Burp Suite Professional 1.6.26 - The Leading Toolkit for Web Application Security Testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

 Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Burp Suite contains the following key components:

• An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
• An application-aware Spider, for crawling content and functionality.
• An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
• An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
• A Repeater tool, for manipulating and resending individual requests.
• A Sequencer tool, for testing the randomness of session tokens.
• The ability to save your work and resume working later.
• Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Release Notes v1.6.26

This release adds the ability to detect blind server-side XML/SOAP injection by triggering interactions with Burp Collaborator.

Previously, Burp Scanner has detected XML/SOAP injection by submitting some XML-breaking syntax like:

]]>>

and analyzing responses for any resulting error messages.

Burp now sends payloads like:

<nzf xmlns="http://a.b/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">
nzf</nzf>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

Note that this type of technique is effective even when the original parameter value does not contain XML, and there is no indication within the request or response that XML/SOAP is being used on the server side.

The new scan check uses both schema location and XInclude to cause the server-side XML parser to interact with the Collaborator server.

In addition, when the original parameter value does contain XML being submitted by the client, Burp now also uses the schema location and XInclude techniques to try to induce external service interactions. (We believe that Burp is now aware of all available tricks for inducing a server-side XML parser to interact with an external network service. But we would be very happy to hear of any others that people know about.)

Download Burp Suite Professional 1.6.26

Read More

Sonar.js - Framework for identifying and launching exploits against internal network hosts

A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

How does it work?

Upon loading the sonar.js payload in a modern web browser the following will happen:

• sonar.js will use WebRTC to enumerate what internal IPs the user loading the payload has.
• sonar.js then attempts to find live hosts on the internal network via WebSockets.
• If a live host is found, sonar.js begins to attempt to fingerprint the host by linking to it via <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
• If the user changes networks, sonar.js starts the process all over again on the newly joined network.

Fingerprints

sonar.js works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

• name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
• fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
• callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.

By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar.js. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension

What can be done using sonar.js?

By using sonar.js a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a hosts internal network.

Download Sonar.js

Read More

AutoBrowser - Create Report and Screenshots of HTTP/s Based Ports on the Network

AutoBrowser is a tool written in python for penetration testers. The purpose of this tool is to create report and screenshots of http/s based ports on the network. It analyze Nmap Report or scan with Nmap, Check the results with http/s request on each host using headless web browser, Grab a screenshot of the response page content.

• This tool is designed for IT professionals to perform penetration testing to scan and analyze NMAP results.

Proof of concept video (From version: 2.0)

Examples

Delimiting the values on the CLI arguments it must be by double quotes only!

• Get the argument details of scan method: python AutoBrowser.py scan --help
• Scan with Nmap and Checks the results and create folder by name project_name: python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name
• Get the argument details of analyze method:python AutoBrowser.py analyze --help
• Analyzing Nmap XML report and create folder by name report_analyze: python AutoBrowser.py analyze nmap_file.xml --project report_analyze

Requirements:

Linux Installation:

1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
2. sudo pip install -r requirements.txt

MacOSx Installation:

1. Install Xcode Command Line Tools (AppStore)
2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
3. brew install pyqt nmap
4. sudo easy_install pip
5. sudo pip install -r requirements.txt

Windows Installation:

1. Install setuptools
2. Install pip
3. Install PyQt4
4. install Nmap
5. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
6. pip install -r (Full Path To requirements.txt)

Download AutoBrowser

Read More

TestDisk - Partition Recovery and File Undelete for Windows, Linux and Mac

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

TestDisk can:

• Fix partition table, recover deleted partition
• Recover FAT32 boot sector from its backup
• Rebuild FAT12/FAT16/FAT32 boot sector
• Fix FAT tables
• Rebuild NTFS boot sector
• Recover NTFS boot sector from its backup
• Fix MFT using MFT mirror
• Locate ext2/ext3/ext4 Backup SuperBlock
• Undelete files from FAT, exFAT, NTFS and ext2 filesystem
• Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions.

TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.

