winAUTOPWN v2.8 Released For Download – Windows Auto-Hacking Toolkit

winAUTOPWN and bsdAUTOPWN are minimal Interactive Frameworks which act as a frontend for quick systems vulnerability exploitation. It takes inputs like IP address, Hostname, CMS Path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Exploits capable of giving Remote Shells, which are released publicly over the Internet by active contributors and exploit writers are constantly added to winAUTOPWN/bsdAUTOPWN. A lot of these exploits are written in scripting languages like python, perl and php. Presence of these language interpreters is essential for successful exploitations using winAUTOPWN/bsdAUTOPWN.

Exploits written in languages like C, Delphi, ASM which can be compiled are pre-compiled and added along-with others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a Target System.

This version covers almost all remote exploits up-till September 2011 and a few older ones as well. Also added in this release are a few ruby exploits which require ‘socket’ alone for interpretation. Gee-Hence, winAUTOPWN now requires ruby installed as well, just like perl, python and php.

This version incorporates a new command-line parameters: -targetOS to allow selection of the target Operating System. This is essential for a few exploits to work perfectly. The List of OS and the corresponding OS codes are available and asked when winAUTOPWN OR bsdAUTOPWN is executed.

Untill the last release there was only a bind_shell TCP shellcode available in the exploits. This release brings yet another feature which gives the freedom to choose from a variety of shellcodes. You can now select reverse_tcp for Windows cmd and other shellcodes for Solaris, Linux, FreeBSD, etc. This is all done by mod_shellcode which has been created and added to WINDOWS AUTOPWN and BSD AUTOPWN as well. mod_shellcode gets automatically invoked by WINDOWS AUTOPWN for every scripted exploit code whose shellcode can be manually changed. Note that there are a few exploits in a compiled binary form which lack reverse shell and other shellcode features.

mod_shellcode is available as a separate binary in the exploits/ directory for Windows, FreeBSD x86, FreeBSD x64 and DragonFly BSD platforms (just like the main BSD AUTOPWN and other exploit binaries) and hence can also be manually used by exploit writers and exploiters to quickly change shellcodes in their exploit files.

You can download winAUTOPWn v2.8 here:

winAUTOPWN_2.8.7z

Or read more here.

CAINE (Computer Aided INvestigative Environment) – Digital Forensics LiveCD

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

The main design objectives that CAINE aims to guarantee are the following:

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user friendly graphical interface
• a semi-automated compilation of the final report

New Features/Tools

• New NAUTILUS SCripts
• ataraw
• bloom
• fiwalk
• xnview
• NOMODESET in starting menu
• xmount
• sshfs
• Reporting by Caine Interface fixed
• xmount-gui
• nbtempo
• fileinfo
• TSK_Gui
• Raid utils e bridge utils
• SMBFS
• BBT.py
• Widows Side
• Wintaylor updated & upgraded

“rbfstab” is a utility that is activated during boot or when a device is plugged. It writes read-only entries to /etc/fstab so devices are safely mounted for forensic imaging/examination. It is self installing with ‘rbfstab -i’ and can be disabled with ‘rbfstab -r’. It contains many improvements over past rebuildfstab incarnations. Rebuildfstab is a traditional means for read-only mounting in forensics-orient distributions.
“mounter” is a GUI mounting tool that sits in the system tray. Left clicking the system tray drive icon activates a window where the user can select devices to mount or un-mount. With rbfstab activated, all devices, except those with volume label “RBFSTAB”, are mounted read-only. Mounting of block devices in Nautilus (file browser) is not possible for a normal user with rbfstab activated making mounter a consistent interface for users.

You can download CAINE 2.5/Supernova here:

caine 2.5.iso

or you can read more here.

MagicTree v1.0 Released – Productivity Tool For Penetration Testers

MagicTree is a productivity tool for penetration testers. It allows consolidating data coming from various security tools, query and re-use the data and generate reports. It’s aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.
Version 1.0 includes a lot of bug fixes and a number of new features, such as:

• Support for Acunetix data import
• Support for W3AF data import
• Support for OpenVAS 4 XML format
• Importing data from flat text files
• Simplified manual creation of ports
• Copy/paste and drag and drop support for tree nodes, table view data, queries and tasks
• mt:sort() custom XPath function for sorting data, such as findings, in TableView and reports
• More sophisticated auto-creation of tree nodes. We now support netblocks in various formats (192.168.1.1/24 , 192.168.1.0-192.168.1.255, 192.168.1.0/255.255.255.0), DNS names, IP addresses and URLs.
• Search in output files panel
• Creating cross-references by drag and drop
• Better support for KDE and XFCE desktop environments on Linux. View in browser and opening reports now works on both.

The full changelog is available here – ChangeLog-1.0.txt

You can download MagicTree v1.0 here:

MagicTree-1.0-build1615.jar

Or read more here.

NetworkMiner v1.1 Released – Windows Packet Analyzer & Sniffer

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).
NetworkMiner has, since the first release in 2007, become popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

New in v1.1

The new version supports features such as:

• Extraction of Google Analytics data
• Better parsing of SMB data
• Support for PPP frames
• Even more stable than the 1.0 release

You can download NetworkMiner v1.1 here:

NetworkMiner_1-1.zip

Or read more here.

Lilith – Web Application Security Audit Tool

LiLith is a tool written in Perl to audit web applications. This tool analyses webpages and looks for html form tags , which often refer to dynamic pages that might be subject to SQL injection or other flaws. It works as an ordinary spider and analyses pages, following hyperlinks, injecting special characters that have a special meaning to any underlying platform.

Any Web applications scanner can never perform a full 100% correct audit. Therefore, a manual re-check is necessary. Hence, be aware that Lilith might come up with several false positives.

LiLith is a program that verifies the security of a web application. As a security consultant, the author often sees web applications that contain security flaws. A web application is a complex entity and cannot be fully checked with “just any tool”, therefor I recommend you to manually verify any results.

How the entire “scanning” process works is different from so called “CGI scanners”, such as nikto and n-stealth. This program will surf to a website and crawls through all the links, just as a user would to. On any possible input field, such as text boxes, page id’s, … LiLith will attempt to inject any characters that might have a special meaning for any underlying technology such as SQL.

For more information, it is recommended to read the following white paper: web dissection using lilith.

You can download Lilith here:

lilith-06atar.gz

Or read more here.

WAVSEP – Web Application Vulnerability Scanner Evaluation Project

The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).

In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)

The research compares the following aspects of these tools:

• Number & Type of Vulnerability Detection Features
• SQL Injection Detection Accuracy
• Reflected Cross Site Scripting Detection Accuracy
• General & Special Scanning Features

And what the author believes to me most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.

I for one applaud his efforts and I think this is a great project, of course there’s no completely objective ranking for these kind of things – but this study does give you a good idea of where different apps stand especially in terms of SQL Injection and XSS detection.

A lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).

The benchmark and reports (about 13 in total) can be found here:

http://sectooladdict.blogspot.com/

The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:

wavsep-v1.0.3-war.zip

Or you can read more here.

winAUTOPWN v2.7 Released – Windows Autohacking Tool

winAUTOPWN and bsdAUTOPWN are minimal Interactive Frameworks which act as a frontend for quick systems vulnerability exploitation. It takes inputs like IP address, Hostname, CMS Path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Exploits capable of giving Remote Shells, which are released publicly over the Internet by active contributors and exploit writers are constantly added to winAUTOPWN/bsdAUTOPWN. A lot of these exploits are written in scripting languages like python, perl and php. Presence of these language interpreters is essential for successful exploitations using winAUTOPWN/bsdAUTOPWN.

Exploits written in languages like C, Delphi, ASM which can be compiled are pre-compiled and added along-with others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a Target System.

New in v2.7

This version covers almost all remote exploits up-till mid-July 2011 and a few older ones as well. This version incorporates a few new commandline parameters: -perlrevshURL (for a PERL Reverse Shell URL), – mailFROM (smtpsender) and -mailTO (smtpreceiver). These are the commandline arguments required for a few exploits which require remote connect-back using a perl shell and email server exploits requiring authentication respectively. This version also tackles various internal bugs and fixes them.

A complete list of all Exploits in winAUTOPWN is available in CHANGELOG.TXT
A complete list of User Interface changes is available in UI_CHANGES.txt

Also, in this version :

• BSDAUTOPWN has been upgraded to version 1.5.
• In this release you will also find pre-compiled binaries for :
• FreeBSD x86
• FreeBSD x64
• DragonFly BSD x86

You can download winAUTOPWN v2.7 here:

winAUTOPWN_2.7.RAR

Or read more here.

Arachni v0.3 Released – Web Application Security Scanner Framework

For those who are not aware, Arachni is a fully automated system which tries to enforce the fire and forget principle. As soon as a scan is started it will not bother you for anything nor require further user interaction. Upon completion, the scan results will be saved in a file which you can later convert to several different formats (HTML, Plain Text, XML, etc.)

The project was initially started as an educational exercise though it has since evolved into a powerful and modular framework allowing for fast, accurate and flexible security/vulnerability assessments..

More than that, Arachni is highly extend-able allowing for anyone to improve upon it by adding custom components and tailoring most aspects to meet most needs.

The author notified us of a major new release (v0.3) which has some great new features, a few of those being:

• A new custom-written, lightweight Spider
• Add-on support for the WebUI
  • Scan scheduler
  • AutoDeploy — Convert any SSH enabled Linux box into a Dispatcher
• Improved accuracy of differential analysis audits
• Improved accuracy of timing attack audits
• Highly optimized timing attacks

If you are interested in the WebUI aspect you can check out some screenshots here, the more comprehensive ChangeLog is also available here.

For those of you into benchmarking and testing you might be interested to know that during a recent test Arachni was the only (from a long list of commercial and F/OSS systems) that hit 100% on both XSS and SQLi tests in the WAVSEP benchmark:

Commercial Web Application Scanner Benchmark

The author is doing a great job with this tool and rapidly closing the gap between free security scanners and the very expensive commercial options. If you do have any feedback on Arachni v0.3 drop a comment here or hit up the Arachni Google Group.

You can download Arachni v0.3 here:

arachni-v0.3-cde.tar.gz

Or read more here.

Websecurify – Integrated Web Security Testing Environment

Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community.

The penetration testing platform is the only one of its kind. Websecurify is in effect built on the top of a browser and can understand all modern web technologies including upcoming web standards and current technologies such as HTML5.

Main Features

• Available for all major platforms (Windows, Mac OS, Linux)
• Simple to use user interface
• Builtin internationalization support
• Easily extensible with the help of add-ons and plugins
• Exportable and customisable reports with any level of detail
• Moduler and reusable design
• Powerful manual testing tools and helper facilities
• Team sharing support
• Powerful analytical and scanning technology
• Built-in service and support integration
• Scriptable support for JavaScript and Python
• Extensible via many languages including JavaScript, Python, C, C++ and Java

Websecurify uses several key technologies combined together to achieve the best possible result when performing automatic and manual tests. At the core of the platform sits a Web Browser. This allows Websecurify to gain a fine-grained control over the targeted web application and as such detect vulnerabilities that are difficult to find with other tools.

The carefully engineered user interface is simple to use but powerful. All tools and platform features are integrated with each other. This allows smooth transition from one type of task to another and it also makes it easier to work with the complex flow of data, gathered during the penetration test.

You can download Websecurify here:

Windows: Websecurify%200.8.exe
Mac: Websecurify%200.8.dmg
Linux: Websecurify%200.8.tgz

Or you can read more here.

Mantra Security Toolkit 0.6.1 Released – Browser Based Hacking Framework

Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

The software is intended to be lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Mantra can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Project Goals

• Create an ecosystem for hackers based on browser
• To bring the attention of security people to the potential of a browser based security platform
• Provide easy to use and portable platform for demonstrating common web based attacks( read training )
• To associate with other security tools/products to make a better environment.

You can download Mantra 0.6.1 here:

Linux 32-bit – Mantra Security Toolkit – Gandiva.tar.bz2
Windows – OWASP Mantra Security Toolkit – Gandiva.exe

Or read more here.

WPScan – WordPress Security/Vulnerability Scanner

WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach (scanning without any prior knowledge of what has been installed etc).

Features

• Username enumeration (from author querystring and location header)
• Weak password cracking (multithreaded)
• Version enumeration (from generator meta tag)
• Vulnerability enumeration (based on version)
• Plugin enumeration (2220 most popular by default)
• Plugin vulnerability enumeration (based on version) (todo)
• Plugin enumeration list generation
• Other misc WordPress checks (theme name, dir listing, …)

Requirements

WPScan requires two non native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install –user-install typhoeus
sudo gem install –user-install xml-simple

The full README is available here.

You can download WPScan by checking it out from the SVN repository on Google Code:

svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only

Or you can read more here.

