
Tuesday, July 21, 2009

Kon-Boot – Reset Windows & Linux Passwords

Kon-Boot is a prototype piece of software that changes the contents of a Linux kernel (and now the Windows kernel too) on the fly, while the system boots.

In its current compilation state it allows logging into a Linux system as ‘root’ without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password.

It was mainly created for Ubuntu; later the author made a few add-ons to cover some other Linux distributions.

Kon-Boot is written entirely in pure x86 assembly, using the old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot has been ported to Windows platforms, so it now supports Microsoft Windows systems as well as the Linux systems listed below. Kon-Boot for Windows enables logging in to any password-protected machine profile without any knowledge of the password. The tool changes the contents of the Windows kernel while booting; everything is done in memory, without any changes to the installed system. So far the following systems have been tested to work correctly with Kon-Boot:

•Windows Server 2008 Standard SP2 (v.275)
•Windows Vista Business SP0
•Windows Vista Ultimate SP1
•Windows Vista Ultimate SP0
•Windows Server 2003 Enterprise
•Windows XP
•Windows XP SP1
•Windows XP SP2
•Windows XP SP3
•Windows 7

No special usage instructions are required for Windows users: just boot from the Kon-Boot CD/floppy, select your profile and type any password you want. Lost your password? Now it doesn’t matter at all.

It has been tested with the following Linux distributions:

•Gentoo 2.6.24-gentoo-r5 GRUB 0.97
•Ubuntu 2.6.24.3-debug GRUB 0.97
•Debian 2.6.18-6-6861 GRUB 0.97
•Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:
Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

The Middler – User Session Cloning & MITM Tool

The Middler is a man-in-the-middle tool that demonstrates protocol middling attacks. Led by Jay Beale, the project involves a team of authors including InGuardians agents Justin Searle and Matt Carpenter. The Middler is intended to man-in-the-middle, or “middle” for short, every protocol for which we can create code.

The current codebase is in an alpha state, but a beta release is coming soon, with better documentation, easier installation, and even more plug-ins.

Plug-ins

•plugin-beef.py – injects the Browser Exploitation Framework (BeEF) into any HTTP request originating on the local LAN
•plugin-metasploit.py – injects an IFRAME into cleartext (HTTP) requests that loads Metasploit browser exploits
•plugin-keylogger.py – injects a JavaScript onKeyPress event handler into cleartext forms that are submitted via HTTPS, forcing the browser to send the password character by character to the attacker’s server before the form is submitted.

The author team has done a tremendous amount of research, design and pseudo-code work, fleshing out attacks on web-based e-mail systems and social networking sites.
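The keylogger plug-in above only works when the page carrying the login form reaches the browser in cleartext, whatever scheme the form later posts to. The check below is an added example (not part of The Middler) that parses a page and flags password forms delivered over HTTP; the URL and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormFinder(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per form: {"action": ..., "has_password": ...}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL so the scheme is explicit.
            self._current = {"action": urljoin(self.page_url, attrs.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_exposed_login_forms(page_url, html):
    """Return the actions of password forms that a LAN man-in-the-middle could
    tamper with: the page delivering them is cleartext HTTP, so injected script
    sees every keystroke no matter where the form later posts."""
    parser = FormFinder(page_url)
    parser.feed(html)
    if urlparse(page_url).scheme != "http":
        return []
    return [f["action"] for f in parser.forms if f["has_password"]]


# Constructed sample: a cleartext login page whose form posts to HTTPS,
# exactly the combination plugin-keylogger.py targets.
SAMPLE_URL = "http://webmail.example.test/login"
SAMPLE_HTML = """<html><body>
<form action="https://webmail.example.test/auth" method="post">
  <input name="user" type="text"> <input name="pass" type="password">
</form>
<form action="/search"><input name="q" type="text"></form>
</body></html>"""
```

Serving the whole login page over HTTPS (and redirecting the HTTP URL) removes the injection point; an HTTPS form action alone does not.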

Dependencies

The Middler depends on the following Python modules:

•scapy
•libpcap
•readline
•libdnet
•beautifulsoup


You can download The Middler here:
middler-alpha-2009022301.tgz

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

MultiISO LiveDVD is an integrated Live DVD that combines some of the most popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia use, system recovery, etc. It’s an all-in-one, multipurpose LiveDVD. There’s something in it for everyone.

MultiISO LiveDVD Version 1.0 consists of:

•Backtrack 3
•Damn Small Linux (DSL) 4.2.5
•GeeXboX 1.1
•Damn Vulnerable Linux (Strychnine) 1.4 edition
•Knoppix 5.1.1, MPentoo 2006.1
•Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
•Puppy Linux 3.01
•Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a torrent link is available; please seed after downloading):

Torrent:
EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Damn Vulnerable Web App – Learn & Practise Web Hacking

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be lightweight, easy to use and full of vulnerabilities to exploit. It is used to learn or teach the art of web application security.

Vulnerabilities

•SQL Injection
•XSS (Cross Site Scripting)
•LFI (Local File Inclusion)
•RFI (Remote File Inclusion)
•Command Execution
•Upload Script
•Login Brute Force

Changes

•Added Acunetix scan report.
•All links use http://hiderefer.com to hide referrer header.
•Updated/added ‘more info’ links.
•Moved change log info to CHANGELOG.txt.
•Fixed the exec.php UTF-8 output.
•Moved Help/View source buttons to footer.
•Fixed phpInfo bug.
•Made DVWA IE friendly.
•Fixed html bugs.
•Improved README.txt and fixed typos.
•Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock, but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server, as it will be hacked. It’s recommended that you download and install XAMPP onto a local machine inside your LAN that is used solely for testing.

You can download DVWA 1.0.4 here:
dvwa_v1.0.4.zip

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

This Perl script extracts data through blind SQL injection. It accepts custom SQL queries as a command-line parameter and works for both integer-based and string-based injections.

Databases supported:

•MS-SQL
•MySQL
•PostgreSQL
•Oracle

The 6 Attack Models

•Type 0: blind SQL injection based on true and false conditions returned by the back-end server
•Type 1: blind SQL injection based on true and error (e.g. syntax error) responses returned by the back-end server
•Type 2: blind SQL injection in “order by” and “group by” clauses
•Type 3: extracting data with SYS privileges (Oracle dbms_export_extension exploit)
•Type 4: O.S. code execution (Oracle dbms_export_extension exploit)
•Type 5: reading files (Oracle dbms_export_extension exploit, based on Java)

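Type 0 and Type 1 extraction leave a distinctive footprint in a web server's access log: one client re-requests one URL many times, varying a single parameter with boolean conditions, and the responses flip between two sizes or between success and error. The detector below is an added example, not part of bsqlbf; the log lines are constructed and the threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, quote

# Combined-log fields we need: client IP, request target, status, response size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Boolean comparison or extraction fragments that Type 0/1 probes put in the parameter.
SQLISH = re.compile(r"\b(?:and|or)\b.*[=<>]|\b(?:substr(?:ing)?|ascii|select|sleep)\b", re.I)


def parse_line(line):
    """Split one access-log line into (ip, path, query params, status, size)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status, size = m.groups()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return ip, url.path, params, int(status), 0 if size == "-" else int(size)


def find_blind_sqli_bursts(lines, min_variants=8):
    """Map (ip, path, param) -> (variant count, sorted sizes, sorted statuses)
    for clients that re-request one URL with many SQL-looking values of the
    same parameter. Character-by-character extraction needs dozens of such
    requests, and their responses flip between two sizes (Type 0) or between
    200 and an error status (Type 1). min_variants is an assumed threshold."""
    probes = defaultdict(lambda: (set(), set(), set()))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params, status, size = rec
        for name, value in params.items():
            if SQLISH.search(value):
                values, sizes, statuses = probes[(ip, path, name)]
                values.add(value); sizes.add(size); statuses.add(status)
    return {key: (len(v), sorted(s), sorted(st))
            for key, (v, s, st) in probes.items() if len(v) >= min_variants}


# Constructed sample log: a normal visitor fetches the page once, then one
# client walks the ASCII value of a character (Type 0: the page shrinks when
# the injected condition is false).
SAMPLE_LOG = ['10.0.0.7 - - [21/Jul/2009:10:00:00 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120']
for n in range(96, 106):
    probe = quote(f"5 and ascii(substr((select user()),1,1))>{n}", safe="()>,")
    size = 5120 if n < 101 else 4871
    SAMPLE_LOG.append(f'10.0.0.99 - - [21/Jul/2009:10:01:{n - 96:02d} +0000] '
                      f'"GET /news.php?id={probe} HTTP/1.1" 200 {size}')
```

Run over a real log the same way; the volume per parameter, not any single payload, is what separates brute-force extraction from a one-off scanner hit.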
New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:
bsqlbf-v2-3.pl
