ZAP 2.4.2 - Penetration Testing Tool for Testing Web Applications

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Release 2.4.2

The following changes were made in this release:

Enhancements:

• Issue 1306 : Java PermSize command line flag removed in Java 8
• Issue 1593 : Auto-scroll in Spider tab
• Issue 1600 : Dont report X-Frame-Options alert on 403 and 404 pages
• Issue 1654 : httpSessions/createEmptySession should initialize a site that was not previously visited
• Issue 1702 : Add "recurse" option to the spider API
• Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
• Issue 1766 : Remove context via the API
• Issue 1768 : Update to use a more recent user-agent
• Issue 1778 : Passive scan AJAX spider requests
• Issue 1790 : Move Buffer Overflow Scanner from Beta to Release
• Issue 1793 : Allow active scan scripts to check if the scan was stopped
• Issue 1795 : Allow JVM options to be configured via GUI
• Issue 1799 : Minor Feature Request: Allow URL to be pasted into start Spider dialog.
• Issue 1802 : Minor Enhancement: Change active Pause Button to a Play button
• Issue 1849 : Option to merge related issues in reports
• Issue 1857 : Libraries that were updated
• Issue 1865 : Increase maximum db size

Bug fixes:

• Issue 1760 : Unable to initialize home directory! xml/config.xml (No such file or directory)
• Issue 1763 : Automatic check for updates fails to report new versions
• Issue 1770 : Exceptions when calling (some) context API actions in daemon mode
• Issue 1771 : For OSX the zap.sh in the core download hard-codes the relative java location
• Issue 1772 : On OS X, Found Java version lies
• Issue 1777 : "Cannot locate configuration source null.policy" after opening "Active Scan" dialogue
• Issue 1781 : ZAP errors with "Unsupported option '-psn_x_xxxxxxx'" on OS X
• Issue 1784 : NullPointerException when active scanning through the API with a target without scheme
• Issue 1785 : Plugin enabled even if dependencies are not, "hangs" active scan
• Issue 1787 : Context not used by the Spider even if selected
• Issue 1788 : Scan Progress Pane Needs Sorting Change
• Issue 1789 : Forced Browse/AJAX Spider messages not restored to Sites tab
• Issue 1792 : Report not generated in daemon mode
• Issue 1798 : Stop Attack Feature Locks up ZAP?
• Issue 1804 : Disable processing of XML external entities by default
• Issue 1805 : ZAP API might not return the response in requested format on errors
• Issue 1858 : Spider might report wrong progress after finishing
• Issue 1872 : EDT accessed in daemon mode

Download ZAP 2.4.2

Read More

Wfuzz - The Web Application Bruteforcer

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

Some features

• Multiple Injection points capability with multiple dictionaries
• Recursion (When doing directory bruteforce)
• Post, headers and authentication data brute forcing
• Output to HTML
• Colored output
• Hide results by return code, word numbers, line numbers, regex.
• Cookies fuzzing
• Multi threading
• Proxy support
• SOCK support
• Time delays between requests
• Authentication support (NTLM, Basic)
• All parameters bruteforcing (POST and GET)
• Multiple encoders per payload
• Payload combinations with iterators
• Baseline request (to filter results against)
• Brute force HTTP methods
• Multiple proxy support (each request through a different proxy)
• HEAD scan (faster for resource discovery)
• Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more.i (Many dictionaries are from Darkraver's Dirb, www.open-labs.org)

Payloads

• File
• List
• hexrand
• range
• names
• hexrange

Encodings

• random_uppercase
• urlencode
• binary_ascii
• base64
• double_nibble_hex
• uri_hex
• sha1
• md5
• double_urlencode
• utf8
• utf8_binary
• html
• html decimal
• custom
• many more...

Iterators

• Product
• Zip
• Chain

Download Wfuzz

Read More

Sn1per - Automated Pentest Recon Scanner

Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

Features

• Automatically collects basic recon (ie. whois, ping, DNS, etc.)
• Automatically launches Google hacking queries against a target domain
• Automatically enumerates open ports
• Automatically brute forces sub-domains and DNS info
• Automatically runs targeted nmap scripts against open ports
• Automatically scans all web applications for common vulnerabilities
• Automatically brute forces all open services

Install

chmod +x install.sh
./install.sh

Installs all dependencies. Best run from Kali Linux.

Usage

./sn1per

SAMPLE REPORT:

https://gist.githubusercontent.com/1N3/070d14c364e5f23bfe5e/raw/8e152e740ba50cd49bb3366ec91cf7d08ca02715/Sn1per%2520Sample%2520Report

Download Sn1per

Read More

Droopescan - Scanner to identify issues with several CMSs, mainly Drupal & Silverstripe

A plugin-based scanner that aids security researchers in identifying issues with several CMS:

• Drupal.
• SilverStripe.

Partial functionality for:

• Wordpress.
• Joomla.

computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)

You can get a full list of options by running:

droopescan --help
droopescan scan --help

Why not X?

Because droopescan:

• is fast
• is stable
• is up to date
• allows simultaneous scanning of multiple sites
• is 100% python

Installation

Installation is easy using pip:

apt-get install python-pip
pip install droopescan

Manual installation is as follows:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
droopescan scan --help

The master branch corresponds to the latest release (what is in pypi). Development branch is unstable and all pull requests must be made against it. More notes regarding installation can be found here.

Features

Scan types.

Droopescan aims to be the most accurate by default, while not overloading the target server due to excessive concurrent requests. Due to this, by default, a large number of requests will be made with four threads; change these settings by using the --number and --threads arguments respectively.

This tool is able to perform four kinds of tests. By default all tests are ran, but you can specify one of the following with the -e or --enumerate flag:

• p -- Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
• t -- Theme checks: As above, but for themes.
• v -- Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
• i -- Interesting url checks: Checks for interesting urls (admin panels, readme files, etc.)

More notes regarding scanning can be found here.

Target specification

You can specify a particular host to scan by passing the -u or --urlparameter:

    droopescan scan drupal -u example.org

You can also omit the drupal argument. This will trigger “CMS identification”, like so:

    droopescan scan -u example.org

Multiple URLs may be scanned utilising the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.

    droopescan scan drupal -U list_of_urls.txt

The drupal parameter may also be ommited in this example. For each site, it will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation's sites.

    droopescan scan -U list_of_urls.txt

The code block below contains an example list of URLs, one per line:

http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

A file containing URLs and a value to override the default host header with separated by tabs or spaces is also OK for URL files. This can be handy when conducting a scan through a large range of hosts and you want to prevent unnecessary DNS queries. To clarify, an example below:

192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/  example.org

It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for wordpress), but the official sites rarely run vainilla installations of their respective CMS or do unorthodox things. For example, wordpress.org runs the bleeding edge version of wordpress, which will not be identified as wordpress by droopescan at all because the checksums do not match any known wordpress version.

Authentication

The application fully supports .netrc files and http_proxy environment variables.

You can set the http_proxy and https_proxy variables. These allow you to set a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp)

export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal

Another option is to use a .netrc file for basic authentication. An example ~/.netrc file could look as follows:

machine secret.google.com
    login admin@google.com
    password Winter01

WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates. ˙ ͜ʟ˙

Output

This application supports both "standard output", meant for human consumption, or JSON, which is more suitable for machine consumption. This output is stable between major versions.
This can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):

{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

Some attributes might be missing from the JSON object if parts of the scan are not ran.
This is how multi-site output looks like; each line contains a valid JSON object as shown above.

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

Download Droopescan

Read More

Discover - Custom bash scripts used to automate various pentesting tasks

For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.

Download, setup & usage

• git clone git://github.com/leebaird/discover.git /opt/discover/
• All scripts must be ran from this location.
• cd /opt/discover/
• ./setup.sh
• ./discover.sh

RECON
1.  Domain
2.  Person
3.  Parse salesforce

SCANNING
4.  Generate target list
5.  CIDR
6.  List
7.  IP or domain

WEB
8.  Open multiple tabs in Iceweasel
9.  Nikto
10. SSL

MISC
11. Crack WiFi
12. Parse XML
13. Start a Metasploit listener
14. Update
15. Exit

RECON

Domain

RECON

1.  Passive
2.  Active
3.  Previous menu

• Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple webistes.
• Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.

Person

RECON

First name:
Last name:

• Combines info from multiple websites.

Parse salesforce

Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.

Enter the location of your list: 

• Gather names and positions into a clean list.

SCANNING

Generate target list

SCANNING

1.  Local area network
2.  NetBIOS
3.  netdiscover
4.  Ping sweep
5.  Previous menu

• Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

CIDR, List, IP or domain

Type of scan: 

1.  External
2.  Internal
3.  Previous menu

• External scan will set the nmap source port to 53 and the max-rrt-timeout to 1500ms.
• Internal scan will set the nmap source port to 88 and the max-rrt-timeout to 500ms.
• Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
• Matching nmap scripts are used for additional enumeration.
• Matching Metasploit auxiliary modules are also leveraged.

WEB

Open multiple tabs in Icewease

Open multiple tabs in Iceweasel with:

1.  List
2.  Directories from a domain's robot.txt.
3.  Previous menu

• Use a list containing IPs and/or URLs.
• Use wget to pull a domain's robot.txt file, then open all of the directories.

Nikto

Run multiple instances of Nikto in parallel.

1.  List of IPs.
2.  List of IP:port.
3.  Previous menu

SSL

Check for SSL certificate issues.

Enter the location of your list: 

• Use sslscan and sslyze to check for SSL/TLS certificate issues.

MISC

Crack WiFi

• Crack wireless networks.

Parse XML

Parse XML to CSV.

1.  Burp (Base64)
2.  Nessus
3.  Nexpose
4.  Nmap
5.  Qualys
6.  Previous menu

Start a Metasploit listener

• Setup a multi/handler with a windows/meterpreter/reverse_tcp payload on port 443.

Update

• Use to update Kali Linux, Discover scripts, various tools and the locate database.

Download Discover

Read More

SparkyLinux - Lightweight & fast Debian-based Linux Distribution

SparkyLinux is a GNU/Linux distribution created on the “testing” branch of Debian. It features customized lightweight desktops (like E19, LXDE and Openbox), multimedia plugins, selected sets of apps and own custom tools to ease different tasks.

Why Sparky?

SparkyLinux is a Debian-based Linux distribution which provides ready to use, out of the box operating system with a set of slightly customized lightweight desktops.

Sparky is targeted to all the computer’s users who want replace existing, proprietary driven OS to open-sourced.

Sparky is also targeted to two different groups of users:

• Full Editions – with all the tools, codecs, plugins and drivers preinstalled – to the users who want to have everything ready and works from the first system’s run
• Base Editions – with minimal set of tools – to advanced users who like to set up everything as they want

Main features of Sparky

• Debian testing based
• rolling release
• lightweight, fast & simple
• set of desktops to choose: LXDE, Enlightenment, JWM, KDE, LXQt, Openbox, MATE, Xfce
• ultra light base edition with Openbox or JWM desktops
• special gaming edition: GameOver
• CLI Edition (no X) for building customized desktop
• most wireless and mobile network cards supported
• set of selected applications, multimedia codecs and plugins
• own repository with a large set of additional applications
• easy hard drive / USB installation

In general, Sparky is not targeted to Linux beginners, rather to users with some amount of Linux knowledge.

Anyway, the Linux beginners are welcome too – our forums is open for any question.

Download SparkyLinux

Read More

Burp Suite Professional 1.6.26 - The Leading Toolkit for Web Application Security Testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

 Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Burp Suite contains the following key components:

• An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
• An application-aware Spider, for crawling content and functionality.
• An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
• An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
• A Repeater tool, for manipulating and resending individual requests.
• A Sequencer tool, for testing the randomness of session tokens.
• The ability to save your work and resume working later.
• Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Release Notes v1.6.26

This release adds the ability to detect blind server-side XML/SOAP injection by triggering interactions with Burp Collaborator.

Previously, Burp Scanner has detected XML/SOAP injection by submitting some XML-breaking syntax like:

]]>>

and analyzing responses for any resulting error messages.

Burp now sends payloads like:

<nzf xmlns="http://a.b/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">
nzf</nzf>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

Note that this type of technique is effective even when the original parameter value does not contain XML, and there is no indication within the request or response that XML/SOAP is being used on the server side.

The new scan check uses both schema location and XInclude to cause the server-side XML parser to interact with the Collaborator server.

In addition, when the original parameter value does contain XML being submitted by the client, Burp now also uses the schema location and XInclude techniques to try to induce external service interactions. (We believe that Burp is now aware of all available tricks for inducing a server-side XML parser to interact with an external network service. But we would be very happy to hear of any others that people know about.)

Download Burp Suite Professional 1.6.26

Read More

Sonar.js - Framework for identifying and launching exploits against internal network hosts

A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

How does it work?

Upon loading the sonar.js payload in a modern web browser the following will happen:

• sonar.js will use WebRTC to enumerate what internal IPs the user loading the payload has.
• sonar.js then attempts to find live hosts on the internal network via WebSockets.
• If a live host is found, sonar.js begins to attempt to fingerprint the host by linking to it via <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
• If the user changes networks, sonar.js starts the process all over again on the newly joined network.

Fingerprints

sonar.js works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

• name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
• fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
• callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.

By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar.js. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension

What can be done using sonar.js?

By using sonar.js a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a hosts internal network.

Download Sonar.js

Read More

AutoBrowser - Create Report and Screenshots of HTTP/s Based Ports on the Network

AutoBrowser is a tool written in python for penetration testers. The purpose of this tool is to create report and screenshots of http/s based ports on the network. It analyze Nmap Report or scan with Nmap, Check the results with http/s request on each host using headless web browser, Grab a screenshot of the response page content.

• This tool is designed for IT professionals to perform penetration testing to scan and analyze NMAP results.

Proof of concept video (From version: 2.0)

Examples

Delimiting the values on the CLI arguments it must be by double quotes only!

• Get the argument details of scan method: python AutoBrowser.py scan --help
• Scan with Nmap and Checks the results and create folder by name project_name: python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name
• Get the argument details of analyze method:python AutoBrowser.py analyze --help
• Analyzing Nmap XML report and create folder by name report_analyze: python AutoBrowser.py analyze nmap_file.xml --project report_analyze

Requirements:

Linux Installation:

1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
2. sudo pip install -r requirements.txt

MacOSx Installation:

1. Install Xcode Command Line Tools (AppStore)
2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
3. brew install pyqt nmap
4. sudo easy_install pip
5. sudo pip install -r requirements.txt

Windows Installation:

1. Install setuptools
2. Install pip
3. Install PyQt4
4. install Nmap
5. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
6. pip install -r (Full Path To requirements.txt)

Download AutoBrowser

Read More