Zed Attack Proxy – ZAProxy v1.3.0 Released – Integrated Penetration Testing Tool

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Main Features

• Intercepting Proxy
• Automated scanner
• Passive scanner
• Brute Force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL certificates
• API
• Beanshell integration

What’s New?

A new version has been released, v1.3.0, the release adds the following main features:

• Fuzzing, using the JBroFuzz library
• Dynamic SSL Certificates
• Daemon mode and API
• BeanShell integration
• Full internationalization
• Out of the box support for 10 languages

You can download ZAP v1.3.0 here:

Windows Installer – ZAP_1.3.0_Windows.exe
Linux Installer – ZAP_1.3.0_Linux.tar.gz
Mac OSX Installer – ZAP_1.3.0_Mac_OS_X.zip

Or read more here.

Burp Suite Free Edition v1.4 – Web Application Security Testing Tool

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!

New Features

• The ability to compare site maps
• Functions to help with testing access controls using your browser
• Support for preset request macros
• Session handling rules to help you work with difficult situations
• In-browser rendering of responses from all Burp tools
• Auto recognition and rendering of character sets
• Support for upstream SOCKS proxies
• Headless mode for unattended scripted usage
• Support for more types of redirection
• Support for NTLMv2 and IPv6
• Numerous enhancements to Burp’s extensibility
• Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:

burpsuite_v1.4.zip

Or read more here.

BackTrack 5 Released – The Most Advanced Linux Security Distribution & LiveCD

The BackTrack Dev team has worked furiously in the past months on BackTrack 5, code name “revolution” – they released it on May 10th. This new revision has been built from scratch, and boasts several major improvements over all our previous releases. It’s based on Ubuntu Lucid LTS – Kernel 2.6.38, patched with all relevant wireless injection patches. Fully open source and GPL compliant.

The interesting part for me is that the new .ISO downloads offer multiple versions, including a choice between GNOME and KDE desktops and the images include ARM, 32-Bit and 64-Bit versions.

New in Version 5

• Based on Ubuntu 10.04 LTS;
• Linux kernel 2.6.38 (with wireless injection patches);
• KDE 4.6;
• GNOME 2.6;
• 32-bit and 64-bit support;
• Metasploit 3.7.0;
• Forensics mode (a forensically sound instance);
• Stealth mode (without generating network traffic);
• Initial ARM image of BackTrack (for Android-powered devices);
• All support for Backtrack 4 will end on May 10th, 2011 and BackTrack 4 will not be available for download from our official mirrors from that date onwards.

As for the ARM image, they have had some joy getting BackTrack running on a Motorola Xoom tablet – check it out here.

You can download BackTrack version 5 here:

http://www.backtrack-linux.org/downloads/

sslsnoop v0.6 – Dump Live Session Keys From SSH & Decrypt Traffic On The Fly

sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.

1. Works if scapy doesn’t drop packets. using pcap instead of SOCK_RAW helps a lot now.
2. Works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
3. Dumps one file by fd in outputs/
4. Attaching a process is quickier with –addr 0xb788aa98 as provided by haystack INFO:abouchet:found instance @ 0xb788aa98
5. how to get a pickled session_state file : $ sudo haystack –pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled

Not all ciphers are implemented.

Workings ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc
Non workings ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280

It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).

You can download sslsnoop here:

trolldbois-sslsnoop.zip

Or read more here.

OWASP Hatkit Proxy Project – HTTP/TCP Intercepting Proxy Tool

The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic into an offline storage where further analysis can be performed, i.e. all kinds of analysis which is currently implemented by the proxies themselves.

Also, since the http traffic is stored in a MongoDB, the traffic is stored at an object-level, retaining the structure of the parsed traffic.

Features

• Swing-based UI,
• Interception capabilities with manual edit, both for TCP and HTTP traffic,
• Syntax highlightning (html/form-data/http) based on JFlex,
• Storage of http traffic into MongoDB database,
• Possibilities to intercept in Fully Qualified mode (like all other http-proxies) OR Non-fully qualified mode. The latter means that interception is performed *after* the host has been parsed, thereby enabling the user to submit non-valid http content.
• A set of filters to either ignore or process traffic which is routed to the proxy. The ‘ignored’ traffic will be streamed to the endpoint with minimal impact on performance.

