
Saturday, January 23, 2016

Passive DNS Network Mapper - dnsmap



dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it is especially useful when other domain enumeration techniques such as zone transfers don't work (I rarely see zone transfers being publicly allowed these days by the way). Bear in mind that brute-forcing is an active technique: every candidate name produces a query that reaches the target's authoritative name servers, which is why the tool offers a delay option and why wildcard records need to be detected before results are trusted.




What's new in dnsmap 0.30:

• IPv6 support
• Makefile included
• delay option (-d) added; useful in cases where dnsmap is eating your bandwidth
• ignore IPs option (-i) added; allows user-supplied IPs to be dropped from the results, useful for domains that make dnsmap produce false positives
• changes made to make it compatible with OpenDNS
• disclosure of internal IP addresses (RFC 1918) is reported
• updated built-in wordlist
• included a standalone three-letter acronym (TLA) subdomains wordlist
• domains susceptible to "same-site" scripting (a subdomain that resolves to a loopback address such as 127.0.0.1) are reported
• completion time is now displayed to the user
• mechanism to attempt to brute-force wildcard-enabled domains
• a unique filename containing a timestamp is now created when no output filename is supplied by the user
• various minor bugs fixed


Installation

$ cd /data/src/
$ wget http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz
$ tar xzvf dnsmap-0.30.tar.gz
$ mkdir -p /pentest/enumeration/dns/
$ mv dnsmap-0.30/ /pentest/enumeration/dns/dnsmap/

Compile:

$ cd /pentest/enumeration/dns/dnsmap/
$ gcc -Wall dnsmap.c -o dnsmap

You should now have an executable in your directory.

Then check that it runs without errors:

$ ./dnsmap -h

Usage

Basic syntax

$ ./dnsmap <target-domain> [options]

Options

• -w <wordlist-file>          Input file to use for brute force
• -r <regular-results-file>   Export results in text format
• -c <csv-results-file>       Save results in CSV format
• -d <delay-millisecs>        Maximum delay (in ms) between two DNS lookups (default: 10 ms)
• -i <ips-to-ignore>          Useful if you are obtaining false positives
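The feature list above (wildcard handling, RFC 1918 and "same-site" reporting, -i and -d) is easier to reason about with the logic written out. The following is an added example in Python, not dnsmap's own C code: the resolver is injected as a function so the demo runs offline against a constructed zone (example.test, with made-up addresses), and the wildcard test, the ignore list, the random delay up to a maximum and the internal/loopback flags are the assumptions of this example, modelled on what the changelog describes.

```python
import ipaddress
import random
import string
import time
from typing import Callable, Dict, Iterable, List, Set

# Resolver: FQDN -> list of IP strings, [] when the name does not exist.
Resolver = Callable[[str], List[str]]

# Constructed zone for the demo (example.test is reserved; none of these hosts are real).
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.test":       ["203.0.113.10"],
    "mail.example.test":      ["203.0.113.25"],
    "cdn.example.test":       ["198.51.100.5"],
    "intranet.example.test":  ["10.1.2.3"],     # leaks RFC 1918 address space
    "localhost.example.test": ["127.0.0.1"],    # "same-site" scripting candidate
}

def fake_resolver(name: str) -> List[str]:
    """Stands in for a real lookup (e.g. socket.getaddrinfo) so the demo runs offline."""
    return FAKE_ZONE.get(name, [])

def wildcard_resolver(name: str) -> List[str]:
    """Same zone, but with a wildcard record: every unknown label resolves."""
    return FAKE_ZONE.get(name, ["203.0.113.99"])

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels. If every one of them resolves to the same
    addresses, the domain has a wildcard record and those addresses are noise."""
    common = None
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        ips = set(resolve(f"{label}.{domain}"))
        if not ips:
            return set()          # a random name is NXDOMAIN, so no wildcard
        common = ips if common is None else common & ips
    return common or set()

def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver,
                ignore_ips: Iterable[str] = (), max_delay_ms: int = 0) -> List[dict]:
    """Try <word>.<domain> for every word, drop wildcard and user-ignored
    addresses (the -i idea) and flag internal / loopback results."""
    ignore = set(ignore_ips) | detect_wildcard(domain, resolve)
    findings = []
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ips = [ip for ip in resolve(fqdn) if ip not in ignore]
        if not ips:
            continue
        notes = set()
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback:
                notes.add("same-site-scripting")   # host.example.test -> 127.0.0.1
            elif any(addr in net for net in RFC1918):
                notes.add("internal-ip")
        findings.append({"name": fqdn, "ips": ips, "notes": sorted(notes)})
        if max_delay_ms:  # random pause up to the maximum, the -d idea
            time.sleep(random.uniform(0, max_delay_ms) / 1000)
    return findings

if __name__ == "__main__":
    words = ["www", "mail", "intranet", "localhost", "nope"]
    for finding in brute_force("example.test", words, fake_resolver):
        print(finding)
```

Swapping `fake_resolver` for a function built on `socket.getaddrinfo` turns this into a live (and noisy) scanner; the wildcard probe is what keeps a `*.example.test` record from turning every word in the list into a false positive.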


Admin Page Finder Script




This Python script probes a large list of likely administrative-interface paths on a given site.





TrueCrypt brute-force password cracker - TrueCrack



TrueCrack is a brute-force password cracker for TrueCrypt volume files. It runs on Linux and is optimised for NVIDIA CUDA GPUs.



Algorithms:

• PBKDF2 (PKCS #5 v2.0) with RIPEMD-160 as the underlying HMAC hash is the default header key derivation function (SHA-512 and Whirlpool are also supported, see -k below).
• XTS block cipher mode, as used for hard disk encryption, with AES (Serpent and Twofish are also supported, see -e below).


Attack modes:

• Dictionary attack: reads the passwords from a wordlist file (one password per line).
• Charset attack: generates the passwords from a set of symbols defined by the user (for example, all possible strings of n characters from the charset "abc").
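What the two attack modes actually test per candidate is the header check: derive a key from the password with PBKDF2, XTS-decrypt the 448-byte header area and see whether the result carries the "TRUE" magic and valid CRC32 fields. The following is an added Python example, not TrueCrack's or TrueCrypt's code. It uses the page's -k sha512 variant (1000 iterations) rather than the RIPEMD-160 default because modern OpenSSL builds often leave RIPEMD-160 out of hashlib, it needs the `cryptography` package for AES-XTS, and the header it cracks is constructed in the block with `build_volume_header`, which follows TrueCrypt's documented header layout (64-byte salt, magic at offset 64, key-area CRC at 72, header CRC at 252, master keys at 256) but is a test fixture, not TrueCrypt's own volume creation.

```python
import hashlib
import itertools
import os
import struct
import zlib
from typing import Iterable, Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SALT_LEN = 64              # bytes 0-63 of the volume header are the PBKDF2 salt
ENC_LEN = 448              # bytes 64-511 are the XTS-encrypted header
PBKDF2_ITERATIONS = 1000   # TrueCrypt's count for the SHA-512 KDF (RIPEMD-160 uses 2000)
HEADER_TWEAK = bytes(16)   # the header is XTS data unit 0

def derive_header_key(password: bytes, salt: bytes) -> bytes:
    # 64 bytes: 32-byte AES-256 data key followed by the 32-byte XTS tweak key
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ITERATIONS, dklen=64)

def xts_aes(key: bytes, data: bytes, encrypt: bool) -> bytes:
    cipher = Cipher(algorithms.AES(key), modes.XTS(HEADER_TWEAK))
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(data) + ctx.finalize()

def header_matches(password: bytes, header: bytes) -> bool:
    """The per-candidate check: decrypt the header with the derived key and
    validate the magic plus both CRC32 fields (offsets relative to the start
    of the decrypted area, i.e. volume offset 64)."""
    salt, enc = header[:SALT_LEN], header[SALT_LEN:SALT_LEN + ENC_LEN]
    plain = xts_aes(derive_header_key(password, salt), enc, encrypt=False)
    if plain[:4] != b"TRUE":
        return False                                  # rejects nearly every wrong guess
    key_crc, = struct.unpack(">I", plain[8:12])       # CRC32 of the master key area
    hdr_crc, = struct.unpack(">I", plain[188:192])    # CRC32 of the header fields
    return zlib.crc32(plain[192:]) == key_crc and zlib.crc32(plain[:188]) == hdr_crc

def crack(header: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack when given a wordlist, charset attack when given charset_candidates()."""
    for pw in candidates:
        if header_matches(pw.encode(), header):
            return pw
    return None

def charset_candidates(alphabet: str, minlen: int, maxlen: int) -> Iterable[str]:
    """Every string of minlen..maxlen symbols drawn from alphabet (the -c/-s/-m options)."""
    for n in range(minlen, maxlen + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)

def build_volume_header(password: bytes, master_keys: bytes, salt: Optional[bytes] = None) -> bytes:
    """Test fixture: a 512-byte header in TrueCrypt's layout, so the demo has a target."""
    assert len(master_keys) == 256
    salt = os.urandom(SALT_LEN) if salt is None else salt
    plain = bytearray(ENC_LEN)
    plain[0:4] = b"TRUE"
    struct.pack_into(">H", plain, 4, 5)        # header format version
    struct.pack_into(">H", plain, 6, 0x0700)   # minimum program version
    plain[192:] = master_keys
    struct.pack_into(">I", plain, 8, zlib.crc32(plain[192:]))
    struct.pack_into(">I", plain, 188, zlib.crc32(plain[:188]))
    return salt + xts_aes(derive_header_key(password, salt), bytes(plain), encrypt=True)

if __name__ == "__main__":
    demo = build_volume_header(b"cab", bytes(range(256)))
    print("dictionary:", crack(demo, ["letmein", "hunter2", "cab"]))
    print("charset:   ", crack(demo, charset_candidates("abc", 1, 3)))
```

The cost per candidate is dominated by PBKDF2, which is the point of the GPU port: the check itself is a handful of AES blocks and two CRCs, so throughput scales with how many key derivations you can run in parallel.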


Performance

Execution time of TrueCrack for a dictionary attack (average word length 10 characters):

Passwords   CPU 3.00GHz    GTX650        GTX680
1000        0m 12.031s     0m 3.771s     0m 2.693s
10000       2m 0.421s      0m 15.893s    0m 5.628s
100000      20m 3.811s     2m 20.379s    0m 37.610s


Dictionary attack:

truecrack -t truecrypt_file -w passwords_file [-k ripemd160 | -k sha512 | -k whirlpool] [-e aes | -e serpent | -e twofish] [-a blocks] [-b] [-H] [-r number]


Alphabet attack:

truecrack -t truecrypt_file -c alphabet [-s minlength] -m maxlength [-k ripemd160 | -k sha512 | -k whirlpool] [-e aes | -e serpent | -e twofish] [-a blocks] [-b] [-H] [-r number]


Usage

-h --help Display this information.
-t --truecrypt <truecrypt_file> Truecrypt volume file.
-k --key <ripemd160 | sha512 | whirlpool> Key derivation function (default ripemd160).
-e --encryption <aes | serpent | twofish> Encryption algorithm (default aes).
-a --aggressive <blocks> Number of parallel computations (board dependent).
-w --wordlist <wordlist_file> File of words, for Dictionary attack.
-c --charset <alphabet> Alphabet generator, for Alphabet attack.
-m --maxlength <maxlength> Maximum length of passwords, for Alphabet attack.
-s --startlength <minlength> Starting length of passwords, for Alphabet attack (default 1).
-r --restore <number> Restore the computation.
-b --backup Backup header instead of volume header.
-H --hidden Hidden Truecrypt volume.
-v --verbose Show verbose messages.


How To Install

cd truecrack
./configure
make
sudo make install


How To Configure

./configure
--enable-debug : enable NVIDIA CUDA debug mode [default=no]
--enable-cpu : disable the NVIDIA CUDA GPU path and use the CPU [default=no]
--with-cuda=PATH : prefix where cuda is installed [default=auto]




Automatic Database Dump - sqlcake




What is sqlcake?

• sqlcake is an automatic SQL injection exploitation kit written in Ruby. It is designed for system administration and penetration testing.
• sqlcake offers a few useful functions to gather database information easily through SQL injection.
• sqlcake also allows you to bypass magic quotes, dump tables and columns, and gives you the possibility to run an interactive MySQL shell.
• sqlcake supports UNION and stacked queries for fast processing, and blind injections with logarithmic (binary search) techniques to save time.



Open Source Intelligence - Maltego



What is Maltego?

With the continued growth of your organization, the people and hardware deployed to keep it in working order are essential, yet the threat picture of your "environment" is not always clear or complete. In fact, most often it is not what we know that is harmful; it is what we don't know that causes the most damage. That being stated, how do you develop a clear profile of what the current deployment of your infrastructure looks like? What are the cutting-edge tool platforms designed to offer the granularity needed to understand the complexity of your network, both physical and resource based?

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user unprecedented information. Information is leverage. Information is power. Information is Maltego.





Maltego is a program that can be used to determine the relationships and real-world links between:

• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as:
  • Domains
  • DNS names
  • Netblocks
  • IP addresses
• Phrases
• Affiliations
• Documents and files




What can Maltego do for me?

• Maltego can be used for the information gathering phase of all security-related work. It will save you time and allow you to work more accurately and smarter.
• Maltego aids your thinking process by visually demonstrating interconnected links between searched items.
• Maltego provides you with a much more powerful search, giving you smarter results.
• If access to "hidden" information determines your success, Maltego can help you discover it.

These entities are linked using open source intelligence. Maltego is easy and quick to install: it uses Java, so it runs on Windows, Mac and Linux. The tool provides a graphical interface that makes seeing these relationships instant and accurate, making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily, even if they are three or four degrees of separation away.


Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.




Mobile Terminal Application for Intermittent Connectivity - Mosh


Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes. It is a replacement for SSH that is more robust and responsive, especially over Wi-Fi, cellular, and long-distance links. Mosh is free software, available for GNU/Linux, FreeBSD, and Mac OS X.





It aims to support the typical interactive uses of SSH, plus:

• Mosh keeps the session alive if the client goes to sleep and wakes up later, or temporarily loses its Internet connection.
• Mosh allows the client and server to "roam" and change IP addresses while keeping the connection alive. Unlike SSH, Mosh can be used while switching between Wi-Fi networks or from Wi-Fi to cellular data to wired Ethernet.
• The Mosh client runs a predictive model of the server's behavior in the background and tries to guess intelligently how each keystroke will affect the screen state. When it is confident in its predictions, it shows them to the user while waiting for confirmation from the server. Most typing and uses of the left- and right-arrow keys can be echoed immediately. As a result, Mosh is usable on high-latency links, e.g. on a cellular data connection or spotty Wi-Fi. In distinction from previous attempts at local echo modes in other protocols, Mosh works properly with full-screen applications such as emacs, vi, alpine, and irssi, and automatically recovers from occasional prediction errors within an RTT. On high-latency links, Mosh underlines its predictions while they are outstanding and removes the underline when they are confirmed by the server.


Mosh does not support X forwarding or the non-interactive uses of SSH, including port forwarding.


Other features

• adjusts its frame rate so as not to fill up network queues on slow links, so "Control-C" always works within an RTT to halt a runaway process.
• warns the user when it has not heard from the server in a while.
• supports lossy links that lose a significant fraction of their packets.
• handles some Unicode edge cases better than SSH and existing terminal emulators by themselves, but requires a UTF-8 environment to run.
• leverages SSH to set up the connection and authenticate users. Mosh does not contain any privileged (root) code.

Usage

The mosh-client binary must exist on the user’s machine, and the mosh-server binary on the remote host.

The user runs:

$ mosh [user@]host

If the mosh-client or mosh-server binaries live outside the user’s $PATH, mosh accepts the arguments --client=PATH and --server=PATH to select alternate locations. More options are documented in the mosh(1) manual page.

There are more examples and a FAQ on the Mosh web site.

How it works

The mosh program will SSH to user@host to establish the connection. SSH may prompt the user for a password or use public-key authentication to log in.

From this point, mosh runs the mosh-server process (as the user) on the server machine. The server process listens on a high UDP port and sends its port number and an AES-128 secret key back to the client over SSH. The SSH connection is then shut down and the terminal session begins over UDP.

If the client changes IP addresses, the server will begin sending to the client on the new IP address within a few seconds.


To function, Mosh requires UDP datagrams to be passed between client and server. By default, mosh uses a port number between 60000 and 61000, but the user can select a particular port with the -p option.
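The security property behind roaming is that the server never trusts the client's IP address: the shared key handed over through SSH is the client's identity, and the server simply replies to whatever source address the last authenticated, fresh datagram came from. The following is an added Python sketch of that design, not Mosh's own code: real Mosh encrypts each datagram with AES-128-OCB and runs a state-synchronisation protocol on top, whereas this example uses HMAC-SHA256 over a sequence number and payload as the stand-in for authentication, and a simple "highest sequence number wins" rule for replay rejection. The `MOSH CONNECT <port> <key>` line is the one mosh-server prints over the SSH channel; the key is 16 bytes, base64-encoded without padding.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

Addr = Tuple[str, int]
TAG_LEN = 32  # HMAC-SHA256 tag (stand-in for Mosh's AES-OCB authentication)

def parse_connect_line(line: str) -> Tuple[int, bytes]:
    """Parse 'MOSH CONNECT <port> <key>' as sent back over SSH by mosh-server."""
    parts = line.split()
    if len(parts) != 4 or parts[:2] != ["MOSH", "CONNECT"]:
        raise ValueError("not a MOSH CONNECT line")
    port = int(parts[2])
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    key = base64.b64decode(parts[3] + "=" * (-len(parts[3]) % 4))   # re-add padding
    if len(key) != 16:
        raise ValueError("key must be 128 bits")
    return port, key

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: seq || payload || tag. Anyone can read it, nobody without the key can forge it."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, datagram: bytes) -> Optional[Tuple[int, bytes]]:
    """Server side: constant-time tag check, then split seq and payload."""
    if len(datagram) < 8 + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return struct.unpack(">Q", body[:8])[0], body[8:]

class RoamingServer:
    """Minimal model of the server end: identity is the key, not the source address."""
    def __init__(self, key: bytes):
        self.key = key
        self.peer: Optional[Addr] = None   # where replies currently go
        self.last_seq = -1
        self.received = b""

    def receive(self, datagram: bytes, src: Addr) -> Optional[Addr]:
        """Process one UDP datagram; return the (possibly new) reply address, or None if dropped."""
        parsed = unseal(self.key, datagram)
        if parsed is None:
            return None                    # forged or corrupted: peer address unchanged
        seq, payload = parsed
        if seq <= self.last_seq:
            return None                    # replayed or stale: ignored
        self.last_seq = seq
        self.peer = src                    # roaming: follow the authenticated sender
        self.received += payload
        return self.peer

if __name__ == "__main__":
    key = bytes(range(16))                 # constructed demo key; real one comes over SSH
    port, k = parse_connect_line("MOSH CONNECT 60001 " + base64.b64encode(key).decode().rstrip("="))
    server = RoamingServer(k)
    print(server.receive(seal(k, 1, b"ls"), ("198.51.100.7", 50000)))   # on Wi-Fi
    print(server.receive(seal(k, 2, b"\n"), ("203.0.113.9", 41000)))    # moved to cellular
    print(server.receive(seal(k, 1, b"ls"), ("198.51.100.7", 50000)))   # replay from old address
```

This is also why a firewall in front of a Mosh server only needs to admit the UDP port range; there is no address-based session binding for a middlebox to preserve.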





Joomla Security Scanner - Joomscan



Joomla is one of the most widely used CMSs thanks to its flexibility, user-friendliness and extensibility, so tracking its vulnerabilities and adding them to the Joomla scanner's knowledge base is an ongoing activity. The scanner helps web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No generic web security scanner is dedicated to a single CMS.

The following features are currently available:

• Exact version probing (the scanner can tell whether a target is running version 1.5.12)
• Common Joomla!-based web application firewall detection
• Searching known vulnerabilities of Joomla! and its components
• Reporting to text and HTML output
• Immediate update capability via the scanner or svn



Advantage over a Generic Vulnerability Scanner

• Faster, because it does not fuzz every request like a generic scanner
• Detects the application version where a generic scanner knows nothing
• Detects all published vulnerabilities where a generic scanner cannot

Requirement

• Perl 5.6 or up




Post Exploitation Framework - Intersect




Intersect 2.5 is the second major release in the project line. This release is much different from the previous, in that it gives the user complete control over which features the Intersect script includes and lets them easily import their own features, among other new functionality.

This release focuses mainly on the individual modules(features) and the capability to generate your own customized Intersect scripts. By using the Create.py application, the user is guided through a menu-driven process which allows them to select which modules they would like to include, import their own custom modules and ultimately create an Intersect script that is built around the specific modules they choose.

Modules

A module is simply a specific post-exploitation function. Each individual module itself is not capable of stand-alone execution until it is imported with the Create application and built into a custom script. With Intersect 2.5, there is the arrival of many new modules and some changes to the original features that were included in version 2.0.

The modules are broken down into two categories. The first category, Standard Modules, includes all of the original Intersect 2.0 features and tasks, but separated into individual modules to provide more control over the finalized custom script. For example, the credential gathering feature is now its own module called "creds" and the network information gathering feature is a separate module called "network".

The second category is the Custom modules and includes anything that was not part of Intersect 2.0 and is also where any new, additional or custom modules that the user imports will be stored. While the user can import any module functionality they wish, the Custom modules packaged with Intersect 2.5 focus on post-exploitation automation, remote shell access and various data exfiltration functions.

Creation Process 

The Create.py application is used to generate the actual Intersect script that you will be using on the target system. There is no final Intersect script until you make one!

When you start Create, you will be presented with a series of menus that provide the following features:

• Generate custom Intersect scripts
  • choose as many or as few modules as you want
  • define specific variables (i.e., shell ports and hosts, crypto keys, proxy ports, etc.)
  • view, add or remove modules from the queue
  • view description and information on any given module
• Import custom modules
  • download and import from a URL
  • import from a local directory
• Download Intersect 2.5 updates
  • requires Git to be installed locally
  • useful for bug fixes, new features, etc.
• Various help menus and lots of other commands


You will be asked to give your newly created script a name. Enter the filename, without the Python file extension, when you are prompted. Your final script will be saved in the Scripts directory.



Exploring Android Platform - Mercury



The Heavy Metal That Poisoned the Droid

Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.




A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:

• Download the target application packages
• Extract the application manifests
• Decompile the application into readable source code or byte code representations
• Analyse the application manifests and code
• Write a custom application to test anomalies in the entry points of the applications


This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be simplified and tools provided to automate the repetitive parts, it would enable a security researcher to assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments. This could also be done in less time whilst providing more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow for dynamic interactions with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.

This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some  techniques that could be used by malicious applications with minimal permissions to steal information from devices.


Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

• Use dynamic analysis on Android applications and devices for quicker security assessments
• Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
• Write custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints: activities, broadcast receivers, content providers and services
2. Use a proper shell that lets you explore the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages, with optional search filters for better control
4. Run built-in commands that check attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and play with those that others have found


Mercury does all of this over the network: it does not require ADB.



Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec