Tuesday, 23 July 2013

[SET v5.2] The Social-Engineer Toolkit "Urban Camping"



The Social-Engineer Toolkit (SET) version 5.2 codename "Urban Camping" has been released. This version adds a complete rewrite of the PowerShell injection techniques within SET and incorporates an automatic process downgrade attack detailed here: https://www.trustedsec.com/may-2013/native-powershell-x86-shellcode-injection-on-64-bit-platforms/. The attack will automatically detect if PowerShell is installed, then detect what platform it's running on. If 64-bit is detected, it will automatically downgrade the process to a 32-bit process for native shellcode injection.

Changelog


* incorporated the new x86 PowerShell downgrade attack. This will automatically use x86 shellcode regardless of operating system. (https://www.trustedsec.com/may-2013/native-powershell-x86-shellcode-injection-on-64-bit-platforms/)
* changed platform detection from if($env:PROCESSOR_ARCHITECTURE -eq "AMD64") to [IntPtr]::Size -eq 6 (thanks Matthew Graeber)
* rewrote payload generator in powershell menu to use new process downgrade attack
* rewrote java applet to use the new process downgrade attack
* rewrote powershell generation within setcore to use the powershell downgrade attack
* changed the default Java Applet wording to “Applet verified as safe (TRUSTED)”.
* fixed a bug that would cause SQL bruter to error out when specifying a single host and the host was not alive
* fixed a bug that would allow you to use web templates with webjacking and tabnabbing, which it should not have
* removed old encoding methods when using standard metasploit executables
* fixed an issue that would not allow SSL and harvester to work correctly – this required manually patching socket.py and keeping a patched version in the root directory upon launch. This is due to a bug in pyopenssl and unhandled packet handling within socket.py
* added more stability to the SSL harvester when using pem certificate files
* added powershell downgrade attack to psexec powershell attack
* added ExitOnSession to false when using psexec command
* added set EnableStageEncoding true when using psexec command for stager encoding with shikata
* added better stability to the powershell injection attacks with multiple detection points
* fixed an issue that would cause an error message when reusing credential harvester
* added proper cleanup on new socket.py – has to be in SET root – weird issue when os.chdir or sys.path.append – doesn’t recognize
* removed man left in the middle from the web attacks menu
* stretched the text on the menu to be full line versus manual splitting
* added new code and binary for pyinjector to evade AV
* added new code and binary for multipyinjector to evade AV
* officially removed the “set” command and moved to se-toolkit, set was a linux command and conflicted – use se-toolkit from here on out
* simplified the replace code for the shellcode powershell injection technique in setcore
* improved string encryption on the java applet attack
* added -noprofile flag option to powershell injection for x86 downgrade attack
* slimmed down the code used for the powershell injection attacks, allows more space for shellcode
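From the defender's side, the downgrade described above has a simple footprint: a 32-bit PowerShell host starting on a 64-bit machine, often with `-noprofile`. The script below, added here as an example and not part of SET, hunts for that pattern in process-creation telemetry. It assumes two Windows facts not stated on the page: on a 64-bit install the 32-bit PowerShell host lives under `SysWOW64` (the 64-bit one under `System32`), and the OS architecture is reported as `AMD64`. The log format and sample lines are constructed; Sysmon event 1 or EDR data carry the same fields.

```python
"""Hunt for the 32-bit PowerShell "downgrade" in process-creation telemetry.

Added example; this is not SET's code. Assumed Windows facts: on a 64-bit
install the 32-bit PowerShell host lives under SysWOW64, the 64-bit one under
System32, and the OS architecture is reported as AMD64. Log lines below are
constructed.
"""
import re

POWERSHELL_NAMES = {"powershell.exe", "powershell_ise.exe"}
WOW64_DIR = "syswow64"
X64_ARCHES = {"AMD64", "X64"}

# key=value pairs, values optionally double-quoted (constructed log format)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NOPROFILE_RE = re.compile(r"(?i)(?:^|\s)-noprofile\b")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {k: q if q else b for k, q, b in FIELD_RE.findall(line)}


def is_wow64_powershell(os_arch, image):
    """True when a PowerShell host from SysWOW64 starts on a 64-bit OS."""
    parts = [p.lower() for p in image.split("\\") if p]
    if not parts or parts[-1] not in POWERSHELL_NAMES:
        return False
    return os_arch.upper() in X64_ARCHES and WOW64_DIR in parts


def analyse(lines):
    """Return (host, image, reasons) for every event that looks like a downgrade."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        reasons = []
        if is_wow64_powershell(ev.get("os_arch", ""), ev.get("image", "")):
            reasons.append("32-bit PowerShell host on 64-bit OS")
            # -noprofile is the flag the changelog mentions; it adds weight, not a verdict
            if NOPROFILE_RE.search(ev.get("cmdline", "")):
                reasons.append("-noprofile")
        if reasons:
            findings.append((ev.get("host"), ev.get("image"), reasons))
    return findings


# Constructed sample telemetry: one normal run, one downgrade, one 32-bit host
SAMPLE_LOG = [
    r'ts=2013-07-23T10:02:11Z host=WS01 os_arch=AMD64 '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -File C:\scripts\inventory.ps1"',
    r'ts=2013-07-23T10:02:15Z host=WS01 os_arch=AMD64 '
    r'image="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -noprofile -command <omitted>"',
    r'ts=2013-07-23T10:03:40Z host=WS02 os_arch=x86 '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -noprofile -command Get-Process"',
]

if __name__ == "__main__":
    for host, image, reasons in analyse(SAMPLE_LOG):
        print("%s: %s -> %s" % (host, image, ", ".join(reasons)))
```

Treat a hit as a hunting lead rather than a verdict: legitimate 32-bit PowerShell runs exist (32-bit-only modules and COM components), so the finding is worth tying to the parent process and the command line before acting on it.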

[Suricata v1.4.4] Next Generation Intrusion Detection and Prevention Engine


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

Download Suricata v1.4.4:

Linux/Mac/FreeBSD/UNIX/Windows Source: 
http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
PGP Signature:
http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz.sig
Windows (win32) installer:
https://redmine.openinfosecfoundation.org/attachments/download/919/Suricata1.4.4-1-32bit.msi

[HconSTF Pentest Browser] Open Source Penetration Testing / Ethical Hacking Framework


HconSTF is an open source penetration testing framework based on different browser technologies, which helps any security professional in penetration testing or vulnerability scanning assessments. It contains web tools that are powerful for XSS (cross-site scripting), SQL injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It is also useful to anybody interested in the information security domain: students, security professionals, web developers, manual vulnerability assessments and much more.

Wednesday, 17 July 2013

[Patator v0.5] Multi-purpose brute-forcer, with a modular design and a flexible usage


Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.


Currently it supports the following modules:
* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files

[Hash Console v1.5] All-in-one Command-line tool to generate hash md5, sha1, sha256, sha384, sha512, lm, ntlm, base64, crc32, rot13


Hash Console is the all-in-one command-line based tool to quickly generate more than 15 different types of hashes. It can generate a hash for any given file or simple text.


Hashes or checksums are used for multiple purposes including file integrity verification, encryption, password storage etc. Hash Console helps you easily and quickly compute the hash for a given file or text.


Currently it supports the following popular hash types:
  • MD5 family (md2, md4, md5)
  • SHA family (sha1, sha256, sha384, sha512)
  • BASE64
  • ROT13
  • CRC32
  • ADLER32
  • HAVAL256
  • LM
  • NTLM
  • RIPEMD160
  • WHIRLPOOL

Being a command-line tool makes it ideal for automation and easy to use on remote systems.

[OWASP Zed Attack Proxy 2.1.0] An easy to use integrated penetration testing tool for finding vulnerabilities in web applications


The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.


Some of ZAP's features:
  • Open source
  • Cross platform
  • Easy to install (just requires java 1.7)
  • Completely free (no paid for 'Pro' version)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

It supports the following languages:
  • English
  • Arabic
  • Albanian
  • Brazilian Portuguese
  • Chinese
  • Danish
  • Filipino
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Persian
  • Polish
  • Russian
  • Spanish

[Facebook Password Decryptor v5.0] Facebook Password Recovery Software



Facebook Password Decryptor is the FREE software to instantly recover Facebook account passwords stored by popular Web Browsers and Messengers.

It is one of our most popular tools, with over one million downloads worldwide.

It supports recovery of the stored Facebook login password from most of the popular Internet browsers and messengers.


Here is the complete list of supported applications.


  • Internet Explorer (v4.0 - v10.0)
  • Firefox
  • Google Chrome
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Opera Browser
  • Apple Safari
  • Flock Browser
  • Comodo Dragon Browser
  • SeaMonkey Browser
  • Paltalk Messenger
  • Miranda Messenger

It offers both a GUI and a command-line version, making it a useful tool for penetration testers and forensic investigators.

[MAC Address Scanner] Desktop Tool to Find MAC address of Remote Computers on Local Network


MAC Address Scanner is the free desktop tool to remotely scan and find MAC Address of all systems on your local network.

It allows you to scan either a single host or a range of hosts at a time. During the scan, it displays the current status for each host. After completion, you can generate a detailed scan report in HTML/XML/TEXT format.

Note that you can find MAC address for all systems within your subnet only. For all others, you will see the MAC address of the Gateway or Router.

On certain secure WiFi configurations with MAC filtering enabled, this tool can help Pentesters to find out active MAC addresses and then use them to connect to such wireless network.

Being a GUI-based tool makes it very easy to use for users of all levels, including beginners.

[bWAPP bee-box] Linux VMware virtual machine pre-installed with bWAPP


bee-box is a custom Linux VMware virtual machine pre-installed with bWAPP.

bee-box gives you several ways to hack and deface the bWAPP website.


It's even possible to hack the bee-box to get root access...

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!

This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education.

IT security, ethical hacking, training and fun... all mixed together.


[DLL Finder v1.5] Tool to quickly find the matching DLL in all running Processes


DLL Finder is the command-line tool to quickly find the matching DLL in all running Processes.

For each discovered DLL in a process it displays:

  • Target Process Name
  • Process ID
  • Full DLL Name
  • DLL Base Address
  • DLL Load Count
  • DLL File Path


On 64-bit systems, 32-bit processes are shown with the suffix "*32" for easier identification.

It is mainly useful for developers and researchers. Being a command-line tool makes it easy to automate.


Wednesday, 10 July 2013

[Netsparker v3.0.2.0 Community Edition] Web Application Security Scanner


Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built in; for example, you can get a reverse shell out of an identified SQL Injection or extract data by running custom SQL queries.


Changelog v3.0.2.0

New Features
  • Scan Policy Editor that allows you to build your own scan policies for more efficient web application security scans.
  • Oracle CHR encoding and decoding facility in the Encoder pane
  • Support for multiple exclude and include URL patterns which can also be specified in REGEX
  • Knowledge base node where additional information about the scanned website is reported to the user
  • New PCI Compliance Report template
New Security Tests
  • Ruby on Rails Remote Code Execution vulnerability
  • Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)
  • Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server
  • Identification of phpMyAdmin and Webalizer
  • Detection of SHTML error messages that could disclose sensitive information
  • New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities
  • Server-Side Includes (SSI) Injection checks
Improvements
  • Default include and exclude URL pattern has been improved
  • DOM Parser now supports proxies and client certificates
  • The performance of the Controlled Scan user interface has been improved
  • HTTP Response text editor automatically scrolls to the first highlighted text when viewed
  • Improved vulnerability classifications
  • Vulnerability templates text has been improved
  • Updated the look and feel of the vulnerability templates
  • Version vulnerability database updated with new web applications version for better finger printing
  • Cross-site scripting exploit generation improved
  • Improved confirmed vulnerability representation on Detailed Scan Report
  • Internal Path Disclosure for Windows and Unix security tests have been improved
  • Improved version disclosure security tests for Perl and ASP.NET MVC
  • Simplified the Start a Scan user interface by moving rarely used settings to Netsparker general settings
  • Improved the performance of security scans which are started using the same Netsparker process
  • Scope documentation text has been updated
  • Updated WASC links to point to the exact threat classification page
  • Improved custom 404 detection on sites where the start URL is redirected
Bug Fixes
  • Fixed a bug in XSS report templates where plus char encoding was wrong
  • Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval
  • Fixed a bug where “Auto Complete Enabled” isn’t reported
  • Fixed a bug where Community Edition was asking for exporting sessions
  • Fixed a bug that caused redundant responses to be stored on redirects
  • Fixed a bug causing a NullReferenceException during reporting
  • Fixed a bug where custom cookies are not preserved when an exported session is imported
  • Fixed a bug on report templates where extra fields were missing when there are multiple fields
  • Fixed the radio button overlap issue on Encoder panel for high DPIs
  • Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation
  • Fixed an issue where data grids on the Settings dialog prevented cancelling the dialog when an invalid row is present
  • Fixed an issue where some logouts that occurred during the attack phase couldn't be detected
  • Fixed a bug which causes requests to URLs containing text HTMLElementInputClass
  • Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags
  • Fixed the size of the Configure Authentication wizard for higher DPIs
  • Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified
  • Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()
  • Fixed clipped text issue on scan summary dashboard severity bar chart
  • Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template
  • Fixed incorrect buttons sizes on message dialogs on high DPI settings
  • Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled
  • Fixed click sounds on vulnerability view tab
  • Fixed an issue where find next button was not working on HTTP Request / Response tab
  • Fixed a bug on the Configure Authentication wizard that occurs when the response contains multiple headers with the same name
Note: Due to major updates to the scan files, Netsparker version 3 cannot open scans exported with previous versions of Netsparker (.nss files).
Full Changelog: here

[Arachni v0.4.3] Ruby framework aimed towards helping penetration testers

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process.

Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity.

This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.



Changelog v0.4.3

Framework (v0.4.3)
  • Stable multi-Instance scans, taking advantage of SMP/Grid architectures for higher efficiency and performance.
  • Automated Grid load-balancing.
  • Platform fingerprinting for tailor-made audits resulting in less bandwidth consumption, less server stress and smaller scan runtimes.
Web User Interface (v0.4.1)
  • Support for PostgreSQL.
  • Support for importing data and configuration from the previous 0.4.2-0.4 packages.
Packages
  • Downgraded to require GLIBC >= 2.12 for improved portability.
More Information: here

Sunday, 7 July 2013

[Snort 2.9.5] Network intrusion prevention and detection system (IDS/IPS)


Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.


[*] New additions

* Added tracking of FTP data channel for file transfers as file_data for Snort rules.

* Added support for doing PAF based on services loaded through the attribute table, hardened PAF code and removed --disable-paf

* Added decoding support for Cisco ERSPAN

* Added tracking of HTTP uploads as file_data for Snort rules.

* Added ability to use event filters with PPM rules

* Added a control channel command to reload the Snort configuration to give feedback on new configuration.  This improves on the older sigHUP which would just result in Snort exiting and restarting if the new configuration required a restart.

* Added a configuration option to perfmon to write flow-ip data to a file

* New decoding alert for IPv6 Routing type 0 header.

* Added the ability to sync basic session state from one Snort to another via a side channel communication between the two Snort instances.  NOTE:  This is currently experimental.

[*] Improvements

* Improved Stream's midstream pickup handling for TCP state processing, sequence validation, and reassembly.  Thanks to John Eure.

* Added a parse error for a rule if there is a relative content used after a content that is 'fast_pattern only'.

* Improved HTTP PAF reassembly capabilities to be better aligned on PDU boundaries, terminate if not actually HTTP, and to include all appropriate line feeds.

* Hardened the code related to dynamic modules.  Removed the --disable-dynamicplugin configuration option since rule and preprocessor shared libraries are here to stay.

* Improved parsing of IP lists for reputation

* Update to Teredo processing and Snort rule evaluation when the inner IPv6 packet doesn't have payload.  Thanks to Yun Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce. 

* Improved logging of packets associated with alerts when a Stream reassembled packet triggers multiple Snort rules.

* Improvements to the Snort manual including documentation of specific rule options and configuration items.  Thanks to Nicholas Horton and many others.

* Removed a bunch of dead code paths, updated to use more current memory functions for easier code maintenance and portability.  Thanks to William Parker.

[*] Deletions

* Remove deprecated unified support, use unified2 for all of your logging needs.

Wednesday, 3 July 2013

[Zarp v0.1.2] The Python Network Attack Tool

Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.

The long-term goal of zarp is to become the master command center of a network; to provide a modular, well-defined framework that provides a powerful overview and in-depth analysis of an entire network. This will come to light with the future inclusion of a web application front-end, which acts as the television screen, whereas the CLI interface will be the remote. This will provide network topology reports, host relationships, and more. zarp aims to be your window into the potential exploitability of a network and its hosts, not an exploitation platform itself; it is the manipulation of relationships and trust felt within local intranets. Look for zeb, the web-app frontend to zarp, sometime in the future.

Tool Overview


Poisoners

These tools work as expected; poisoning hosts for performing MitM, session hijacking, etc. Currently included are ARP, DNS, DHCP, NBNS, ICMP redirect, and LLMNR.
  • DHCP
There are a couple of ways to do DHCP poisoning; zarp implements DHCP poisoning by deploying a ‘rogue’ DHCP server that listens for DHCP-ACK or DHCP-DISCOVER packets. If a DHCP-DISCOVER is detected, an IP address is reserved and assigned to the host and an ARP poisoning session is automatically deployed. If a DHCP-ACK is detected, we attempt to give them the address they’re requesting. This occurs in cases where a returning device would like its IP address back. If we cannot give them the address, we generate a new one and hand it out.
  • DNS
DNS poisoning is performed by matching DNS requests and responding with a malicious packet. zarp (v.10) requires that an ARP poison be active, but this may change. DNS RR poisoning is currently in development.
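A rogue DHCP server of the kind described above has to answer the client's DISCOVER/REQUEST with its own OFFER/ACK, and every server reply carries a server identifier (DHCP option 54). Comparing that identifier against the list of legitimate servers is the standard way to detect the poisoner. The script below, added here as an example and not part of zarp, parses raw DHCP payloads and flags replies from unknown servers; the allowlist and the packets are constructed (the builder exists only to produce sample input), and in practice the bytes would come from a capture of UDP 67/68 traffic or a switch's DHCP snooping feed.

```python
"""Flag DHCP server replies from hosts that are not the authorised DHCP servers.

Added example; this is not zarp's code. Packets and the allowlist below are
constructed. Option 54 (server identifier) is taken from RFC 2132.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload):
    """Parse the BOOTP header and DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:          # refuse to read past the end of the packet
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    mtype = opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else 0
    sid = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": _ip(payload[16:20]),
        "msg_type": MSG_TYPES.get(mtype, "TYPE%d" % mtype),
        "server_id": _ip(sid) if sid is not None and len(sid) == 4 else None,
    }


def rogue_replies(payloads, authorised):
    """Return (server_id, msg_type, xid) for OFFER/ACK/NAK not sent by an authorised server."""
    alerts = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["op"] != BOOTREPLY or msg["msg_type"] not in ("OFFER", "ACK", "NAK"):
            continue
        if msg["server_id"] not in authorised:
            alerts.append((msg["server_id"], msg["msg_type"], msg["xid"]))
    return alerts


def build_dhcp(op, xid, yiaddr, msg_type, server_id=None):
    """Build a minimal DHCP message; used here only to construct sample input."""
    pack_ip = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, pack_ip(yiaddr), b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + pack_ip(server_id)
    return header + DHCP_MAGIC + options + bytes([OPT_END])


AUTHORISED_SERVERS = {"192.168.1.1"}          # constructed allowlist
SAMPLE_PACKETS = [                            # constructed traffic for one lease exchange
    build_dhcp(BOOTREQUEST, 0x1234, "0.0.0.0", 1),                      # client DISCOVER
    build_dhcp(BOOTREPLY, 0x1234, "192.168.1.50", 2, "192.168.1.1"),    # OFFER, real server
    build_dhcp(BOOTREPLY, 0x1234, "192.168.1.200", 2, "192.168.1.77"),  # OFFER, unknown server
]

if __name__ == "__main__":
    for sid, mtype, xid in rogue_replies(SAMPLE_PACKETS, AUTHORISED_SERVERS):
        print("rogue %s from %s (xid 0x%x)" % (mtype, sid, xid))
```

Two OFFERs for the same transaction ID from different server identifiers, as in the sample, is the signature of the race a rogue server runs against the real one; on managed switches, DHCP snooping drops server replies on untrusted ports before they reach the client at all.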


Denial of Service

Modules for denial-of-service attacks against hosts. Various attacks currently exist for different systems, including Teardrop, IPv6 NDP RA, Nestea, LAND, TCP SYN, and SMB2.


Sniffers

These post-poisoning modules are useful for intercepting interesting traffic. Currently included are HTTP, Password, Traffic, and Database sniffers.


Scanners

Scan networks for victims. Included are Network Scanner, Service Scanner, Access Point Scanner, and Passive Scanner.


Services

Pretend you’re useful; harvest credentials from automatic login tools or unaware users. Spoofed services have been custom written to act as honeypots; none of these services can actually be used to do useful things as intended. Currently included are HTTP, SSH, FTP, SMB, WiFi AP, and telnet.

[Salted Hash Kracker v1.5] Recover the Password from Salted Hash text


Salted Hash Kracker is the free all-in-one tool to recover the Password from Salted Hash text.


These days most websites and applications use salt-based hash generation to prevent passwords from being cracked easily using precomputed hash tables such as Rainbow Crack. In such cases, 'Salted Hash Kracker' will help you to recover the lost password from the salted hash text.

It also allows you to specify the salt position, either at the beginning of the password (salt+password) or at the end of the password (password+salt). In case you want to perform normal hash cracking without the salt, just leave the 'Salt' field blank.
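The salt positions described above are the two ways a site can have combined salt and password before hashing, and recovering a password requires knowing which one was used. The script below, added here as an example and not part of Salted Hash Kracker, implements both positions for the hash types the tool lists, shows why a per-user salt defeats precomputed tables (the same password yields unrelated digests for two users), and performs the verification a site does when it knows the salt and its position. All passwords and salts in it are constructed.

```python
"""Salted hashing with the salt before or after the password.

Added example; this is not Salted Hash Kracker's code. Constructed values only.
"""
import hashlib
import hmac
import os

ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")  # the types the page lists


def salted_hash(password, salt, algorithm="sha256", salt_first=True):
    """hex(H(salt || password)) or hex(H(password || salt)); an empty salt gives the plain hash."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    pw, s = password.encode("utf-8"), salt.encode("utf-8")
    data = s + pw if salt_first else pw + s
    return hashlib.new(algorithm, data).hexdigest()


def new_record(password, algorithm="sha256", salt_first=True, salt=None):
    """Create the stored record for a user: a fresh random salt plus the digest."""
    if salt is None:
        salt = os.urandom(8).hex()
    return {"alg": algorithm, "salt": salt, "salt_first": salt_first,
            "digest": salted_hash(password, salt, algorithm, salt_first)}


def verify(password, record):
    """Recompute with the stored salt and position, then compare in constant time."""
    candidate = salted_hash(password, record["salt"], record["alg"], record["salt_first"])
    return hmac.compare_digest(candidate, record["digest"])


def same_password_different_digests(password, algorithm="sha256"):
    """Two users with the same password: per-user salts give unrelated digests,
    so one precomputed table cannot cover both, yet each still verifies."""
    a, b = new_record(password, algorithm), new_record(password, algorithm)
    return a["digest"] != b["digest"] and verify(password, a) and verify(password, b)


if __name__ == "__main__":
    rec = new_record("Summer2013", "sha1", salt_first=False)   # constructed user record
    print(rec)
    print("login ok:", verify("Summer2013", rec), "wrong pw:", verify("summer2013", rec))
    # the same salt in the other position gives a different digest, which is why
    # a cracker has to be told where the salt goes
    print("salt position matters:",
          salted_hash("Summer2013", rec["salt"], "sha1", True) != rec["digest"])
```

Note the limit of what a salt buys: it removes the shortcut of precomputed tables, but a single MD5/SHA guess remains cheap, which is exactly why a dictionary attack on a salted hash still works; for password storage, a deliberately slow construction (PBKDF2, bcrypt, scrypt, Argon2) is what makes each guess expensive.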

Currently it supports password recovery from the following popular hash types:
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512

It uses a dictionary-based cracking method, which makes the cracking operation simple. You can find good collections of password dictionaries (also called wordlists) here & here

[Chrome Password Decryptor v4.6] Recover all stored passwords from Google Chrome


Chrome Password Decryptor is the FREE tool to instantly recover all stored passwords from Google Chrome browser.

It automatically detects the default Chrome profile path for the current user and displays all the stored login passwords in clear text after decrypting them. It also shows all the blacklisted website entries for which the user has told Chrome not to remember the passwords.
 
Another useful feature of this tool is the Save option, which can be used to save the login secrets to a local file in standard HTML/XML/Text format. This will be very useful in the following cases:
  • To take backup of the login secrets for the stored websites
  • To transfer the secrets from one system to another.
  • To store the website passwords at a more secure centralized location
  • To recover the passwords in case Chrome becomes inaccessible or non-functional.
 
It also provides a command-line interface, which is helpful for penetration testers in their work. Apart from normal users, who can use it to recover their lost passwords, it can come in handy for forensic investigators.