Known Issues

• HTTP-intercept: Some button/checkboxes in the interception window does not work
• TCP-intercept: The statistics counters are incorrect.

You can download OWASP Hatkit Proxy here:

hatkit_proxy-0.5.1.zip

Or read more here.

sqlmap 0.9 Released – Automatic Blind SQL Injection Tool

Well sqlmap 0.9 has been released and has a considerable amount of changes including an almost entirely re-written SQL Injection detection engine.

For those that aren’t familiar with the tool, sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

New Features/Changes

• Rewritten SQL injection detection engine (Bernardo and Miroslav).
• Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
• Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
• Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
• Implemented support for Firebird (Bernardo and Miroslav).
• Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
• Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
• Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
• Added support to fetch unicode data (Bernardo and Miroslav).
• Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
• Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
• Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
• Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns.

The complete changelog is available for viewing here.

You can also download the user manual here [PDF] – sqlmap README

You can download sqlmap 0.9 here:

sqlmap-0.9.tar.gz

Or read more here.

Wophcrack – Web Based Interface For Ophcrack Password Cracking Tool

Well here is a nifty web-based interface for it. Rainbow Tables are really useful when cracking password hashes, but one major disadvantage of these tables is their size which can be hundreds of gigs for complex tables. The author thought it would be extremely useful to have a personal web interface for your rainbow tables which you can access from anywhere on the web anywhere without having to carry the large tables with you everywhere you go. And well here we are, Wophcrack (Web)Ophcrack.

When cracking LM or NTLM hashes Ophcrack is a great tool as we discussed recently, it provides both a GUI and CLI options along with some free and paid tables. The author basically wrote a quick and dirty PHP based web frontend for Ophcrack.

Wophcrack was designed to work on Backtrack 4 R2, Although it can be install on any Linux distribution with some small adjustments, Wophcrack can also easily edited to support Rainbow Crack.

You can download Wophcrack here:

wophcrack.zip

Or read more here.

Ophcrack 3.3.1 & LiveCD – Free Rainbow Table Password Cracking Tool

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms. It works based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

Features

• Runs on Windows, Linux/Unix, Mac OS X
• Cracks LM and NTLM hashes.
• Free tables available for Windows XP and Vista.
• Brute-force module for simple passwords.
• Audit mode and CSV export.
• Real-time graphs to analyze the passwords.
• LiveCD available to simplify the cracking.
• Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
• Free and open source software (GPL).

You can find the various tables they offer here (mostly free with some paid):

Ophcrack Rainbow Tables

You can download Ophcrack 3.3.1 here:

Windows – ophcrack-win32-installer-3.3.1.exe
Source – ophcrack-3.3.1.tar.bz2

Or download the LiveCD here:

To crack XP hashes – ophcrack-xp-livecd-2.3.1.iso
To crack Vista hashes – ophcrack-vista-livecd-2.3.1.iso

Or read more here.

Arachni v0.2.2.1 – Web Application Security Scanner Framework

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while traveling through the paths of a web application’s cyclomatic complexity. This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Finally, Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus). Thus, you’ll only be limited by the responsiveness of the server under audit and your available bandwidth.

Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc with the addition of custom modules.

Module, report and plugin writers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals. Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.

Although some parts of the Framework are fairly complex you will never have to deal them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.

There is a new version of Arachni which features numerous optimizations, new modules, new plug-ins and a brand new, although experimental, Web user interface (adding support for distributed deployment, parallel scans and basic report management).

The changelog for this version is extremely long and you can view the full list of changes on the authors blog here – Arachni v0.2.2.1 is out!. You can also view the release changelog here.

All available installation options and usage instructions can be found in the homepage and the GitHub page.

With the new release, there is also the new Arachni Google Group, if you’re hacking or using Arachni and have a related questions you can contact the author and the community here.

You can download Arachni v0.2.2.1 here:

Zapotek-arachni-v0.2.2.1.zip

Or read more here.

NiX Brute Force – Parallel Log-in Brute Forcing/Password Cracking Tool

NiX Brute Forcer is a tool that uses brute force in parallel to log into a system without having authentication credentials beforehand. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of NiX is to support a variety of services that allow remote authentication such as: MySQL, SSH, FTP, IMAP. It is based on NiX Proxy Checker.

