Hackers Group Of India

Turbodiff v1.01 BETA Released – Detect Differences Between Binaries

2009-12-02T11:45:00.000-08:00

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Requirements

“Turbodiff 1.01 beta release 1″ works with IDA starting from v5.0.

Instructions

For the binaries:
Download the plugin and store it at the directory “..\IDA\plugins”.

If you want to compile it on your own: We have compiled it and tested it using Borland C. For the free version of IDA Pro (4.9) you’ll need to first:

1.Generate the ida_free.lib library. To do this execute: “implib -c ida_free.lib ida_free.def”
2.Next, you must have the linker use this library.
3.Compile.
Comparing two files:

1.Open the first file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin. Close.
2.Open the second file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin.
Use /Option 2 (compare with…)/ from the plugin, and when prompted to select a file, select the first file.
3.Chose if you want a log file to be genreated and run. Once finished a functions table will popup (watch Figure 1) describing results. The results are then saved for later usage.

You can download Turbodiff here:
IDA PRO v4.9 Sources and plugin (Free version)
IDA starting with version v5 Sources and plugin

Cain & Abel v4.9.35 – Password Sniffer, Cracker and Brute-Forcing Tool

2009-12-02T11:39:00.000-08:00

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol’s standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Most recently added is the support for Windows 2008 Terminal Server in APR-RDP sniffer filter.

You can download Cain & Abel v4.9.35 here:
ca_setup.exe

Katana v1 (Kyuzo) – Portable Multi-Boot Security Suite

2009-12-02T11:34:00.000-08:00

The Katana: Portable Multi-Boot Security Suite is designed to fulfill many of your computer security needs. The idea behind this tool is to bring together many of the best security distributions and applications to run from one USB Flash Drive. Instead of keeping track of dozens of CDs and DVDs loaded with your favorite security tools, you can keep them all conveniently in your pocket.

Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots. Katana comes with over 100 portable Windows applications, such as Wireshark, HiJackThis, Unstoppable Copier, Firefox, and OllyDBG. It also includes the following distributions:

•Backtrack 4 pre
•the Ultimate Boot CD
•Ophcrack Live
•Damn Small Linux
•the Ultimate Boot CD for Windows
•Got Root? Slax
•Organizational Systems Wireless Auditor (OSWA) Assistant
•Damn Vulnerable Linux

Katana is also highly customizable. You can modify Katana by adding or removing distributions and portable apps with ease. You can add functionality to distributions like the Ultimate Boot CD, Got Root? Slax and UBCD4Win. You can also load your personal scripts and documents to keep them conveniently with you on your flash drive to use in concert with the provided tools.

You can download Katana v1 here:
katana-v1.rar
katana-v1.torrent

Metasploit 3.3 Released! Exploitation Framework

2009-12-02T11:16:00.000-08:00

What is Metasploit?

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

What does it do?

The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

It’s come a long way since it’s early versions and has picked up huge supports from the community.

•Metasploit now has 445 exploit modules and 216 auxiliary modules (from 320 and 99 respectively in v3.2)
•Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (375k lines of Ruby)
•Over 180 tickets were closed during the 3.3 development process

Full release notes for v3.3 are here.

You can download Metasploit v3.3 here:
Windows – framework-3.3.exe
Linux – framework-3.3.tar.bz2

Websecurify – Web Security Testing Framework

2009-09-27T13:15:00.000-07:00

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features

1.JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
2.Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
3.Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
4.Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.
5.Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool and there are already tones of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

2009-08-03T02:20:00.000-07:00

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Bsqlbf first hit the net back in April 2006 with bsqlbf v1.1, then the v2.0 update in June 2008 .This new update adds much better Oracle support.

Databases supported:

•MS-SQL
•MySQL
•PostgreSQL
•Oracle

The 6 Attack Models

•Type 0: Blind SQL Injection based on true and false conditions returned by back-end server

•Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

•Type 2: Blind SQL Injection in “order by” and “group by”.

•Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)

•Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)

•Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:
bsqlbf-v2-3.pl

Wireshark 1.2.1 Released – Network Protocol Analyzer

2009-08-03T02:27:00.000-07:00

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Many of you will know it as Ethereal.