Operating systems 

TestDisk can run under

• DOS (either real or in a Windows 9x DOS-box),
• Windows (NT4, 2000, XP, 2003, Vista, 2008, Windows 7 (x86 & x64),
• Linux,
• FreeBSD, NetBSD, OpenBSD,
• SunOS and
• MacOS X

Filesystems

TestDisk can find lost partitions for all of these file systems:

• BeFS ( BeOS )
• BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
• CramFS, Compressed File System
• DOS/Windows FAT12, FAT16 and FAT32
• XBox FATX
• Windows exFAT
• HFS, HFS+ and HFSX, Hierarchical File System
• JFS, IBM's Journaled File System
• Linux btrfs
• Linux ext2, ext3 and ext4
• Linux GFS2
• Linux LUKS encrypted partition
• Linux RAID md 0.9/1.0/1.1/1.2
  • RAID 1: mirroring
  • RAID 4: striped array with parity device
  • RAID 5: striped array with distributed parity information
  • RAID 6: striped array with distributed dual redundancy information
• Linux Swap (versions 1 and 2)
• LVM and LVM2, Linux Logical Volume Manager
• Mac partition map
• Novell Storage Services NSS
• NTFS ( Windows NT/2000/XP/2003/Vista/2008/7 )
• ReiserFS 3.5, 3.6 and 4
• Sun Solaris i386 disklabel
• Unix File System UFS and UFS2 (Sun/BSD/...)
• XFS, SGI's Journaled File System
• Wii WBFS
• Sun ZFS

Download TestDisk

Read More

Intrigue - Intelligence Gathering Framework

Intrigue-core is an API-first intelligence gathering framework for Internet reconnaissance and research.

Setting up a development environment

The following are presumed available and configured in your environment

• redis
• sudo
• nmap
• zmap
• masscan
• java runtime

Sudo is used to allow root access for certain commands ^ , so make sure this doesn't require a password:

your-username ALL = NOPASSWD: /usr/bin/masscan, /usr/sbin/zmap, /usr/bin/nmap

Starting up...

Make sure you have redis installed and running. (Use Homebrew if you're on OSX).

Install all gem dependencies with Bundler (http://bundler.io/)

$ bundle install

Start the web and background workers. Intrigue will start on 127.0.0.0:7777.

$ foreman start

Now, browse to the web interface.

Using the web interface

To use the web interface, browse to http://127.0.0.1:7777

Getting started should be pretty straightforward, try running a "dns_brute_sub" task on your domain. Now, try with the "use_file" option set to true.

API usage via core-cli:

A command line utility has been added for convenience, core-cli.
List all available tasks:

$ bundle exec ./core-cli.rb list

Start a task:

$ bundle exec ./core-cli.rb start dns_lookup_forward DnsRecord#intrigue.io

Start a task with options:

