MITMf - Framework for Man-In-The-Middle attacks

Framework for Man-In-The-Middle attacks

Available plugins

• SMBtrap - Exploits the 'SMB Trap' vulnerability on connected clients
• Screenshotter - Uses HTML5 Canvas to render an accurate screenshot of a clients browser
• Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
• SSLstrip+ - Partially bypass HSTS
• Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
• BeEFAutorun - Autoruns BeEF modules based on a client's OS or browser type
• AppCachePoison - Perform app cache poisoning attacks
• Ferret-NG - Transperently hijacks sessions
• BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
• CacheKill - Kills page caching by modifying headers
• FilePwn - Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
• Inject - Inject arbitrary content into HTML content
• BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
• jskeylogger - Injects a Javascript keylogger into a client's webpages
• Replace - Replace arbitary content in HTML content
• SMBAuth - Evoke SMB challenge-response authentication attempts
• Upsidedownternet - Flips images 180 degrees

How to install on Kali

apt-get install mitmf

Installation
If MITMf is not in your distro's repo or you just want the latest version:

• Run the command git clone https://github.com/byt3bl33d3r/MITMf.git to clone this directory
• Run the setup.sh script
• Run the command pip install --upgrade -r requirements.txt to install all Python dependencies

On Kali Linux, if you get an error while installing the pypcap package or when starting MITMf you see: ImportError: no module named pcap, run apt-get install python-pypcap to fix it

Download MITMf

Read More

Proxenet - Hacker Friendly Proxy for Web Application Penetration Tests

Proxenet is a hacker friendly proxy for web application penetration tests.

proxenet is a multi-threaded proxy which allows you manipulate your HTTP requests and responses using your favorite scripting language. No need to learn Java (like for Burp) or Python (like for mitmproxy). proxenetsupports heaps of languages (see the section "Language Versions") and more can be easily added.

proxenet is not script kiddie friendly, neither GUI friendly. If this is what you are looking for, here are a few links for you:

• ZAP
• Burp
• ProxyStrike

Or the best way, write your own GUI as a proxenet plugin!

Why ?

The idea behind proxenet came after a lot of frustration from attempting to write extensions for Burp. Moreover, only a few proxies already existing supports the possibility to add new extensions. And when they do, they are (one) language specific - despite Burp persistent attempts to make unnatural bindings (Python over Java or worse Ruby over Java.

Being written in pure C, it is fast, efficient and easily pluggable to anything else. It is the utimate real DIY web proxy for pentest(ers).

Features

Here are a sample of features already supported by proxenet:

• Written in C
  • Fast (heavy thread use)
  • Efficient (POSIX compatible)
  • Low memory footprint (for the core)
• Can interact with any language
• Provides plugins support for the following languages:
  • C
  • Python
  • Lua
  • Ruby
  • Perl
  • Tcl
  • Java
• SSL
  • Full SSL interception (internal CA)
  • SSL client certificate authentication
• IPv4/IPv6
• HTTP Proxy forwarding
• White-list/Black-list hosts filtering
• Command interface out-of-band
• Nice TTY colors :D
• 100% Open-Source

... and more !

The best of both world ?

Some people might miss the beautiful interface some other GUI-friendly proxies provide. So be it! Plug proxenet as a relay behind your favorite Burp, Zap, Proxystrike, burst, etc. and enjoy the show!

How to start

$ git clone https://github.com/hugsy/proxenet.git
$ cd proxenet && cmake . && make

Download Proxenet

Read More

The Exploit-Database Git Repository

This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms.

root@kali:~# searchsploit -h
Usage  : searchsploit [OPTIONS] term1 [term2] ... [termN]
Example: searchsploit oracle windows local

=========
 OPTIONS
=========
 -c         - Perform case-sensitive searches; by default,
              searches will try to be greedy
 -v         - By setting verbose output, description lines
              are allowed to overflow their columns
 -h, --help - Show help screen

NOTES:
 - Use any number of search terms you would like (minimum: 1)
 - Search terms are not case sensitive, and order is irrelevant

root@kali:~# searchsploit afd windows local
----------------------------------------------------------------|----------------------------------
Description                                                     |  Path
----------------------------------------------------------------|----------------------------------
MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plug | /windows/local/6757.txt
Microsoft Windows xp AFD.sys Local Kernel DoS Exploit           | /windows/dos/17133.c
Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (M | /windows/local/18176.py
Windows - AfdJoinLeaf Privilege Escalation (MS11-080)           | /windows/local/21844.rb
----------------------------------------------------------------|----------------------------------
root@kali:~#

Download The Exploit-Database Git Repository

Read More

BypassWAF - Burp Plugin to Bypass Some WAF Devices

Add headers to all Burp requests to bypass some WAF products. This extension will automatically add the following headers to all requests.

