WAIDPS - Wireless Auditing, Intrusion Detection & Prevention System

WAIDPS is an open source wireless swissknife written in Python and work on Linux environment. This is a multipurpose tools designed for audit (penetration testing) networks, detect wireless intrusion (WEP/WPA/WPS attacks) and also intrusion prevention (stopping station from associating to access point). Apart from these, it will harvest all WiFi information in the surrounding and store in databases. This will be useful when it comes to auditing a network if the access point is ‘MAC filtered’ or ‘hidden SSID’ and there isn’t any existing client at that moment.

WAIDS may be useful to penetration testers, wireless trainers, law enforcement agencies and those who is interested to know more about wireless auditing and protection. The primarily purpose for this script is to detect intrusion. Once wireless detect is found, it display on screen and also log to file on the attack. Additional features are added to current script where previous WIDS does not have are :

• automatically save the attack packets into a file
• interactive mode where users are allow to perform many functions
• allow user to analyse captured packets
• load previously saved pcap file or any other pcap file to be examine
• customizing filters
• customize detection threshold (sensitivity of IDS in detection)

At present, WAIDS is able to detect the following wireless attacks and will subsequently add other detection found in the previous WIDS.

• Association / Authentication flooding
• Detect mass deauthentication which may indicate a possible WPA attack for handshake
• Detect possible WEP attack using the ARP request replay method
• Detect possible WEP attack using chopchop method
• Detect possible WPS pin bruteforce attack by Reaver, Bully, etc.
• Detection of Evil-Twin
• Detection of Rogue Access Point

The whole structure of the Wireless Auditing, Intrusion Detection & Prevention System will comprise of

Harvesting WiFi Information         [Done]

Intrusion Detection                         [Partially Done]

Intrusion Prevention                       [Partially Done]

Auditing (Testing network)            [Coming Soon]

Other additional item include analyzing of packets, display of captured dump, display network barchart and much more.

Requirements

No special equipment is required to use this script as long as you have the following :

1. Root access (admin)
2. Wireless interface which is capable of monitoring and injection
3. Python 2.7 installed
4. Aircrack-NG suite installed
5. TShark installed
6. TCPDump installed
7. Mergecap installed (for joining pcap files)
8. xterm  installed

Read more here.

Download WAIDPS

Read More

Damn Vulnerable Web App - PHP/MySQL Training Web Application that is Damn Vulnerable

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

WARNING!

Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing.

We do not take responsibility for the way in which any one uses Damn Vulnerable Web App (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.

Download Damn Vulnerable Web App

Read More

Web Security Dojo - Training Environment for Web Application Security Penetration Testing

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?

Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Feature Overview

Targets include:

• OWASP’s WebGoat
• Google’s Gruyere
• Damn Vulnerable Web App
• Hacme Casino
• OWASP InsecureWebApp
• w3af’s test website
• simple training targets by Maven Security (including REST and JSON)

Tools: (starred = new this version)

• Burp Suite (free version)
• w3af
• sqlmap
• arachni *
• metasploit
• Zed Attack Proxy *
• OWASP Skavenger
• OWASP Dirbuster
• Paros
• Webscarab
• Ratproxy
• skipfish
• websecurify
• davtest
• J-Baah
• JBroFuzz
• Watobo *
• RATS
• helpful Firefox add-ons

Download Web Security Dojo

Read More

NoPo - NoSQL Honeypot Framework

NoSQL-Honeypot-Framework (NoPo) is an open source honeypot for nosql databases that automates the process of detecting attackers,logging attack incidents. The simulation engines are deployed using the twisted framework.Currently the framework holds support for redis.

N.B : The framework is under development and is prone to bugs

Installation
You can download NoPo by cloning the Git repository:

git clone https://github.com/torque59/nosqlpot.git

pip install -r requirements.txt

NoPo works out of the box with Python version 2.6.x and 2.7.x on any platform.

Added Features:

• First Ever Honeypot for NoSQL Databases
• Support For Config Files
• Simulates Protocol Specification as of Servers
• Support for Redis

Usage
Get a list of basic options :

python nopo.py -h

Deploy an nosql engine:

python nopo.py -deploy redis

Deploy an nosql engine with a configuration file:

python nopo.py -deploy redis -config filename

Log commands,session to file :

python nopo.py -deploy redis -out log.out

Download NoPo

Read More

Pixiewps - Bruteforce Offline the WPS Pin (Pixie Dust Attack)

Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.