$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=1,2,3,4,www#use_permutations=true
[+] Starting task
[+] Task complete!
[+] Start Results
  DnsRecord#www.intrigue.io
  IpAddress#192.0.78.13
[ ] End Results
[+] Task Log:
[ ] : Got allowed option: resolver
[ ] : Allowed option: {:name=>"resolver", :type=>"String", :regex=>"ip_address", :default=>"8.8.8.8"}
[ ] : Regex should match an IP Address
[ ] : No need to convert resolver to a string
[+] : Allowed user_option! {"name"=>"resolver", "value"=>"8.8.8.8"}
[ ] : Got allowed option: brute_list
[ ] : Allowed option: {:name=>"brute_list", :type=>"String", :regex=>"alpha_numeric_list", :default=>["mx", "mx1", "mx2", "www", "ww2", "ns1", "ns2", "ns3", "test", "mail", "owa", "vpn", "admin", "intranet", "gateway", "secure", "admin", "service", "tools", "doc", "docs", "network", "help", "en", "sharepoint", "portal", "public", "private", "pub", "zeus", "mickey", "time", "web", "it", "my", "photos", "safe", "download", "dl", "search", "staging"]}
[ ] : Regex should match an alpha-numeric list
[ ] : No need to convert brute_list to a string
[+] : Allowed user_option! {"name"=>"brute_list", "value"=>"1,2,3,4,www"}
[ ] : Got allowed option: use_permutations
[ ] : Allowed option: {:name=>"use_permutations", :type=>"Boolean", :regex=>"boolean", :default=>true}
[ ] : Regex should match a boolean
[+] : Allowed user_option! {"name"=>"use_permutations", "value"=>true}
[ ] : user_options: [{"resolver"=>"8.8.8.8"}, {"brute_list"=>"1,2,3,4,www"}, {"use_permutations"=>true}]
[ ] : Task: dns_brute_sub
[ ] : Id: fddc7313-52f6-4d5a-9aad-fd39b0428ca5
[ ] : Task entity: {"type"=>"DnsRecord", "attributes"=>{"name"=>"intrigue.io"}}
[ ] : Task options: [{"resolver"=>"8.8.8.8"}, {"brute_list"=>"1,2,3,4,www"}, {"use_permutations"=>true}]
[ ] : Option configured: resolver=8.8.8.8
[ ] : Option configured: use_file=false
[ ] : Option configured: brute_file=dns_sub.list
[ ] : Option configured: use_mashed_domains=false
[ ] : Option configured: brute_list=1,2,3,4,www
[ ] : Option configured: use_permutations=true
[ ] : Using provided brute list
[+] : Using subdomain list: ["1", "2", "3", "4", "www"]
[+] : Looks like no wildcard dns. Moving on.
[-] : Hit exception: no address for 1.intrigue.io
[-] : Hit exception: no address for 2.intrigue.io
[-] : Hit exception: no address for 3.intrigue.io
[-] : Hit exception: no address for 4.intrigue.io
[+] : Resolved Address 192.0.78.13 for www.intrigue.io
[+] : Creating entity: DnsRecord, {:name=>"www.intrigue.io"}
[+] : Creating entity: IpAddress, {:name=>"192.0.78.13"}
[ ] : Adding permutations: www1, www2
[-] : Hit exception: no address for www1.intrigue.io
[-] : Hit exception: no address for www2.intrigue.io
[+] : Ship it!
[ ] : Sending to Webhook: http://localhost:7777/v1/task_runs/fddc7313-52f6-4d5a-9aad-fd39b0428ca5

Check for a list of subdomains on intrigue.io:

$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=a,b,c,proxy,test,www

Check the Alexa top 1000 domains for the existence of security headers:

$ for x in `cat data/domains.txt | head -n 1000`; do bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#$x;done

API usage via rubygem

$ gem install intrigue
$ irb

> require 'intrigue'
> x =  Intrigue.new

  # Create an entity hash, must have a :type key
  # and (in the case of most tasks)  a :attributes key
  # with a hash containing a :name key (as shown below)
> entity = {
    :type => "String",
    :attributes => { :name => "intrigue.io"}
  }

  # Create a list of options (this can be empty)
> options_list = [
    { :name => "resolver", :value => "8.8.8.8" }
  ]

> x.start "example", entity_hash, options_list
> id  = x.start "example", entity_hash, options_list
> puts x.get_log id
> puts x.get_result id

API usage via curl:

You can use the tried and true curl utility to request a task run. Specify the task type, specify an entity, and the appropriate options:

$ curl -s -X POST -H "Content-Type: application/json" -d '{ "task": "example", "entity": { "type": "String", "attributes": { "name": "8.8.8.8" } }, "options": {} }' http://127.0.0.1:7777/v1/task_runs

Download Intrigue-core

Read More

FruityWifi v2.2 - Wireless Network Auditing Tool

FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.

Initialy the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.

FruityWifi v2.0 has many upgrades. A new interface, new modules, Realtek chipsets support, Mobile Broadband (3G/4G) support, a new control panel, and more.

A more flexible control panel. Now it is possible to use FruityWifi combining multiple networks and setups:

- Ethernet ⇔ Ethernet,

- Ethernet ⇔ 3G/4G,

- Ethernet ⇔ Wifi,

- Wifi ⇔ Wifi,

- Wifi ⇔ 3G/4G, etc.

Within the new options on the control panel we can change the AP mode between Hostapd or Airmon-ng allowing to use more chipsets like Realtek.

It is possible customize each one of the network interfaces which allows the user to keep the current setup or change it completely.

Changelog

v2.2

• Wireless service has been replaced by AP module
• Mobile support has been added
• Bootstrap support has been added
• Token auth has been added
• minor fix

v2.1

• Hostapd Mana support has been added
• Phishing service has been replaced by phishing module
• Karma service has been replaced by karma module
• Sudo has been implemented (replacement for danger)
• Logs path can be changed
• Squid dependencies have been removed from FruityWifi installer
• Phishing dependencies have been removed from FruityWifi installer
• New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
• Domain name can be changed from config panel
• New install options have been added to install-FruityWifi.sh
• Install/Remove have been updated

Download FruityWifi

Read More

NetRipper - Smart Traffic Sniffing for Penetration Testers

NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications

NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components

NetRipper.exe - Configures and inject the DLL  
DLL.dll       - Injected DLL, hook APIs and save data to files  
netripper.rb  - Metasploit post-exploitation module

Command line

Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe  

Generate DLL:

  -h,  --help          Print this help message  
  -w,  --write         Full path for the DLL to write the configuration data  
  -l,  --location      Full path where to save data files (default TEMP)  

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true  
  -d,  --datalimit     Limit capture size per request. E.g. 4096  
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config  

Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module

msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                                        yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data

Set PROCESSNAMES and run.

Metasploit installation (Kali)

1. cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
2. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
3. g++ -Wall netripper.cpp -o netripper
4. cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
5. cd ../Release
6. cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

PowerShell module

@HarmJ0y Added Invoke-NetRipper.ps1 PowerShell implementation of NetRipper.exe

Plugins

1. PlainText - Allows to capture only plain-text data
2. DataLimit - Save only first bytes of requests and responses
3. Stringinder - Find specific string in network traffic

Download NetRipper

Read More

Wifresti - Find your wireless network password from Windows, Linux and Mac OS

Find your wireless network password from Windows , Linux and Mac OS.

Wifresti is a simple Wi-Fi password recovery tool , compatible with Windows , and Unix systems (Linux , Mac OS).

Features

• Recover Wifi password on Windows
• Recover Wifi password on Unix

Requirements

• An operating system (tested on Ubuntu, Windows 10,8,7)
• Python 2.7

Instalation

sudo su
git clone https://github.com/LionSec/wifresti.git && cp wifresti/wifresti.py /usr/bin/wifresti && chmod +x /usr/bin/wifresti
sudo wifresti

Download Wifresti

Read More

SubDomain Analyzer - Get detailed information of a domain

The "SubDomain Analyzer" tool written in Python language. The purpose of "SubDomain Analyzer" getting full detailed information of selected domain. The "SubDomain Analyzer" gets data from domain by following steps:

1. Trying to get the zone tranfer file.
2. Gathers all information from DNS records.
3. Analyzing the DNS records (Analyzing all IP's addresses from DNS records and test class C range from IP address (For example: 127.0.0.1/24) and getting all data that containing the domain being analyzed).
4. Tests subdomains by dictionary attack.

The Subdomain Analyzer can keep new addresses which found on DNS records or IP's analyzer. The Subdomain Analyzer can brings a very qualitative information about the domain being analyzed, additionally, he shows a designed report with all the data.

Examples:

• Analyzing example.com domain: subdomain-analyzer.py example.com
• Analyzing example.com domain, save the records on log file by name log.txt, works with 100 threads and use by another dictionary file by name another-file.txt: subdomain-analyzer.py example.com --output log.txt --threads 100 --sub-domain-list another-file.txt
• Analyzing example.com domain, save the records on log file by name log.txt and append a new sub-domains to sub-domains list file: subdomain-analyzer.py example.com -o log.txt --sub-domain-list

Requirements:

Linux Installation:

1. sudo apt-get install python-dev python-pip
2. sudo pip install -r requirements.txt
3. easy_install prettytable

MacOSx Installation:

1. Install Xcode Command Line Tools (AppStore)
2. sudo easy_install pip, prettytable
3. sudo pip install -r requirements.txt

Windows Installation:

1. Install dnspython
2. Install gevent
3. Install prettytable
4. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
5. pip install -r (Full Path To requirements.txt)
6. easy_install prettytable

Download SubDomain Analyzer

Read More