download Suricata v0.9 here:

suricata-0.9.0.tar.gz

Or read more here.

iScanner – Detect & Remove Malicious Code/Web Pages Viruses From Your Linux/Unix Server

iScanner is free open source tool lets you detect and remove malicious codes and web pages viruses from your Linux/Unix server easily and automatically. This is a neat tool for those who have to do some clean up operation after a mass-exploitation or defacement on a shared web-host.

This tool is programmed by iSecur1ty using Ruby programming language and it’s released under the terms of GNU Affero General Public License 3.0.

Features

• Detect malicious codes in web pages. This include hidden iframe tags, javascript, vbscript, activex objects and PHP codee.
• Extensive log shows the infected files and the malicious code.
• Send email reports.
• Ability to clean the infected web pages automatically.
• Easy backup and restore system for the infected files.
• Simple and editable signature based database.
• Ability to update the database and the program easily from dedicated server.
• Very flexible options and easy to use.
• Fast scanner with good performance.

Coming Soon

• Microsoft Windows compatibility.
• Export log in other formats (xml, html).
• Extend the database and make it able to detect malicious files.
• Ability to send infected file to iScanner server for analysis.
• Build remote scanner service with API.

You can download iScanner v0.5 here:

iscanner.tar.gz

Or read more here.

OpenDLP – Open-Source Data Loss Prevention Tool

OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

Web Application

• Automatically deploy and start agents over Netbios/SMB
• When done, automatically stop, uninstall, and delete agents over Netbios/SMB
• Pause, resume, and forcefully uninstall agents in an entire scan or on individual systems
• Concurrently and securely receive results from hundreds or thousands of deployed agents over two-way-trusted SSL connection
• Create Perl-compatible regular expressions (PCREs) for finding sensitive data at rest
• Create reusable profiles for scans that include whitelisting or blacklisting directories and file extensions
• Review findings and identify false positives
• Export results as XML
• Written in Perl with MySQL backend

Agent

• Runs on Windows 2000 and later systems
• Written in C with no .NET Framework requirements
• Runs as a Windows Service at low priority so users do not see or feel it
• Resumes automatically upon system reboot with no user interaction
• Securely transmit results to web application at user-defined intervals over two-way-trusted SSL connection
• Uses PCREs to identify sensitive data inside files
• Performs additional checks on potential credit card numbers to reduce false positives

You can download OpenDLP v0.1 here:

OpenDLP-0.1.tar.bz2

Or read more here.