Features

•Deep inspection of hundreds of protocols, with more being added all the time

•Live capture and offline analysis

•Standard three-pane packet browser

•Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others

•Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility

•The most powerful display filters in the industry

•Rich VoIP analysis

•Capture files compressed with gzip can be decompressed on the fly

You can see the full changelog for version 1.2.1 here:
Wireshark 1.2.1 Release Notes

You can download Wireshark 1.2.1 here:
Windows 32-bit – wireshark-win32-1.2.1.exe
Source code – wireshark-1.2.1.tar.bz2

GFI LANguard 9 Review – Network Security Scanner & Vulnerability Management Tool

2009-08-03T01:50:00.000-07:00

GFI released version 9 of their scanner (overview here) with improvements to the scanning engine and the interface (including the monitoring dashboard which gives you a good heads-up of the scan results).

One of the big positives with LANguard was the ability to detect patch levels and automatically roll out patches over the network. This makes it a very comprehensive solution, the recent versions also include checks to ensure 3rd party software such as Anti-virus solutions are also up to date (full features here).

It’s as easy to install and get up and running as ever, if you do have any issues the Installation Guide is here [PDF].

Getting started with a scan is as easy as clicking 1 button, the interface has been simplified and it’s a lot more attractive . In fact it’s simple enough that non-security IT folks could use it without much problem.

After a scan is complete you have a choice to Analyze or Remediate. The Analysis section will give you fairly detailed instructions on any vulnerabilities found (including a vulnerability level) and full system information including shares, patch levels and so on.

The Remediate section will inform you of missing patches and allow you to apply these. Other than the standard MS patches and service packs you can also deploy 3rd party applications and uninstall rogue software.

Most things in the scanner can be scheduled too so for example if you want to scan outside of office ours or roll out software/patches at the weekend you can set LANguard to do that.

The dashboard is a nice addition which gives you an overview of the network security and the changes in vulnerabilities over time.

It also comes with the generic network utilities like Whois, DNS Lookup, Traceroute & SNMP Walk.

All in all it’s a great tool, especially for those managing Windows based networks. It makes your life a LOT easiest and it makes it easier to manage patches and software across the Domain.

It’s not a hardcore security tool, which means it also appeals to people more in the Sys Admin & Network areas of the industry. If you have any Windows machines do give it a look, perhaps start with the free version below.

You can download the latest version here:
GFI LANguard 9 Download

Pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.

There is also a FREE version available here:

GFI LANguard 9 5-IP Freeware edition

Chinese Firm Writes First SMS Worm

2009-08-03T01:39:00.000-07:00

Once again China is at the forefront! A group of Chinese companies has managed to develop the first SMS worm!

" Three Chinese companies — XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin — created the ‘Sexy Space’ worms or Yxe Worm (Worm:SymbOS/Yxe.D) and submitted to Symbian OS-based phones through the express signing procedure, said F-Secure Security Labs recently.

“The worm is the first text message worm in history,” said Chia Wing Fei, security response senior manager at F-Secure. “Our labs have received few confirmed reports from China and Middle East at the moment.”

The first stage of Symbian’s signing process is done automatically using an antivirus engine, said Chia, adding that once an application has been submitted and scanned, random samples are then submitted for human audit.

However, most applications are not inspected by humans through the express signing procedure, he noted.

An attacker can therefore put a web link pointing to the worm’s web site into a text message and invite the user to download the worm by clicking the link, Chia said. Once activated, the worm will install itself on the device, and send a similar text messages to all phonebook contacts listed, he added.

“These messages are sent in your name and from your phone. It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents,” Chia noted. "

Source: Network World

sqlmap 0.7 Released – Automatic SQL Injection Tool

2009-08-03T01:08:00.000-07:00

Sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes
Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

•Adapted Metasploit wrapping functions to work with latest 3.3 development version too.

•Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.

•Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.

•This make sqlmap 0.7 to work again on Windows too.

•Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).

•HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:
Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Kon-Boot – Reset Windows & Linux Passwords

2009-07-21T01:55:00.000-07:00

Kon-Boot is an prototype piece of software which allows to change contents of a Linux kernel (and now Windows kernel also!!!) on the fly (while booting).

In the current compilation state it allows to log into a Linux system as ’root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

It was mainly created for Ubuntu, later the author has made a few add-ons to cover some other Linux distributions.

Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems listed below. Kon-Boot for Windows enables logging in to any password protected machine profile without without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually – without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot:

•Windows Server 2008 Standard SP2 (v.275)
•Windows Vista Business SP0
•Windows Vista Ultimate SP1
•Windows Vista Ultimate SP0
•Windows Server 2003 Enterprise
•Windows XP
•Windows XP SP1
•Windows XP SP2
•Windows XP SP3
•Windows 7

No special usage instructions are required for Windows users, just boot from Kon-Boot CD/Floppy, select your profile and put any password you want. You lost your password? Now it doesnt matter at all.

It has been tested with the following Linux distributions:

•Gentoo 2.6.24-gentoo-r5 GRUB 0.97
•Ubuntu 2.6.24.3-debug GRUB 0.97
•Debian 2.6.18-6-6861 GRUB 0.97
•Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

The Middler – User Session Cloning & MITM Tool

2009-07-21T01:47:00.000-07:00

The Middler is a Man in the Middle tool to demonstrate protocol middling attacks. Led by Jay Beale, the project involves a team of authors including InGuardians agents Justin Searle and Matt Carpenter. The Middler is intended to man in the middle, or “middle” for short, every protocol for which we can create code.

The current codebase is in the alpha state, but a beta release is coming soon, with better documentation , easier installation, and even more plug-ins.

Plug-ins

•plugin-beef.py – inject the Browser Exploitation Framework (BeEF) into any HTTP requests originating on the local LAN
•plugin-metasploit.py – inject an IFRAME into cleartext (HTTP) requests that loads Metasploit browser exploits
•plugin-keylogger.py – inject a JavaScript? onKeyPress event handler to cleartext forms that get submitted via HTTPS, forcing the browser to send the password character-by-character to the attacker’s server, before the form is submitted.
The author team has done a tremendous amount of research, design and pseudo-code work, fleshing out attacks on web-based e-mail systems and social networking sites.

Dependencies

The Middler depends on the following Python modules:

•scapy
•libpcap
•readline
•libdnet
•beautifulsoup

You can download The Middler here:
middler-alpha-2009022301.tgz

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

2009-07-21T01:41:00.000-07:00

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s a all-in-one multipurpose LiveDVD put together. There’s something in it for everyone.

MultiISO LiveDVD Version 1.0 consists of:

•Backtrack 3
•Damn Small Linux (DSL) 4.2.5
•GeeXboX 1.1
•Damn Vulnerable Linux (Strychnine) 1.4 edition
•Knoppix 5.1.1, MPentoo 2006.1
•Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
•Puppy Linux 3.01
•Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a Torrent link is available, please seed after downloading):

Torrent: EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Damn Vulnerable Web App – Learn & Practise Web Hacking

2009-07-21T01:25:00.000-07:00

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.

Vulnerabilities

•SQL Injection
•XSS (Cross Site Scripting)
•LFI (Local File Inclusion)
•RFI (Remote File Inclusion)

•Command Execution

•Upload Script
•Login Brute Force

Changes

•Added Acunetix scan report.
•All links use http://hiderefer.com to hide referrer header.
•Updated/added ‘more info’ links.
•Moved change log info to CHANGELOG.txt.
•Fixed the exec.php UTF-8 output.
•Moved Help/View source buttons to footer.
•Fixed phpInfo bug.
•Made DVWA IE friendly.
•Fixed html bugs.
•Improved README.txt and fixed typos.
•Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock..but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommend that you download and install XAMP onto a local machine inside your LAN which is used solely for testing.

