SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT


Saturday, January 23, 2016

Exploring Android Platform - Mercury



The Heavy Metal That Poisoned  the Droid

Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.




A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:


ºDownload the target application packages
ºExtract the application manifests
ºDecompile the application into readable source code or byte code representations
ºAnalyse the application manifests and code
ºWrite a custom application to test anomalies in the entry points of the applications

Exploring Android Platform: Mercury documentation


This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be simplified and tools provided to automate the repetitive parts, a security researcher can assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments, in less time and with more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow dynamic interaction with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.

This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some techniques that could be used by malicious applications with minimal permissions to steal information from devices.

Exploring Android Platform

Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

ºUse dynamic analysis on Android applications and devices for quicker security assessments
ºShare publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
ºWrite custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages, with optional search filters for better control
4. Run built-in commands that check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and play with those that others have found


Mercury does all of this over the network: it does not require ADB.




Friday, January 22, 2016

Python Script Searching - Dark D0rk3r




Dark D0rk3r

Dark D0rk3r is a python script that performs dork searching and searches for local file inclusion and SQL injection errors.





SQLi and Web Attack Framework - Enema SQLi





Enema is not auto-hacking software for script kiddies. It is a dynamic tool for professional pentesters.



Enema SQLi Features:

1. Multi-platform.
2. User-friendly graphical interface.
3. Multithreaded.
4. Dump.
5. Customise your queries
6. Create your custom plugins to automate attacks

Supported today:

1. POST, GET, Headers (User-Agent, Cookie, Referer, X-Forwarded-For, Custom Header …)
2. MSSQL >= 2000 and MySQL >= 5.0

Injection methods supported for today:

1. Error based injection.
2. Union based injection (using subquery).
3. Blind (time and boolean based)


SQLi and Web Attack Framework

SQLi and Web Attack Framework: Enema SQLi usage

Latest development version:

 svn checkout http://enema.googlecode.com/svn/trunk/ enema

 svn checkout http://enema-plugins.googlecode.com/svn/trunk/ plugins



Linux Live USB Creator - LiLi



LinuxLive USB Creator is free and open-source software for Windows. It will help you in your journey of discovery with Linux. For you, LiLi creates portable, bootable and virtualized USB sticks running Linux.

LiLi is designed to be used by both beginners and geeks. If you are a beginner, LiLi will let you try Linux for the first time, keeping Windows clean of any modifications. And if you are a geek, LiLi will allow you to test almost any Linux distribution directly from Windows, or just install it from a USB flash drive instead of CDs.


Linux Live USB Creator

Free and Open-source

LinuxLive USB Creator is completely free and open-source software for Windows only. It has been built with simplicity in mind and it can be used by anyone. All you have to do is pick a Linux distribution from the list and give it a try.



No reboot needed

Are you sick of having to reboot your PC to try Linux? No need with LinuxLive USB Creator. It has a built-in virtualization feature that lets you run your Linux within Windows just out of the box!


Supports many Linux distributions

Wow! Did you see that never-ending list? They are almost all there: Ubuntu, Fedora, Debian, OpenSUSE, Mint, Slax, CentOS, ArchLinux, Gentoo, PCLinuxOS, Sabayon, BackTrack, Puppy Linux



Persistence

Having a Live USB key is better than just using a Live CD because you can even save your data and install software. This feature is called persistence (available only on selected Linux distributions).
Read the FAQ for more information.


SmartClean & SmartDownload

SmartClean uninstalls properly any previous Live USB installations and SmartDownload lets you download any supported Linux in 2 clicks automatically selecting the best mirror to download from.
SmartClean also lets you clean your USB key in 1 click.


And a lot more !

ºIntelligent processing: LiLi works with many Linux distributions, even if they are not officially supported
ºHidden installation: LiLi hides the Linux installation, your USB key stays clean
ºFile integrity: tells you if your ISO is corrupted
ºKeeps your data on your USB device (formats only if needed)
ºIntelligent formatting: can format disks bigger than 32 GB
ºAuto-update: automatic updates when new Linux distributions are available
ºAlso works with .IMG files (experimental)





Backup and Recovery - ReDo




First and foremost, Redo Backup & Recovery is free. Based on xPUD and partclone, this open source tool not only works with Windows but also supports Linux. Then, contrary to what most popular backup and recovery programs do, Redo provides a bare-metal restore, meaning that even if your hard drive melts, you can have an up and running system (on a new hard drive, of course) in no longer than 10 minutes.

Redo is a disaster recovery tool, hence it works outside of any OS environment. The downloaded package comes as an ISO file which you can easily burn to a CD-ROM or USB drive, and Redo’s GUI will boot in less than a minute. There are no installation requirements, and it can automatically find local network shares as well. You also get a healthy choice of which language to use.




The team behind Redo Backup can’t argue that their tool is the most comprehensive on the market, but they can argue that it’s the easiest to use. Boot up with a Live CD or Live USB copy of Redo Backup and you’re only a few clicks away from backing up your system—or restoring it if your hard drive went to the great data center in the sky.

You can easily copy your files to a local drive, but where Redo Backup really shines is support for network shares. When you run Redo Backup it seeks out available shared folders on your network so you can use them for remote backup of individual files or an entire disk image. Redo Backup also includes a web browser so you can access the web to download drivers and troubleshoot your computer problems. It’s a great backup and disk recovery solution, especially if you’d like to skip learning arcane commands or keeping a bulky manual on hand.

Easy rescue system with GUI tools for full system backup, bare metal recovery, partition editing, recovering deleted files, data protection, web browsing, and more. Uses partclone (like Clonezilla) with a UI like Ghost or Acronis. Runs from CD/USB.

All your documents and settings will be restored to the exact same state they were in when the last snapshot was taken. Redo Backup and Recovery is a live CD, so it does not matter if you use Windows or Linux. You can use the same tool to backup and restore every machine. And because it is open source released under the GPL, it is completely free for personal and commercial use.

More Features, Less Complex

Redo Backup has the most features coupled with the simplest, most user-friendly interface:

ºEasy graphical user interface boots from CD in less than a minute
ºNo installation needed; runs from a CD-ROM or a USB stick
ºSaves and restores Windows and Linux machines
ºAutomatically finds local network shares
ºAccess your files even if you can’t log in
ºRecover deleted pictures, documents, and other files
ºInternet access with a full-featured browser to download drivers
ºLive CD download size is only about 250MB
ºOver 750,000 downloads





Yet Another Man in The Middle Automation Script - Yamas



Yamas is a tool that aims at facilitating MITM attacks by automating the whole process, from setting up IP forwarding and modifying iptables to the ARP cache poisoning (using either ettercap or arpspoof).





Yet Another Man in The Middle Automation Script


The traffic is stripped of SSL with the famous sslstrip 0.9. While any MITM script does that, Yamas has a unique and appreciated feature: it parses the logs as the attack keeps running, so that credentials are displayed just as they are sniffed. The parsing method is a home-made 100% pure bash script that, so far, has never missed anything. And if it did, just report it to me and I’ll update the file used to parse the logs. This update is independent from the whole update process, making it a very flexible parser.



Wi-Fi network scanner - inSSIDer



The free inSSIDer software utility for Windows, iOS, and Android is one of the most useful and easy-to-interpret wireless networking tools I’ve encountered. inSSIDer displays information about the wireless networks in proximity to you, including an access point’s MAC address, encryption type, signal strength, and channel. inSSIDer is a great tool for wireless networking novices, because it has an easy-to-understand interface and includes an abundance of help and tutorials. Experienced Wi-Fi professionals may find the software a bit too light and might be more interested in a more robust program such as WiFiBuilder or Wireshark. But home power users looking to tweak their networks and those managing smaller business Wi-Fi networks would benefit by getting acquainted with inSSIDer.




What’s great about inSSIDer is that you can use it for several real-world purposes on your wireless network. For instance, say you are trying to find the best location to place an access point or router. Position the device and then fire up inSSIDer to see what signal strength the software reports. This is really useful if you are trying to set up a Wi-Fi network in a place with lots of thick walls, glass or mirrors, or multiple levels.

You can also use inSSIDer to tweak your wireless channel. In the U.S., there are 11 Wi-Fi channels. The channels recommended for access points are 1, 6, and 11, because they don’t overlap. So if you see many wireless networks in your area using channel 11, for example, you can use inSSIDer to decide to move your access point or router to channel 6 to improve performance.


Yes, it may be lightweight for those who deploy wireless networks professionally. But anyone managing a home or small business wireless network will certainly benefit from the information inSSIDer provides. It earns a 4.5 out of 5 star rating and is easily a PCMag Editors’ Choice for networking utilities.




Open Source MySQL Injection - sqlsus




sqlsus is an open source MySQL injection and takeover tool, written in Perl.

Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more… Whenever relevant, sqlsus will mimic a MySQL console output.

sqlsus focuses on speed and efficiency, optimising the available injection space and making the best use (I can think of) of MySQL functions. It uses stacked subqueries and a powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection. If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point and taking over the web server. It uses SQLite as a backend, for easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying and HTTPS.

Requirements

sqlsus has been designed to work on Linux. If it works on other platforms, that’s good.
If it doesn’t work on your platform, well.. grab a Linux box.
You will need the following Perl modules:

ºLWP::UserAgent
ºDBD::SQLite
ºHTML::LinkExtractor
ºLWP::Protocol::socks (for socks proxy support)

And a proper Term::ReadLine package is definitely recommended (yet not mandatory)

You will probably also want to install sqlite3, the command line interface for SQLite 3.

Or, if you are on a Debian system:

apt-get install libwww-perl libdbd-sqlite3-perl libhtml-linkextractor-perl libterm-readline-gnu-perl liblwp-protocol-socks-perl sqlite3


It also requires previous SQL injection knowledge, and.. well.. a brain helps.



Open Source MySQL Injection:

ºBoth quoted and numeric injections are supported.
ºDatabase names, table names, column names, count(*) per table, privileges… On MySQL > 5, the database structure can be grabbed in one command from within sqlsus.
ºDiscovery of the exact injection space, going through all possible restrictions (web server, suhosin patch…), to inject as much as possible at once.
ºAll quoted text can be translated to its hex equivalent to bypass any quote filtering (eg: magic_quotes_gpc); for example, “sqlsus” becomes 0x73716c737573.
ºsqlsus also supports these types of injection:
  inband (UNION with stacked subqueries): the result of the request will be in the HTML returned by the web server
  blind (boolean-based or time-based): when you can’t see the result of the request directly
ºSupport for GET and POST parameter injection vectors.
ºSupport for HTTP proxy and HTTP simple authentication.
ºSupport for HTTPS.
ºSupport for socks proxy.
ºSupport for cookies.
ºSupport for binary data retrieval.
ºFull SQLite backend, storing queries / results as they come, database structure and key variables. This allows you to recall a command and its cached answer, even in a later re-use of the session.
ºPossibility to clone a database / table / column into a local SQLite database, and continue over different sessions.
ºIf you can’t access the information_schema database, or if it doesn’t exist, sqlsus will help you brute-force the names of the tables and columns.
ºPossibility to change the current database and still use all the commands transparently.
ºAuto-detection of the length restriction in place, be it the web server or the layer above (eg: suhosin).
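From the defender's side, the hex-literal trick listed above (quoted text sent as 0x… so that quote filters never see a quote) leaves a recognisable trace in web server logs. The Python below is an added detection example, not sqlsus code: it decodes 0x… literals in the request line of constructed access-log entries and flags those that decode to readable text next to SQL keywords, while leaving an opaque token such as a tracking id alone.

```python
import re
from urllib.parse import unquote_plus

# A MySQL hex literal as used above: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2}){2,})\b")
# Keywords that, next to decoded hex strings, distinguish injection from an opaque token.
SQL_HINTS = re.compile(r"\b(union|select|concat|information_schema|into\s+outfile)\b", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT) (\S+)')

# Constructed access-log lines (not real traffic); the middle one carries the strings
# "sqlsus" and "information_schema" hex-encoded in place of quoted text.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2016:10:01:02 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512
10.0.0.7 - - [23/Jan/2016:10:01:09 +0000] "GET /item.php?id=3+UNION+SELECT+0x73716c737573,0x696e666f726d6174696f6e5f736368656d61 HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jan/2016:10:02:15 +0000] "GET /download?ref=0xDEADBEEF HTTP/1.1" 200 128
"""

def decode_hex_literals(text):
    """Return (literal, decoded) pairs; decoded is None unless the bytes are printable ASCII."""
    pairs = []
    for m in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(m.group(1))
        printable = all(32 <= b < 127 for b in raw)
        pairs.append((m.group(0), raw.decode("ascii") if printable else None))
    return pairs

def analyse_request(line):
    """Score one log line: a hex literal that decodes to readable text, sitting beside
    SQL keywords, matches the quote-filter bypass; a lone opaque token (0xDEADBEEF) does not."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    target = unquote_plus(m.group(1))   # '+' and %XX back to the text the server parsed
    decoded = [d for _, d in decode_hex_literals(target) if d is not None]
    return {
        "target": target,
        "decoded": decoded,
        "suspicious": bool(decoded) and SQL_HINTS.search(target) is not None,
    }

def suspicious_requests(log_text):
    """Reduce a whole log to the lines worth an analyst's attention."""
    return [r for r in map(analyse_request, log_text.splitlines()) if r and r["suspicious"]]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["target"], "->", hit["decoded"])
```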

Inband

If your query is likely to return more than one row, sqlsus will use as many subqueries as it can at a time (per query), staying under a configurable limit. Therefore, it can grab up to thousands of records in just 1 server hit (depending on the available injection space) (cf inband demo). Once you have found an inband injection, you need to find the correct number of columns for UNION. sqlsus will do the job for you, identifying the needed number of columns and which of them are suitable for injection. To speed things up, multithreading (actually, multiple processes (fork)) can be used.

Blind

Blind injection is supported, using conditional responses, and multithreading (actually, again, multiple processes (fork)).

The engine has been optimised for speed and server hits:

ºkeep all the threads busy with small relevant tasks.
ºmatch each item against a few regular expressions, prior to brute-forcing, to determine the character space to use, greatly reducing the number of hits required.

Takeover


If the database user has the FILE privilege, and if you can use quotes in your injection (mandatory for a SELECT INTO OUTFILE), then sqlsus will help you place a PHP backdoor on the remote system, recursively looking for writable directories.

You can use download <file> from the sqlsus shell to download an arbitrary (world-readable) file from the remote server. The file will be stored in the local filesystem, rebuilding the path tree to the file in the data directory.

sqlsus has the ability to crawl the website at a configurable depth, looking for all the directories it can find via hypertext links, img links, etc. Then it tries to upload a tiny PHP uploader to each candidate directory until it finds one that is world-writable, later used to upload the backdoor itself. All sqlsus needs (besides what has been said above) is the document_root used server side. You can find it by downloading/reading the relevant files on the web server.

It ships with a PHP backdoor you can upload and a controller, to help you execute system commands, PHP commands, and SQL queries as if you were sitting on a normal direct MySQL connection.



Wednesday, January 20, 2016

Extreme GPU - Bruteforcer


Extreme GPU Bruteforcer is a professional solution for the recovery of passwords from hashes using GPUs. The software supports hashes of the following types: MySQL, MySQL5, DES(Unix), MD4, MD5, MD5(Unix), MD5(APR), MD5(phpBB3), MD5(WordPress), LM, NTLM, SHA-1 and many others.

On modern graphics cards from NVIDIA that support the CUDA technology, the software demonstrates outstanding operation speed. For example, an average attack speed on NVIDIA GTS250 is 420 million passwords per second for MD5 hashes, 700 million passwords per second for MySQL hashes and 550 million passwords per second for NTLM hashes.





Extreme GPU Bruteforcer Features: 

ºSupports over 300 hashing algorithms.
ºContains over 50 additional utilities for handling hashes, passwords, and dictionaries.
ºUnlimited loadable hashes, dictionaries, rules, and masks.
ºMultithreading.
º64 bits.
ºMaximum optimization for working with large hash lists.
ºMaximum optimization for working with dictionaries.
ºOptimization for newest CPU.
ºHashing modules as stand-alone DLL files.
ºConvenient control over operation using command files.
ºHEX user names and salts.
ºRecovery of Unicode passwords.
ºAnd much more.


The solution implements several unique attacks, including mask and dictionary attacks, which allow recovering even the strongest passwords incredibly fast. Utilizing the power of multiple graphics cards running simultaneously (up to 32 GPUs are supported), the software reaches search speeds of billions of passwords per second.


The number of salted hashes the software can handle simultaneously: 800; the number of unsalted hashes: unlimited.



Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community