  X-Originating-IP: 127.0.0.1
  X-Forwarded-For: 127.0.0.1
  X-Remote-IP: 127.0.0.1
  X-Remote-Addr: 127.0.0.1

Usage

Steps include:

1. Add extension to burp
2. Create a session handling rule in Burp that invokes this extension
3. Modify the scope to include applicable tools and URLs
4. Configure the bypass options on the "Bypass WAF" tab
5. Test away

Read more here.

Features

All of the features are based on Jason Haddix's work found here, and Ivan Ristic's WAF bypass work found here and here.

Bypass WAF contains the following features:

A description of each feature follows:

1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique i the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or by modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types, this feature targets that weakness.
3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
5. The path injection feature can leave a request unmodified, inject random path info information (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?resetofquery). This can be used to bypass poorly written rules that rely on path information.
6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
8. The "Set Configuration" button activates all the settings that you have chosen.

All of these features can be combined to provide multiple bypass options.

Download BypassWAF

Read More

SQLiPy - Plugin for Burp Suite that integrates SQLMap using the SQLMap API

SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.

SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan.

Requirements

Jython 2.7 beta, due to the use of json
Java 1.7 or 1.8 (the beta version of Jython 2.7 requires this)

Usage

SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:

  python sqlmapapi.py -s -H <ip> -p <port>

Or, you can use the SQLMap API tab to select the IP/Port on which to run, as well as the path to python and sqlmapapi.py on your system.

Once the SQLMap API is running, it is just a matter of right mouse clicking in the 'Request' sub tab of either the Target or Proxy main tabs and choosing 'SQLiPy Scan'.

This will populate the SQLMap Scanner tab of the plugin with information about that request. Clicking the 'Start Scan' button will execute a scan.

If the page is vulnerable to SQL injection, then a thread from the plugin will poll the results and add them to the Scanner Results tab.

Read more here.

Download SQLiPy

Read More

I2P - The Invisible Internet Project

I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. The network itself is strictly message based (a la IP), but there is a library available to allow reliable streaming communication on top of it (a la TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).

How does it work?

To anonymize the messages sent, each client application has their I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination. Every participant in the network chooses the length of these tunnels, and in doing so, makes a tradeoff between anonymity, latency, and throughput according to their own needs. The result is that the number of peers relaying each end to end message is the absolute minimum necessary to meet both the sender's and the receiver's threat model.

The first time a client wants to contact another client, they make a query against the fully distributed "network database" - a custom structured distributed hash table (DHT) based off the Kademlia algorithm. This is done to find the other client's inbound tunnels efficiently, but subsequent messages between them usually includes that data so no further network database lookups are required.

What can you do with it?

Within the I2P network, applications are not restricted in how they can communicate - those that typically use UDP can make use of the base I2P functionality, and those that typically use TCP can use the TCP-like streaming library. We have a generic TCP/I2P bridge application ("I2PTunnel") that enables people to forward TCP streams into the I2P network as well as to receive streams out of the network and forward them towards a specific TCP/IP address.

I2PTunnel is currently used to let people run their own anonymous website ("eepsite") by running a normal webserver and pointing an I2PTunnel 'server' at it, which people can access anonymously over I2P with a normal web browser by running an I2PTunnel HTTP proxy ("eepproxy"). In addition, we use the same technique to run an anonymous IRC network (where the IRC server is hosted anonymously, and standard IRC clients use an I2PTunnel to contact it). There are other application development efforts going on as well, such as one to build an optimized swarming file transfer application (a la BitTorrent), a distributed data store (a la Freenet / MNet), and a blogging system (a fully distributed LiveJournal), but those are not ready for use yet.