You can download DVWA 1.0.4 here:
dvwa_v1.0.4.zip

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

2009-07-21T01:07:00.000-07:00

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Databases supported:

•MS-SQL
•MySQL
•PostgreSQL
•Oracle

The 6 Attack Models

•Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
•Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
•Type 2: Blind SQL Injection in “order by” and “group by”.
•Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
•Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
•Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:
bsqlbf-v2-3.pl

Fiddler - Web Debugging Proxy For HTTP(S)

2009-05-18T12:03:00.000-07:00

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

If you want some info on how to use Fiddler for debugging you can check here:

Fiddler Can Make Debugging Easy

You can download Fiddler here:

Fiddler2Setup.exe

FBController - The Ultimate Utility to Control Facebook Accounts

2009-05-18T11:56:00.000-07:00

Just to put a downer on all the script kiddies, this utility WILL NOT hack/crack Facebook passwords or accounts.

You need to feed it biscuits (cookies) before you can do anything.

You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like.

Once you have the cookies you can use FBController to have Full control over the target’s Facebook account.

Login to your Facebook account and sniff your own cookie OR collect a few live Facebook Biscuit/s of your Target/s.

Till now FBController version 1.0 uses your Target’s provided cookie and only :

A > Downloads the HomePage.
B > Allows you to Update the Target’s Wall and
C > Retrieve your Target’s Friend’s List

There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc.

FBConTroller was entirely written without knowing any of Facebook’s Dev API’s. Considering the above along with Facebook’s complexity, the next version might take some time to get released

You can download FBController here:

FBConTroller.RAR

Durzosploit v0.1 - JavaScript Exploit Generation Framework

2009-05-18T11:49:00.000-07:00

Durzosploit is a JavaScript exploit generation framework that works through the console. This goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

Please note that Durzosploit does not find browser vulnerabilities, it only is an framework containing exploits you can use.

At present there aren’t many exploits:

•twitter.com/update_status - Updates a target’s status
•twitter.com/update_settings - Updates your target’s settings
•facebook.com/what_is_on_your_mind - Write your message in your target’s mind
•drupal/edit_user_profile - Drupal 6.x - edit the profile of the user
•drupal/logout - Drupal 6.x - makes target logout
So far the author’s focus has been on the framework itself; allowing people to quickly write their exploits and adding some automated obfuscators.

Durzosploit provides some obfuscators to automatically pack/minify your generated exploit.

You can download the latest version from the Durzosploit SVN here:

svn co svn://www.engineeringforfun.com/svn/durzosploit/trunk

Pangolin - Automatic SQL Injection Tool

2009-05-18T11:43:00.000-07:00

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Database Support

•Access: Informations (Database Path; Root Path; Drivers); Data
•MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
•MySql: Informations; Data; FileReader; FileWriter;
•Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
•Informix: Informatons; Data
•DB2: Informatons; Data; and more;
•Sybase: Informatons; Data; and more;
•PostgreSQL: Informatons; Data; FileReader;
•Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:

pangolin_free_edition_2.1.2.924.rar (Download Page)

Samurai Web Testing Framework 0.6 Released - Web Application Security LiveCD

2009-05-18T11:39:00.000-07:00

" The authors of Samurai have updated and fixed a number of issues with the environment as well as improved performance of the java based tools. They have also included a virtual machine of the environment. This VM requires VMWare. "

For those that don’t know, Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. There are tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

You can download SamuraiWTF 0.6 here:

samurai-0.6.iso

Charles Web Debugging Proxy - HTTP Monitor & Reverse Proxy

2009-04-22T14:30:00.001-07:00

Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).

Charles can act as a man-in-the-middle for HTTP/SSL communication, enabling you to debug the content of your HTTPS sessions.

Charles simulates modem speeds by effectively throttling your bandwidth and introducing latency, so that you can experience an entire website as a modem user might (bandwidth simulator).

Charles is especially useful for Adobe Flash developers as you can view the contents of LoadVariables, LoadMovie and XML loads. Charles also has native support for Flash Remoting (AMF0 and AMF3).

Charles is also useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables you to see the actual XML that is flowing between the client and the server. Charles natively supports JSON, JSON-RPC and SOAP; displaying each in a simplified tree format for easy viewing and debugging.