Features

• Basic Authorization & FORM support in both standard and HTTPS (SSL) mode
• HTTP/SOCKS 4 and 5 proxy support
• FORM auto-detection & Manual FORM input configuration.
• It is multi-threaded
• Wordlist shuffling via macros
• Auto-removal of dead or unreliable proxy and when site protection mechanism blocks the proxy
• Integrated proxy randomization to defeat certain protection mechanisms
• With Success and Failure Keys results are 99% accurate
• Advanced coding and timeout settings makes it outperform any other brute forcer

The full changelog including the latest version is here.

You can download NiX Brute Force here:

NIX_BruteForce.bz2

Or read more here.

Mausezahn – Fast Traffic Generator/Packet Crafting Tool

Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks but also for security audits to check whether your systems are hardened enough for specific attacks.

Mausezahn can be used for example:

• As traffic generator (e. g. to stress multicast networks)
• To precisely measure jitter (delay variations) between two hosts (e. g. for VoIP-SLA verification)
• As didactical tool during a datacom lecture or for lab exercises
• For penetration testing of firewalls and IDS
• For DoS attacks on networks (for audit purposes of course)
• To find bugs in network software or appliances
• For reconnaissance attacks using ping sweeps and port scans
• To test network behaviour under strange circumstances (stress test, malformed packets)

Mausezahn is basically a versatile packet creation tool on the command line with a simple syntax and context help. It could also be used within (bash-) scripts to perform combination of tests. By the way, Mausezahn is quite fast; when started on my old PIII-Laptop (1.4 GHz, Gigabit Ethernet) I measured 755 Mbit/s using the interface packet counters of an HP ProCurve 5400 switch.

Currently Mausezahn is only available for Linux platforms. Please do NOT PORT Mausezahn to Windows! (Here is a nice explanation why; I really share Felix von Leitner’s point of view.)

Yoiu can download Mausezahn here:

mz-0.40.tar.gz

Or read more here.

Mantra Security Toolkit – Free & Open Source Browser-Based Security Framework

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

The Mantra is a powerful set of tools to make the attacker’s task easier. The beta version of Mantra Security Toolkit contains following tools built onto it –

Mantra Tools List

You can also always suggest any tools/ scripts that you would like see in the next release.

Supports forums are available here.

You can download Mantra here:

Windows – MantraPortable Alpha Release 200.12.exe
Linux – mantra-portable-pre-alpha.tar.bz2

Or read more here.

Inguma Is Back – The Penetration Testing & Vulnerability Research Toolkit

A new version has just been released almost 3 years later with some major changes and a big GUI revamp. Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits. While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing.

There are some good docs to get you up and running too:

• Installation Guide
• Getting Started
• Console Quick Start
• GUI Quick Start
• Full Documentation

The announcement from the developers blog is here:

We are back

You can download Inguma 0.2 here:

inguma-0.2.tar.gz

Or read more here.

cross_fuzz – A Cross-Document DOM Binding Fuzzer

cross_fuzz is an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and it is still finding more.

The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.

The cross_fuzz fuzzing Algorithm

1. Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default – although any other, possibly plugin-supported formats could be targeted instead.
2. Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
3. Repeat DOM crawl, randomly tweaking encountered object properties by setting them to a one of the previously recorded references (or, with some probability, to one of a handful of hardcoded “interesting” values).
4. Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and “interesting” values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
5. Randomly destroy first document using one of the several possible methods, toggle garbage collection.
6. Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
7. Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.

This design can make it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool – and some not-so-elusive ones. I believe that at this point, a broader community involvement may be instrumental to tracking down and resolving these bugs.

I also believe that at least one of the vulnerabilities discovered by cross_fuzz may be known to third parties – which makes getting this tool out a priority.

You can download cross_fuzz here:

http://lcamtuf.coredump.cx/cross_fuzz

Or read more here.

IOCTL Fuzzer v1.2 – Fuzzing Tool For Windows Kernel Drivers

IOCTL Fuzzer is a tool designed to automate the task of searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

The fuzzer’s own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.

While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz.

IOCTL Fuzzer works on Windows XP, 2003 Server, Vista, Windows 7 and 2008 Server.

New in 1.2 version

• Windows 7 support
• Full support of 64-bit versions of Windows
• Exceptions monitoring
• “Fair Fuzzing” feature
• Different data generation modes
• Boot fuzzing (during OS initialization)

You can download IOCTL Fuzzer v1.2 here:

ioctl_fuzzer-1.2.zip

Or read more here.