DEPENDENCIES

Pixiewps requires libssl. To install it:

    sudo apt-get install libssl-dev

INSTALLATION
Pixiewps can be built and installed by running:

    ~/pixiewps$ cd src
    ~/pixiewps/src$ make
    ~/pixiewps/src$ sudo make install

USAGE

 Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke           : Enrollee public key
    -r, --pkr           : Registrar public key
    -s, --e-hash1       : Enrollee Hash1
    -z, --e-hash2       : Enrollee Hash2
    -a, --authkey       : Authentication session key

 Optional Arguments:

    -n, --e-nonce       : Enrollee nonce
    -m, --r-nonce       : Registrar nonce
    -b, --e-bssid       : Enrollee BSSID
    -S, --dh-small      : Small Diffie-Hellman keys (PKr not needed)   [No]
    -f, --force         : Bruteforce the whole keyspace                [No]
    -v, --verbosity     : Verbosity level 1-3, 1 is quietest            [3]

    -h, --help          : Display this usage screen

USAGE EXAMPLE
A common usage example is:

    pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-hash2> --authkey <authkey> --e-nonce <e-nonce>

which requires a modified version of Reaver or Bully which prints AuthKey. The recommended version is reaver-wps-fork-t6x.

If the following message is shown:

[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.

then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force or alternatively with a newer set of data.

DESCRIPTION OF ARGUMENTS

    -e, --pke

        Enrollee's DH public key, found in M1.

    -r, --pkr

        Registrar's DH public key, found in M2 or can be avoided by specifying
        --dh-small in both Reaver and Pixiewps.

    -s, --e-hash1

        Enrollee Hash-1, found in M3.

    -z, --e-hash2

        Enrollee Hash-2, found in M3.

    -a, --authkey

        Registration Protocol authentication session key. Although for this parameter a
        modified version of Reaver or Bully is needed, it can be avoided by specifying
        small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce,
        --r-nonce and --e-bssid.

    -n, --e-nonce

        Enrollee's nonce, found in M1.

    -m, --r-nonce

        Registrar's nonce, found in M2.

    -b, --e-bssid

        Enrollee's BSSID.

    -S, --dh-small

        Small Diffie-Hellman keys. The same option MUST be specified in Reaver
        (1.3 or later versions) too. This option should be avoided when possible.

    -f, --force

        Force Pixiewps to bruteforce the whole keyspace (only for one type of PRNG).
        It could take up to several minutes to complete.

    -v, --verbosity

        Verbosity level (1-3). Level 3 displays the most information.

    -h, --help

        Display usage screen.

Download Pixiewps

Read More

PyPhisher - A Simple Python Tool for Phishing

If you are looking to make a phishing testing or demonstration you can check PyPhisher. This tool was created for the purpose of phishing during a penetration test. This tool is python based that provide user a way to send emails with a customized template that he design. you can have an html format that is similar to any organization and replace the links that you want to send.

This was inspired by SpearPhiser beta by Dave Kennedy from Trustedsec and a feature found in Cobalt Strike by Rapheal Mudge from Strategic Cyber

Usage:

PyPhisher.py --server mail.server.com --port 25 --username user --password password --html phish.txt --url_replace phishlink.com --subject Read!! --sender important@phish.com --sendto target@company.com

Available options:

--server          The SMTP server that you are going to be using to send the email
--port            The port number that is setup for SMTP
--html            The pre-crafted html that will be used in the email
--url_replace     The url that will be used to replace all links in the email
--subject         The subject that will appear in the email message
--sender          The sender that will appear on the email example
--sendto          Who you would like to send the email to

Download PyPhisher

Read More

AsHttp - Shell Command to Expose any other Command as HTTP

ashttp provide a simple way to expose any shell command by HTTP. For example, to expose top by HTTP, try : ashttp -p8080 top ; then try http://localhost:8080.

Dependencies

ashttp depends on hl_vt100, a headless VT100 emulator.
To get and compile hl_vt100 :

$ git clone https://github.com/JulienPalard/vt100-emulator.git
$ aptitude install python-dev
$ make python_module
$ python setup.py install

Usage

ashttp can serve any text application over HTTP, like :

$ ashttp -p 8080 top

to serve a top on port 8080

$ ashttp -p 8080 watch -n 1 ls -lah /tmp

to serve an actualized directory listing of /tmp

Download AsHttp

Read More

Plecost - Wordpress Vulnerabilities Finder

Plecost is a vulnerability fingerprinting and vulnerability finder for Wordpress blog engine.

Why?

There are a huge number of Wordpress around the world. Most of them are exposed to be attacked and be converted into a virus, malware or illegal porn provider, without the knowledge of the blog owner.

This project try to help sysadmins and blog's owners to make a bit secure their Wordpress.

What's new?

This Plecost 3 version, add a lot of new features and fixes, like:

• Fixed a lot of bugs.
• New engine: without threads or any dependencies, but run more faster. We'll used python 3 asyncio and non-blocking connections. Also consume less memory. Incredible, right? :)
• Changed CVE update system and storage: Now Plecost get vulnerabilities directly from NIST and create a local SQLite data base with filtered information for Wordpress and theirs plugins.
• Wordpress vulnerabilities: Now Plecost also manage Wordpress Vulnerabilities (not only for the Plugins).
• Add local vulnerability database are queryable. You can consult the vulnerabilities for a concrete wordpress or plugins without, using the local database.

You can read entire list in CHANGELOG file.

Installation
Install Plecost is so easy:

$ python3 -m pip install plecost

Remember that Plecost3 only runs in Python 3.

Quick start
Scan a web site si so simple:

$ plecost http://SITE.com

A bit complex scan: increasing verbosity exporting results in JSON format and XML:
JSON

$ plecost -v http://SITE.com -o results.json

XML

$ plecost -v http://SITE.com -o results.xml

Advanced scan options
No check WordPress version, only for plugins:

$ plecost -nc http://SITE.com 

Force scan, even if not Wordpress was detected:

$ plecost -f http://SITE.com

Display only the short banner:

$ plecost -nb http://SITE.com

List available wordlists:

$ plecost -nb -l 

// Plecost - Wordpress finger printer Tool - v1.0.0

Available word lists:
   1 - plugin_list_10.txt
   2 - plugin_list_100.txt
   3 - plugin_list_1000.txt
   4 - plugin_list_250.txt
   5 - plugin_list_50.txt
   6 - plugin_list_huge.txt

Select a wordlist in the list:

$ plecost -nb -w plugin_list_10.txt http://SITE.com

Increasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!)

$ plecost --concurrency 10 http://SITE.com

Or...

$ plecost -c 10 http://SITE.com

For more options, consult the --help command:

$ plecost -h

Updating
New versions and vulnerabilities are released diary, you can upload the local database writing:
Updating vulnerability database:

$ plecost --update-cve

Updating plugin list:

$ plecost --update-plugins

ScreenShots

Download Plecost

Read More

YASUO - Scans for Vulnerable & Exploitable 3rd-party Web Applications

Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.

While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.

If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc.

Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter.

Setup / Install

You would need to install the following gems:

gem install ruby-nmap net-http-persistent mechanize colorize text-table

Details

Yasuo provides following command-line options:

-r :: If you want Yasuo to perform port scan, use this switch to provide an IP address or IP range or an input file with new-line separated IP addresses

-s :: Provide custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]

-f :: If you do not want Yasuo to perform port scan and already have an nmap output in xml format, use this switch to feed the nmap output

-n :: Tells Yasuo to not ping the host while performing the port scan. Standard nmap option.

-p :: Use this switch to provide port number(s)/range

-A :: Use this switch to scan all the 65535 ports. Standard nmap option.

-b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. "all" will brute-force both form & http basic auth. "form" will only brute-force form-based auth. "basic" will only brute-force http basic auth.

-t :: Specify maximum number of threads

-h :: Well, take a guess

Examples

./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form

The above command will perform port scan against 127.0.0.1 on ports 80, 8080, 443 and 8443 and will brute-force login for all the applications that implement form-based authentication.

./yasuo -f my_nmap_output.xml -b all

The above command will parse the nmap output file "my_nmap_output.xml" and will brute-force login for all the applications that implement form-based and http basic authentication.

Download YASUO

Read More