I2P is not inherently an "outproxy" network - the client you send a message to is the cryptographic identifier, not some IP address, so the message must be addressed to someone running I2P. However, it is possible for that client to be an outproxy, allowing you to anonymously make use of their Internet connection. To demonstrate this, the "eepproxy" will accept normal non-I2P URLs (e.g. "http://www.i2p.net") and forward them to a specific destination that runs a squid HTTP proxy, allowing simple anonymous browsing of the normal web. Simple outproxies like that are not viable in the long run for several reasons (including the cost of running one as well as the anonymity and security issues they introduce), but in certain circumstances the technique could be appropriate.

The I2P development team is an open group, welcome to all who are interested in getting involved, and all of the code is open source. The core I2P SDK and the current router implementation is done in Java (currently working with both sun and kaffe, gcj support planned for later), and there is a simple socket based API for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current roadmap describes our schedule.

Download I2P

Read More

WAIDPS - Wireless Auditing, Intrusion Detection & Prevention System

WAIDPS is an open source wireless swissknife written in Python and work on Linux environment. This is a multipurpose tools designed for audit (penetration testing) networks, detect wireless intrusion (WEP/WPA/WPS attacks) and also intrusion prevention (stopping station from associating to access point). Apart from these, it will harvest all WiFi information in the surrounding and store in databases. This will be useful when it comes to auditing a network if the access point is ‘MAC filtered’ or ‘hidden SSID’ and there isn’t any existing client at that moment.

WAIDS may be useful to penetration testers, wireless trainers, law enforcement agencies and those who is interested to know more about wireless auditing and protection. The primarily purpose for this script is to detect intrusion. Once wireless detect is found, it display on screen and also log to file on the attack. Additional features are added to current script where previous WIDS does not have are :

• automatically save the attack packets into a file
• interactive mode where users are allow to perform many functions
• allow user to analyse captured packets
• load previously saved pcap file or any other pcap file to be examine
• customizing filters
• customize detection threshold (sensitivity of IDS in detection)

At present, WAIDS is able to detect the following wireless attacks and will subsequently add other detection found in the previous WIDS.

• Association / Authentication flooding
• Detect mass deauthentication which may indicate a possible WPA attack for handshake
• Detect possible WEP attack using the ARP request replay method
• Detect possible WEP attack using chopchop method
• Detect possible WPS pin bruteforce attack by Reaver, Bully, etc.
• Detection of Evil-Twin
• Detection of Rogue Access Point

The whole structure of the Wireless Auditing, Intrusion Detection & Prevention System will comprise of

Harvesting WiFi Information         [Done]

Intrusion Detection                         [Partially Done]

Intrusion Prevention                       [Partially Done]

Auditing (Testing network)            [Coming Soon]

Other additional item include analyzing of packets, display of captured dump, display network barchart and much more.

Requirements

No special equipment is required to use this script as long as you have the following :

1. Root access (admin)
2. Wireless interface which is capable of monitoring and injection
3. Python 2.7 installed
4. Aircrack-NG suite installed
5. TShark installed
6. TCPDump installed
7. Mergecap installed (for joining pcap files)
8. xterm  installed

Read more here.

Download WAIDPS

Read More

Damn Vulnerable Web App - PHP/MySQL Training Web Application that is Damn Vulnerable

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

WARNING!

Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing.

We do not take responsibility for the way in which any one uses Damn Vulnerable Web App (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.

Download Damn Vulnerable Web App

Read More

Web Security Dojo - Training Environment for Web Application Security Penetration Testing

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?

Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Feature Overview

Targets include:

• OWASP’s WebGoat
• Google’s Gruyere
• Damn Vulnerable Web App
• Hacme Casino
• OWASP InsecureWebApp
• w3af’s test website
• simple training targets by Maven Security (including REST and JSON)

Tools: (starred = new this version)

• Burp Suite (free version)
• w3af
• sqlmap
• arachni *
• metasploit
• Zed Attack Proxy *
• OWASP Skavenger
• OWASP Dirbuster
• Paros
• Webscarab
• Ratproxy
• skipfish
• websecurify
• davtest
• J-Baah
• JBroFuzz
• Watobo *
• RATS
• helpful Firefox add-ons

Download Web Security Dojo

Read More