You can download Charles Proxy here:

Windows - charles_setup.exe
Linux / Unix - charles.tar.gz
Mac OS X - charles_macosx.zip

EFIPW - Modify Apple EFI Firmware Passwords

2009-04-22T14:22:00.000-07:00

EFIPW is a tool that can be used to decode and modify Apple EFI firmware passwords via the command line. It is designed after the non open source OFPW utility and is designed to work on Intel machines running Leopard or newer. Useful for lab deployments (setting the firmware password of machines as a post install item) and pen tests (recovering the EFI firmware password).

Tested on:
•Core Duo (1st gen) Macbook Pro 15″
•Core 2 Duo Macbook Pro 15″

Technical details on how it works here.

You can download EFIPW v0.1a here:

efipw_v0.1a.zip

ike-scan - IPsec VPN Scanning, Fingerprinting and Testing Tool

2008-11-25T05:20:00.000-08:00

ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

ike-scan allows you to:
Send IKE packets to any number of destination hosts, using a configurable output bandwidth or packet rate. (This is useful for VPN detection, when you may need to scan large address spaces.)
Construct the outgoing IKE packet in a flexible way. (This includes IKE packets which do not comply with the RFC requirements.)
Decode and display any returned packets.
Crack aggressive mode pre-shared keys. (You can use ike-scan to obtain the PSK hash data, and then use psk-crack to obtain the key.)

You can read more in depth about ike-scan and how to use it - in the User Guide.

ike-scan is free software, licensed under the GPL. It runs on Windows, Linux and most Unix systems. If you don’t already have ike-scan installed on your system, read the installation guide.

You can download ike-scan 1.9 here:

Source distribution: ike-scan-1.9.tar.gz

Windows binary: ike-scan-win32-1.9.zip

Browser Rider - Web Browser Exploitation Framework

2008-11-25T05:12:00.000-08:00

Browser Rider is a hacking framework to build payloads that exploit the browser. The project aims to provide a powerful, simple and flexible interface to any client side exploit.
Browser Rider is not a new concept. Similar tools such as BeEF or Backframe exploited the same concept. However most of the other existing tools out there are unmaintained, not updated and not documented. Browser Rider wants to fill those gaps by providing a better alternative.

Features
Easily create powerful payloads and plugins
Manage payloads automatically with plugins
All data can be saved in a database
Obfuscation
Polymorphism
Control more than one zombie at a time
Simple administration panel

Requirements
PHP 5, with json installed
Mysql
Apache with url_rewrite on
Targets must have Javascript turned on
You can download Browser Rider here:

Browser Rider v20081124 (changelog)

XSS-Proxy - Cross Site Scripting Attack Tool

2008-10-26T13:09:00.000-07:00

XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not famliar with XSS, then I recommend you check out the primer links/docs below to get a better of idea of what XSS is and how to detect it, fix it, and exploit it.

CERT info on XSSCGISecurity’s Cross Site Scripting FAQ

Gunter Ollmann’s XSS paper

PeterW’s Cross Site Request Forgery (CSRF) Concept

SecureNet’s Session Riding paper

Some Common Misconceptions about XSS

“A user has to click a link to be impacted by XSS.” No - if you visit a page that has
stuff_to_run your browser will run it regardless of you clicking a link. I carefully crafted this example so it would not be run by your browser, but I could have put real script tags/commands here and made you run then transparently.
“XSS only matters with bulliten boards, blogs, and other sites where an attacker can upload script content.” That is one way the attack can happen, but an attacker can also leverage sites that allow HTML/SCRIPT tags to be reflected back to the same user (like a search form that repeats what it was told to look for in the response). These flaws are commonly combined with public site redirects or emails to attack a second site.
“Don’t XSS attacks just create popup windows, alerts and other pesky things?” No - They are commonly used to reveal your cookies or form based login info to attackers. After havesting this info, the attacker uses it to log into the same site as you.
“I understand XSS, but I don’t think it’s a huge issue“. I think you’ll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.

You can download XSS-Proxy here:
XSS-Proxy_0_0_12-book.pl