SQL Injection Fuzzer - sqlifuzzer

sqlifuzzer is a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.

Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.

SQL Injection Fuzzer Features:

ºPayloads/tests for numeric, string, error and time-based SQL injection
ºSupport for MSSQL, MYSQL and Oracle DBMS’s
ºA range of filter evasion options:
case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
ºORDER BY and UNION SELECT tests on vulnerable parameters to:
ºenumerate select query column numbers
ºidentify data-type string columns in select queries
ºextract database schema and configuration information
ºConditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
ºTime delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
ºBoolean response-based XPath injection testing and data extraction
ºSupport for automated detection and testing of parameters in POST URIs and multipart forms
ºScan ‘state’ maintenance:
ºHalt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
ºSpecify a specific request number to resume a scan from
ºOptional exclusion of a customizable list of parameters from scanning scope
ºTracking of parameters scanned and avoidance of re-scanning scanned parameters
ºHTML format output with:
ºlinks/buttons to send Proof of Concept SQL injection requests
ºlinks to response difference files and to extracted data


 What do I need to use sqlifuzzer?

sqlifuzzer is built and tested on BackTrack. On all other platforms Your Mileage May Vary; you will need a an OS that can support bash (*nix, cygwin (not tested), etc), curl must be installed and in your path, and ‘replace’ (which is missing from Ubuntu) must also be installed in in your path. Until I implement web spider functionality, sqlifuzzer is dependent upon burp proxy to create log files (not burp state files) which sqlifuzzer uses to build its internal list of fuzz requests. The free version of burp can be used to create these log files. Within Burp go to options > misc and check the proxy requests tick box; browse the target site, populate your log, then pass it to sqlifuzzer.

How does sqlifuzzer work?

sqlifuzzer receives a burp log (which you must create for it) that specifies a bunch of HTTP requests. Requests in the burp log look like this:

======================================================
3:09:54 PM  http://192.168.182.136:80
======================================================
POST /orangehrm/menu.php?TEST=1111 HTTP/1.1
Host: 192.168.182.136
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.182.136/orangehrm/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Cookie: PHPSESSID=bf7u0ad95cbubpcvdjda2bqro3; Loggedin=True; EliteNinja=False

module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
======================================================

sqlifuzzer converts these into it’s own format; a list of all the requests like this:


GET /orangehrm/menu.php?TEST=1111
POST /orangehrm/menu.php?TEST=1111??module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
GET /orangehrm/index.php?module=Contacts&action=index&return_module=Contacts&return_action=DetailView&&print=true
GET /orangehrm/index.php?module=Home&menu_no=0&menu_no_top=home&submenutop=home1


Next, sqlifuzzer looks at what payload types have been specified, and concatenates the relevant files to create a payload list. The list of requests and the payload list are then passed into the main scanning loop. The loop sends a ‘clean’ reference request (by calling out to curl), then, for the first line in the request list, the loop selects the first parameter and replaces this with the first payload and sends the fuzzed request (again via curl). The two responses are then compared; specifically, the response length and the duration of the responses are compared, the response HTTP status codes are examined, and the responses are searched for some common error strings. If anything ‘juicy’ is found, URL and payload information is logged to an output file and printed to the screen. The loop iterates through all payloads before moving on to the next parameter, and so on for each request.

Why was sqlifuzzer created?


Ever wanted to hit every dynamic parameter of a web app with a single quote? That’s how sqlifuzzer started out. At first, it just compared the response lengths. Then I added the ability to iterate over a list of payloads. Then came POST requests, URL encoding, time delay diffing, searching for common error messages, logging, sessions, the ability to define parameters NOT to scan, method swapping, null byte prefixes, POST URIs, DBMS fingerprinting, data extraction, conditional testing, filter evasion options, boolean response-based XPath injection detection and data extraction and support for multipart forms.

Download sqlifuzzer

Read More

Open Source Web Server Scanner - NIkto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.


Open Source Web Server Scanner

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Open Source Web Server Scanner: NIkto documentation Open Source Web Server Scanner Open Source Web Server Scanner



Features

Here are some of the major features of Nikto.

ºSSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
Perl/NetSSL)
ºFull HTTP proxy support
ºChecks for outdated server componentsOpen Source Web Server Scanner: NIkto Open ºSource Web Server Scanner Open Source Web Server Scanner
ºSave reports in plain text, XML, HTML, NBE or CSV
ºTemplate engine to easily customize reports
ºScan multiple ports on a server, or multiple servers via input file (including nmap output)
ºLibWhisker‘s IDS encoding techniques
ºEasily updated via command line
ºIdentifies installed software via headers, favicons and files
ºHost authentication with Basic and NTLM
ºSubdomain guessing
ºApache and cgiwrap username enumeration
ºMutation techniques to “fish” for content on web servers
ºScan tuning to include or exclude entire classes of vulnerability
ºchecks
ºGuess credentials for authorization realms (including many default id/pw combos)
ºAuthorization guessing handles any directory, not just the root
directory
ºEnhanced false positive reduction via multiple methods: headers,
page content, and content hashing
ºReports “unusual” headers seen
ºInteractive status, pause and changes to verbosity settings
ºSave full request/response for positive tests
ºReplay saved positive requests
ºMaximum execution time per target
ºAuto-pause at a specified time
ºChecks for common “parking” sites
ºLogging to Metasploit
ºThorough documentation

Download NIkto

Read More

Pentesting VoIP Systems - VIPER VAST 3

Pentesting VoIP Systems: VIPER VAST 3

VAST is a Linux-based security distribution specifically designed for pentesting VoIP and UC networks.

It enables security professionals and UC administrators to rapidly perform VoIP security assessments and enumerate vulnerabilities in IP Phones or IP PBX servers in a lab environment. With VAST, a security consultant has every tool necessary to carry out a successful onsite or remote penetration test or vulnerability assessment against a UC network. VAST is built on Mint Linux 13 and includes all of the open source VIPER Lab tools, in addition to some other network pentest tools.

VAST can be downloaded in .ISO format and VMWare guest image.

Download VIPER VAST 3

Read More

EncFS and TrueCrypt for Android - Cryptonite

Cryptonite brings EncFS and TrueCrypt to Android. You can browse, export and open EncFS-encrypted directories and files on your Dropbox and on your phone. On rooted phones that support FUSE (e.g. CyanogenMod) you can also mount EncFS and TrueCrypt volumes. TrueCrypt is only available as a command-line version at this time.

EncFS and TrueCrypt for Android

Cryptonite is an Android app that brings the FUSE based cryptographic filesystem EncFS and TrueCrypt to Android, you can link it to your Dropbox account with a single tap, after that you will be able to read and write on Dropbox EncFS volumes, exporting, viewing or uploading new files. Dropbox claims to keep data already encrypted in their servers but if anyone finds out your password account they will be able to read the files, encrypting them with Cryptonite you are placing a second security layer on top and block Dropbox built-in backdoor to your data.


To access your files offline sync them to a local folder with an app providing online storage synchronization, e.g. FolderSync. EncFS has a front end interface but Truecrypt is only available as a command line version, rooted phones that support the FUSE kernel, e.g. CyanogenMod, can mount an EncFS or Truecrypt volume, there is a Truecrypt work around to avoid having to use a rooted file browser, by typing “truecrypt –fs-options=”uid=1000,gid=1000,umask=0002″ volume.tc /sdcard/tc“. EncFS will use the encryption ciphers found in the system encryption libraries, Cryptonite allows you to select the encryption method, from a “Quick” Blowfish 128bit up to a “Paranoia” AES256bit with filename block encoding, other preferences include saving temporary files on an external SD card, setting up the mount storage point, clearing the cache and the “Chuck Norris mode” for experienced users that do not want to receive any security warning from the app.

You can browse, export and open encrypted EncFS directories and files on your Dropbox and to your phone, when you open a file from a decrypted EncFS volume Cryptonite will produce a temporary copy in “/data/data/csh.cryptonite/app_open/path_to_your_file”, anyone with access to your phone could recover those files, the app includes a text viewer that works in memory and does not save any temporary copy, there are plans to add an image viewer in the future but right now there isn’t one and if you open an image a temporary copy could be made on the phone outside the encrypted container.

Download  Cryptonite

Read More

Android Security Evaluation Framework - ASEF

Have you ever looked at your Android applications and wondered if they are watching you as well? Whether it’s a bandwidth-hogging app, aggressive adware or even malware, it would be interesting to know if they are doing more than what they are supposed to and if your personal information is exposed. Is there really a way to automatically evaluate all your apps – even hundreds of them – to harvest their behavioral data, analyze their run pattern, and at the same time provide an interface to facilitate a vast majority of evolving security tests with most practical solutions?

Android Security Evaluation Framework (ASEF) performs this analysis while alerting you about other possible issues. It will make you aware of unusual activities of your apps, will expose vulnerable components and help narrow down suspicious apps for further manual research. The framework will take a set of apps (either pre-installed on a device or as individual APK files) and migrate them to the test suite where it will run it through test cycles on a pre-configured Android Virtual Device (AVD).

Android Security Evaluation Framework

During the test cycles the apps will be installed and launched on the AVD. ASEF will trigger certain behaviors by sending random or custom gestures and later uninstall the app automatically. It will capture log events, network traffic, kernel logs, memory dump, running processes and other parameters at every stage which will later be utilized by the ASEF analyzer. The analyzer will try to determine the aggressive bandwidth usage, interaction with any command and control (C&C) servers using Google’s safe browsing API, permission mappings and known security flaws. ASEF can easily be integrated with other open source tools to capture sensitive information, such as SIM cards, phone numbers and others.

ASEF is an Open Source tool for scanning Android Devices for security evaluation. Users will gain access to security aspects of android apps by using this tool with its default settings. An advanced user can fine-tune this, expand upon this idea by easily integrating more test scenarios, or even find patterns out of the data it already collects. ASEF will provide automated application testing and facilitate a plug and play kind of environment to keep up with the dynamic field of Android Security.

Download ASEF

Read More

Network Forensic Analysis - NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files

Network Forensic Analysis Features

ºNetwork Forensics
ºNetwork Sniffing
ºPCAP Parser
ºDigital Forensics
ºPacket Sniffer

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble/rebuild transmitted files, directory structures and certificates from PCAP files.


The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner also comes in very handy when analyzing malware traffic, such as C&C (command-and-control) traffic from a BotNet, since uploaded and downloaded files are extracted to disk.

NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packet by using OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the “Credentials” tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.


Version 0.84 (and newer) of NetworkMiner support sniffing and parsing of WLAN (IEEE 802.11) traffic. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.

Download  NetworkMiner

Read More

Blind SQL injection - BBQSQL

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.


Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

ºURL
ºHTTP Method
ºHeaders
ºCookies
ºEncoding methods
ºRedirect behavior
ºFiles
ºHTTP Auth
ºProxies

HTTP Parameters
BBQSQL has many http parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

ºfiles
ºheaders
ºcookies
ºurl
ºallow_redirects
ºproxies
ºdata
ºmethod
ºauth

Blind SQL injection: BBQSQL Install

This should be straight forward, but what ever is. Try running:

sudo pip install bbqsql


If that doesn’t work for you, you can install from source. The tool requires gevent,requests.

Download  BBQSQL

Read More

Wireless Security Auditing - Fern Wifi Cracker

Fern Wifi Cracker is a Wireless security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library, the program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks

Fern Wifi Cracker Features:

ºWEP Cracking with Fragmentation,Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or ºWPS attack
ºWPA/WPA2 Cracking with Dictionary or WPS based attacks
ºAutomatic saving of key in database on successful crack
ºAutomatic Access Point Attack System
ºSession Hijacking (Passive and Ethernet Modes)
ºAccess Point MAC Address Geo Location Tracking
ºInternal MITM Engine
ºBruteforce Attacks (HTTP,HTTPS,TELNET,FTP)
ºUpdate Support>

Operating System Supported

The Software runs on any Linux machine with the programs prerequisites, But the program has been tested on the following Linux based operating systems:

ºUbuntu KDE/GNOME
ºBackTrack Linux
ºBackBox Linux

Prerequisites

The Program requires the following to run properly:
The following dependencies can be installed using the Debian package installer command on Debian based systems using “apt-get install program” or otherwise downloaded and installed manually

ºAircrack-NG
ºPython-Scapy
ºPython Qt4
ºPython
ºSubversion
ºXterm
ºReaver (for WPS Attacks)
ºMacchanger

Downlaod Fern Wifi Cracker

Read More

Local Pentest Transform Package - Sploitego

Sploitego is a local pen-test transform package that uses the Canari Framework for local transform execution in Maltego. The framework was first introduced at DEFCON 20 and has since picked up steam.

Sploitego has currently been tested on Mac OS X and Linux.


Sploitego is only supported on Python version 2.6. The setup script will automatically download and install most of the prerequisite modules, however, some modules will still need to be installed manually.

Some of the transforms require external command-line tools (e.g. nmap, amap, p0f, etc.). The following command-line tools are currently supported:

ºNmap version 5.51: Download
ºP0f version 3.05b: Download
ºAmap version 5.4: Download
ºMetasploit: Download
ºNessus: Download

Download  Sploitego

Read More