SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT


Wednesday, January 27, 2016

Domain Name Permutation Engine For Detecting Typo Squatting, Phishing And Corporate Espionage - Dnstwist





See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally it can test if the mail server from MX record can be used to intercept misdirected corporate e-mails and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.


Key features 

There are several pretty good reasons to give it a try: 

ºWide range of efficient domain fuzzing algorithms
ºMultithreaded job distribution
ºResolves domain names to IPv4 and IPv6
ºQueries for NS and MX records
ºEvaluates web page similarity with fuzzy hashes to find live phishing sites
ºTests if MX host (mail server) can be used to intercept misdirected e-mails (espionage)
ºGenerates additional domain variants using dictionary files
ºGeoIP location information
ºGrabs HTTP and SMTP service banners
ºWHOIS lookups for creation and modification date
ºPrints output in CSV and JSON format

Requirements 

To get the full power of dnstwist, make sure the following Python modules are present on your system. If any is missing, dnstwist will still work, but without many useful features; you'll get a notification when a required module is absent.

ºA DNS toolkit for Python
ºPython GeoIP
ºPython WHOIS
ºRequests: HTTP for Humans
ºssdeep Python wrapper

Installation 

Linux 

Ubuntu Linux is the primary development platform. If running Ubuntu 15.04 or newer, you can install dependencies like this: 

$ sudo apt-get install python-dnspython python-geoip python-whois \
    python-requests python-ssdeep

Alternately, you can use Python tooling. This can be done within a virtual environment to avoid conflicts with other installations. However, you will still need a couple of libraries installed at the system level. 

$ sudo apt-get install libgeoip-dev libffi-dev
$ BUILD_LIB=1 pip install -r requirements.txt

Now it is fully equipped and ready for action. 
OSX 
If you're on a Mac, you can install dnstwist via Homebrew like so: 

$ brew install dnstwist  

This installs dnstwist.py as dnstwist, along with all the requirements mentioned above. The usage is the same; you can just omit the file extension, and the binary will be added to PATH.
Docker 
If you use Docker, you can build a local copy: 

$ docker build -t dnstwist .  

Then run that local image: 

$ docker run dnstwist example.com  

If you don't want to build locally, here is a list of community maintained images:

jrottenberg/dnstwist

How to use 

To start, it's a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. 

$ dnstwist.py example.com  
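To show what the fuzzing step produces, here is an added example (not dnstwist's own code) of a small permutation engine that generates the same families of variants the tool uses: omission, transposition, repetition, adjacent-key replacement and insertion, homoglyphs, hyphenation, bitsquatting and TLD swap. The keyboard, homoglyph and TLD tables are constructed subsets for illustration, and the `--resolve` flag belongs to this script only.

```python
"""Domain permutation engine in the spirit of dnstwist's fuzzers (added example,
not dnstwist's own code)."""
import socket
import sys

# Constructed lookup tables: illustrative subsets, not dnstwist's own tables.
ADJACENT_KEYS = {"a": "qwsz", "e": "wsdr", "o": "ipkl", "m": "njk",
                 "l": "kop", "p": "ol", "x": "zsdc"}
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "e": ["3"], "a": ["4"]}
ALT_TLDS = ["net", "org", "co"]
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def split_domain(domain):
    """'www.example.com' -> ('www.example', 'com'); the last label is treated as the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError("expected a domain with at least one dot")
    return name, tld


def valid_label(label):
    """DNS label rules: 1-63 chars, [a-z0-9-], no leading or trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= LABEL_CHARS
            and not label.startswith("-") and not label.endswith("-"))


def permutations(domain):
    """Return sorted (fuzzer, variant) pairs; the seed itself is never included."""
    name, tld = split_domain(domain)
    raw = set()
    for i, ch in enumerate(name):
        raw.add(("omission", name[:i] + name[i + 1:]))                  # exmple
        raw.add(("repetition", name[:i] + ch + name[i:]))                # exaample
        if i + 1 < len(name):                                            # exmaple
            raw.add(("transposition", name[:i] + name[i + 1] + ch + name[i + 2:]))
        if i > 0:                                                        # exam-ple
            raw.add(("hyphenation", name[:i] + "-" + name[i:]))
        for nb in ADJACENT_KEYS.get(ch, ""):                             # neighbouring keys
            raw.add(("replacement", name[:i] + nb + name[i + 1:]))
            raw.add(("insertion", name[:i] + nb + name[i:]))
            raw.add(("insertion", name[:i + 1] + nb + name[i + 1:]))
        for hg in HOMOGLYPHS.get(ch, []):                                # examp1e
            raw.add(("homoglyph", name[:i] + hg + name[i + 1:]))
        for bit in range(8):                                             # one flipped bit
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                raw.add(("bitsquatting", name[:i] + flipped + name[i + 1:]))
    for alt in ALT_TLDS:                                                 # example.net
        if alt != tld:
            raw.add(("tld-swap", name + "." + alt))

    variants = set()
    for fuzzer, candidate in raw:
        fqdn = candidate if fuzzer == "tld-swap" else candidate + "." + tld
        if fqdn != domain.lower() and all(valid_label(l) for l in fqdn.split(".")):
            variants.add((fuzzer, fqdn))
    return sorted(variants, key=lambda t: (t[1], t[0]))


def resolve(fqdn):
    """Best-effort A/AAAA lookup; an empty list means unregistered or unresolvable."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    seed = args[0] if args else "example.com"
    do_resolve = "--resolve" in sys.argv      # hypothetical flag of this script only
    for fuzzer, variant in permutations(seed):
        addrs = resolve(variant) if do_resolve else []
        print(f"{fuzzer:<14} {variant:<32} {' '.join(addrs)}")
```

Run without `--resolve` the script only generates; with it, every variant is looked up, which is the "is it registered" step dnstwist performs with its DNS toolkit.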

Manually checking each domain name to see whether it serves a phishing site can be time consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing makes it possible to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This feature of dnstwist is enabled with the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP server (following possible redirects) and compare its fuzzy hash with the one computed for the original (initial) domain. The level of similarity is expressed as a percentage. Keep in mind that it's rather unlikely to get a 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level. 

$ dnstwist.py --ssdeep example.com  

In some cases phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply the same path to each generated domain name variant. This ability is obviously useful only in conjunction with the fuzzy hashing feature.

$ dnstwist.py --ssdeep https://example.com/owa/
$ dnstwist.py --ssdeep example.com/crm/login

Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent to. Another dnstwist feature performs a simple test on each mail server (advertised through a DNS MX record) to check which ones can be used for such hostile intent. Suspicious servers are marked with the SPYING-MX string. 
Be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails and then discard those messages. This technique is used to prevent a directory harvest attack. 

$ dnstwist.py --mxcheck example.com  
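An added example (not dnstwist's code) of the MX test described above: the server is asked, inside a normal SMTP dialogue, whether it accepts mail for a recipient that cannot exist, and a 250 reply to RCPT TO marks it as a catch-all. The verdict logic is kept separate from the network session so it can be exercised against a fake server; the sender address and the `smtp_rcpt_fn` adapter are this example's own assumptions.

```python
"""Catch-all (SPYING-MX style) probe for a mail server. Added example, not
dnstwist's own code."""
import secrets
import smtplib
import socket


def random_local_part(nbytes=8):
    """A recipient no real mailbox will match, e.g. 'f3a9...' (16 hex chars)."""
    return secrets.token_hex(nbytes)


def classify_rcpt(reply_code):
    """Map the RCPT TO reply code to a verdict.

    250/251: the server accepted a recipient it cannot know about, i.e. it
    takes everything for the domain. 4xx: temporary failure (greylisting,
    load, network trouble), so no verdict. Anything else is a normal rejection.
    Note the false-positive caveat from the text: a 250 does not prove the
    message is read; directory-harvest defences accept and then discard.
    """
    if reply_code in (250, 251):
        return "catch-all"
    if 400 <= reply_code < 500:
        return "unknown"
    return "rejects"


def catch_all_verdict(domain, rcpt_fn, local_part=None):
    """Run the probe through rcpt_fn(address) -> SMTP reply code.

    rcpt_fn is injected so the logic can be tested offline; for a live check
    pass the closure returned by smtp_rcpt_fn().
    """
    local_part = local_part or random_local_part()
    return classify_rcpt(rcpt_fn(f"{local_part}@{domain}"))


def smtp_rcpt_fn(mx_host, sender="noreply@example.invalid", timeout=10):
    """Return an rcpt_fn backed by a real SMTP session to mx_host (assumed reachable).

    The sender address is an assumption of this example; pick one you control.
    """
    def rcpt(address):
        try:
            with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
                smtp.ehlo_or_helo_if_needed()
                smtp.mail(sender)
                code, _ = smtp.rcpt(address)
                smtp.rset()          # never DATA: this is a probe, not a delivery
                return code
        except (smtplib.SMTPException, socket.error):
            return 451               # treat trouble as a temporary failure
    return rcpt


if __name__ == "__main__":
    import sys
    mx, domain = sys.argv[1], sys.argv[2]        # e.g. mx.example.com example.com
    print(domain, catch_all_verdict(domain, smtp_rcpt_fn(mx)))
```

Run against your own MX first: a "catch-all" verdict on your own domain tells you what a dnstwist scan of look-alike domains will report about you, and whether that is a deliberate anti-harvesting setting.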

The domain names generated by the fuzzing algorithms are not always sufficient. To generate even more domain name variants, feed dnstwist a dictionary file. Some sample dictionaries listing the most common words used in targeted phishing campaigns are included. Feel free to adapt them to your needs. 

$ dnstwist.py --dictionary dictionaries/english.dict example.com  

Apart from the default nice and colorful text terminal output, the tool provides two well known and easy to parse output formats: CSV and JSON. Use it for data interchange. 

$ dnstwist.py --csv example.com > out.csv
$ dnstwist.py --json example.com > out.json

The generated list of domains usually has more than a hundred rows, especially for longer domain names. In such cases it may be practical to display only registered (resolvable) ones using the --registered argument. 

$ dnstwist.py --registered example.com  

The tool is shipped with a built-in GeoIP database. Use the --geoip argument to display the geographical location (country name) for each IPv4 address. 

$ dnstwist.py --geoip example.com  

Of course all of the features offered by dnstwist together with brief descriptions are always available at your fingertips: 


$ dnstwist.py --help  




Zizzania - Automated DeAuth Attack


zizzania sniffs wireless traffic listening for WPA handshakes and dumps only those frames suitable for decryption (one beacon + EAPOL frames + data). In order to speed up the process, zizzania sends IEEE 802.11 DeAuth frames to the stations whose handshake is needed, properly handling retransmissions and reassociations and trying to limit the number of DeAuth frames sent to each station.

Usage 

zizzania (-r <file> | -i <device> [-c <channel>]
          ([-n] | [-d <count>] [-a <count>] [-t <seconds>]))
         [-b <address>...] [-x <address>...] [-2 | -3]
         [-w <file> [-g]] [-v]

-i <device>   Use <device> for both capture and injection
-c <channel>  Set <device> to RFMON mode on <channel>
-n            Passively wait for WPA handshakes
-d <count>    Send groups of <count> deauthentication frames
-a <count>    Perform <count> deauthentications before giving up
-t <seconds>  Time to wait between two deauthentication attempts
-r <file>     Read packets from <file> (- for stdin)
-b <address>  Limit the operations to the given BSSID
-x <address>  Exclude the given station from the operations
-2            Settle for the first two handshake messages
-3            Settle for the first three handshake messages
-w <file>     Write packets to <file> (- for stdout)
-g            Also dump multicast and broadcast traffic
-v            Print verbose messages to stderr (toggle with SIGUSR1)


Examples 

ºPut the network interface in RFMON mode on channel 6 and save the traffic gathered from the stations associated to a specific access point: 


zizzania -i wlan0 -c 6 -b AA:BB:CC:DD:EE:FF -w out.pcap  

ºPassively analyze the traffic generated by any station on the current channel, assuming that the network interface is already in RFMON mode: 

zizzania -i wlan0 -n  

ºStrip unnecessary frames from a pcap file (excluding altogether the traffic generated by one particular station), considering a handshake complete after just the first two messages (which should be enough for unicast traffic decryption): 

zizzania -r in.pcap -x 00:11:22:33:44:55 -w out.pcap  

Use airdecap-ng to decrypt a pcap file created by zizzania: 

airdecap-ng -b AA:BB:CC:DD:EE:FF -e SSID -p passphrase out.pcap  
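From the defender's side, the deauthentication bursts this tool relies on are plainly visible in a monitor-mode capture. The following is an added example, not part of zizzania: it parses raw 802.11 management frames (radiotap header already stripped) and raises an alert when one station receives a burst of deauth/disassoc frames within a short window. The sample frames and timestamps are constructed inline; the frame layout it decodes is the standard 802.11 MAC header.

```python
"""Deauthentication burst detector over raw 802.11 management frames.
Added example, not part of zizzania."""
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8      # management frame subtypes


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Return header fields of a management frame, or None for any other frame type."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                              # frame control, first byte
    if fc0 & 0x03 != 0 or (fc0 >> 2) & 0x03 != 0:   # version 0, type 0 (management)
        return None
    info = {"subtype": fc0 >> 4, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return info


class DeauthDetector:
    """Alerts once when a (bssid, station) pair sees `threshold` deauth/disassoc
    frames inside a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)
        self.alerts = []

    def feed(self, ts, frame):
        info = parse_mgmt_frame(frame)
        if not info or info["subtype"] not in (DEAUTH, DISASSOC):
            return None
        key = (info["bssid"], info["da"])
        hist = self.history[key]
        hist.append(ts)
        while hist and ts - hist[0] > self.window:
            hist.popleft()
        if len(hist) == self.threshold:          # fires exactly once per burst
            alert = {"ts": ts, "bssid": key[0], "station": key[1],
                     "count": len(hist), "reason": info.get("reason")}
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample frames (hex): frame control, duration, addr1, addr2, addr3, seq ctrl [, body].
AP, STA, STA2, BCAST = "aabbccddeeff", "001122334455", "66778899aabb", "ffffffffffff"
DEAUTH_TO_STA = "c0003a01" + STA + AP + AP + "0000" + "0700"     # AP -> STA, reason 7
DEAUTH_TO_STA2 = "c0003a01" + STA2 + AP + AP + "0000" + "0700"
BEACON_FRAME = "80000000" + BCAST + AP + AP + "0000" + "00" * 12
DATA_FRAME = "08010000" + AP + STA + AP + "0000"                    # type 2 (data): ignored
SAMPLE_CAPTURE = [                                                  # (seconds, frame)
    (0.0, BEACON_FRAME),
    (0.1, DEAUTH_TO_STA), (0.15, DEAUTH_TO_STA), (0.2, DEAUTH_TO_STA),
    (0.25, DEAUTH_TO_STA), (0.3, DEAUTH_TO_STA), (0.35, DEAUTH_TO_STA),
    (0.4, DATA_FRAME),
    (25.0, DEAUTH_TO_STA2),                                         # a lone deauth is routine
]


def run_sample(threshold=5, window=10.0):
    """Replay the constructed capture and return the alerts it raises."""
    det = DeauthDetector(threshold, window)
    for ts, hexframe in SAMPLE_CAPTURE:
        det.feed(ts, bytes.fromhex(hexframe))
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']:>6.2f}s  {a['count']} deauth frames to {a['station']} on {a['bssid']}")
```

Protected Management Frames (802.11w) make forged deauthentication frames ineffective; the detector is still useful because it tells you that someone tried, and against which station.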

Dependencies 

ºSCons
ºlibpcap
ºuthash

Debian-based 

sudo apt-get install scons libpcap-dev uthash-dev  

Mac OS X (Homebrew) 

brew install scons libpcap clib
clib install troydhanson/uthash  # from this directory

Or as an alternative to clib just throw uthash.h in any valid headers search path. 

Build 

make  

The install process is not mandatory, zizzania can be run from the src directory. Just in case: 

make install
make uninstall

Mac OS X support 


In order to sniff packets live and to perform the deauthentication phase zizzania requires that the network interface/driver supports RFMON mode and injection. This is known to be troublesome with Mac OS X and hence it is not directly supported by zizzania. 




SQL Injection Fuzzer - sqlifuzzer



sqlifuzzer is a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.

Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.

SQL Injection Fuzzer Features:

ºPayloads/tests for numeric, string, error and time-based SQL injection
ºSupport for MSSQL, MYSQL and Oracle DBMS’s
ºA range of filter evasion options: case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
ºORDER BY and UNION SELECT tests on vulnerable parameters to:
  ºenumerate select query column numbers
  ºidentify data-type string columns in select queries
  ºextract database schema and configuration information
ºConditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
ºTime delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
ºBoolean response-based XPath injection testing and data extraction
ºSupport for automated detection and testing of parameters in POST URIs and multipart forms
ºScan ‘state’ maintenance:
  ºHalt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
  ºSpecify a specific request number to resume a scan from
  ºOptional exclusion of a customizable list of parameters from scanning scope
  ºTracking of parameters scanned and avoidance of re-scanning scanned parameters
ºHTML format output with:
  ºlinks/buttons to send Proof of Concept SQL injection requests
  ºlinks to response difference files and to extracted data


What do I need to use sqlifuzzer?

sqlifuzzer is built and tested on BackTrack. On all other platforms Your Mileage May Vary; you will need an OS that can support bash (*nix, cygwin (not tested), etc.), curl must be installed and in your path, and ‘replace’ (which is missing from Ubuntu) must also be installed in your path. Until I implement web spider functionality, sqlifuzzer is dependent upon burp proxy to create log files (not burp state files) which sqlifuzzer uses to build its internal list of fuzz requests. The free version of burp can be used to create these log files. Within Burp go to options > misc and check the proxy requests tick box; browse the target site, populate your log, then pass it to sqlifuzzer.

How does sqlifuzzer work?

sqlifuzzer receives a burp log (which you must create for it) that specifies a bunch of HTTP requests. Requests in the burp log look like this:

======================================================
3:09:54 PM  http://192.168.182.136:80
======================================================
POST /orangehrm/menu.php?TEST=1111 HTTP/1.1
Host: 192.168.182.136
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.182.136/orangehrm/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Cookie: PHPSESSID=bf7u0ad95cbubpcvdjda2bqro3; Loggedin=True; EliteNinja=False

module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
======================================================

sqlifuzzer converts these into its own format: a list of all the requests, like this:


GET /orangehrm/menu.php?TEST=1111
POST /orangehrm/menu.php?TEST=1111??module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
GET /orangehrm/index.php?module=Contacts&action=index&return_module=Contacts&return_action=DetailView&&print=true
GET /orangehrm/index.php?module=Home&menu_no=0&menu_no_top=home&submenutop=home1


Next, sqlifuzzer looks at what payload types have been specified, and concatenates the relevant files to create a payload list. The list of requests and the payload list are then passed into the main scanning loop. The loop sends a ‘clean’ reference request (by calling out to curl), then, for the first line in the request list, the loop selects the first parameter and replaces this with the first payload and sends the fuzzed request (again via curl). The two responses are then compared; specifically, the response length and the duration of the responses are compared, the response HTTP status codes are examined, and the responses are searched for some common error strings. If anything ‘juicy’ is found, URL and payload information is logged to an output file and printed to the screen. The loop iterates through all payloads before moving on to the next parameter, and so on for each request.
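The OR 1=1 payload the author warns about works only because the parameter is spliced into the SQL text. As an added example (not part of sqlifuzzer), the following compares a query built by string formatting with the same query using a bound parameter, on a constructed in-memory SQLite table, and mimics the scanner's comparison of a clean and a fuzzed request (error versus row count) so you can see which of the two the scanning loop above would flag.

```python
"""Vulnerable versus parameterized query, with the scanner's style of
comparison. Added example, not sqlifuzzer's own code."""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """String formatting: the value becomes part of the SQL text and is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Bound parameter: the value is compared as a literal and is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe(conn, query_fn, payload):
    """What a scanner sees: did the fuzzed value raise a DB error, and how many rows came back?"""
    try:
        return {"error": None, "rows": len(query_fn(conn, payload))}
    except sqlite3.Error as exc:
        return {"error": str(exc), "rows": None}


def compare(conn, query_fn, clean="alice", payload="' OR 1=1--"):
    """The loop's reference-vs-fuzzed comparison for one function: flag if the row
    count changed or the payload produced a database error."""
    ref, fuzzed = probe(conn, query_fn, clean), probe(conn, query_fn, payload)
    suspicious = fuzzed["error"] is not None or fuzzed["rows"] != ref["rows"]
    return {"reference": ref, "fuzzed": fuzzed, "suspicious": suspicious}


if __name__ == "__main__":
    db = make_db()
    for fn in (find_user_vulnerable, find_user_parameterized):
        print(fn.__name__, compare(db, fn))
        print(fn.__name__, "single quote:", probe(db, fn, "'"))
```

With the vulnerable function the comment payload turns `WHERE name = ''` into `WHERE name = '' OR 1=1`, so every row comes back; a DELETE or UPDATE built the same way would affect every row, which is the data-destruction risk the post warns about. The parameterized version returns no rows for the same input, and the lone single quote that makes the vulnerable query throw a syntax error is just an ordinary (unmatched) name to the safe one.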

Why was sqlifuzzer created?


Ever wanted to hit every dynamic parameter of a web app with a single quote? That’s how sqlifuzzer started out. At first, it just compared the response lengths. Then I added the ability to iterate over a list of payloads. Then came POST requests, URL encoding, time delay diffing, searching for common error messages, logging, sessions, the ability to define parameters NOT to scan, method swapping, null byte prefixes, POST URIs, DBMS fingerprinting, data extraction, conditional testing, filter evasion options, boolean response-based XPath injection detection and data extraction and support for multipart forms.




Open Source Web Server Scanner - Nikto



Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.



Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
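Nikto is, as the post says, fairly obvious in log files. Here is an added example (not part of Nikto) of a small detector over constructed Apache combined-format log lines: it flags a client whose User-Agent advertises Nikto (the default User-Agent string contains the word "Nikto") and, independently, a client whose requests are mostly 404s across many distinct paths, which also catches a scan run with a changed User-Agent. The IP addresses, paths and thresholds are constructed for the example.

```python
"""Web-scanner detection over Apache combined-format access logs.
Added example, not part of Nikto."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, min_requests=20, not_found_ratio=0.8):
    """Per client IP, collect request volume, 404 share, distinct paths and UA hits."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "ua_match": False})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
        if "nikto" in rec["ua"].lower():        # default UA advertises the tool
            s["ua_match"] = True
    findings = []
    for ip, s in per_ip.items():
        reasons = []
        if s["ua_match"]:
            reasons.append("user-agent advertises Nikto")
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] >= not_found_ratio:
            reasons.append(f"{s['not_found']}/{s['requests']} requests returned 404 "
                           f"across {len(s['paths'])} paths")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons})
    return findings


def sample_log():
    """Constructed log lines (not from a real server): one normal visitor, one
    scanner with the default UA, one scanner with a generic UA."""
    ts = "27/Jan/2016:10:00:%02d +0000"
    lines = [f'10.0.0.5 - - [{ts % i}] "GET /index.html HTTP/1.1" 200 5120 "-" '
             f'"Mozilla/5.0 (X11; Linux x86_64)"' for i in range(3)]
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"
    for i in range(25):
        status = 200 if i % 10 == 0 else 404
        lines.append(f'203.0.113.7 - - [{ts % i}] "GET /probe-{i}/ HTTP/1.1" {status} 210 "-" "{nikto_ua}"')
    for i in range(25):
        status = 200 if i % 10 == 0 else 404
        lines.append(f'198.51.100.9 - - [{ts % i}] "GET /probe-{i}/ HTTP/1.1" {status} 210 "-" "curl/7.47.0"')
    return lines


def run_sample():
    return analyze(sample_log())


if __name__ == "__main__":
    for f in run_sample():
        print(f["ip"], "->", "; ".join(f["reasons"]))
```

The User-Agent rule is cheap but trivially evaded (Nikto lets you change it, and the LibWhisker encodings mentioned above do not touch the UA either way); the 404-ratio rule is what catches the scan regardless, at the cost of tuning the thresholds to your own traffic.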




Features

Here are some of the major features of Nikto.

ºSSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
ºFull HTTP proxy support
ºChecks for outdated server components
ºSave reports in plain text, XML, HTML, NBE or CSV
ºTemplate engine to easily customize reports
ºScan multiple ports on a server, or multiple servers via input file (including nmap output)
ºLibWhisker‘s IDS encoding techniques
ºEasily updated via command line
ºIdentifies installed software via headers, favicons and files
ºHost authentication with Basic and NTLM
ºSubdomain guessing
ºApache and cgiwrap username enumeration
ºMutation techniques to “fish” for content on web servers
ºScan tuning to include or exclude entire classes of vulnerability checks
ºGuess credentials for authorization realms (including many default id/pw combos)
ºAuthorization guessing handles any directory, not just the root directory
ºEnhanced false positive reduction via multiple methods: headers, page content, and content hashing
ºReports “unusual” headers seen
ºInteractive status, pause and changes to verbosity settings
ºSave full request/response for positive tests
ºReplay saved positive requests
ºMaximum execution time per target
ºAuto-pause at a specified time
ºChecks for common “parking” sites
ºLogging to Metasploit
ºThorough documentation



Pentesting VoIP Systems - VIPER VAST 3




VAST is a Linux-based security distribution specifically designed for pentesting VoIP and UC networks.

It enables security professionals and UC administrators to rapidly perform VoIP security assessments and enumerate vulnerabilities in IP Phones or IP PBX servers in a lab environment. With VAST, a security consultant has every tool necessary to carry out a successful onsite or remote penetration test or vulnerability assessment against a UC network. VAST is built on Mint Linux 13 and includes all of the open source VIPER Lab tools, in addition to some other network pentest tools.

VAST can be downloaded in .ISO format and VMWare guest image.



EncFS and TrueCrypt for Android - Cryptonite



Cryptonite brings EncFS and TrueCrypt to Android. You can browse, export and open EncFS-encrypted directories and files on your Dropbox and on your phone. On rooted phones that support FUSE (e.g. CyanogenMod) you can also mount EncFS and TrueCrypt volumes. TrueCrypt is only available as a command-line version at this time.


Cryptonite is an Android app that brings the FUSE-based cryptographic filesystem EncFS, and TrueCrypt, to Android. You can link it to your Dropbox account with a single tap; after that you can read and write EncFS volumes on Dropbox, exporting, viewing or uploading new files. Dropbox claims to keep data encrypted on its servers, but anyone who finds out your account password can read the files; encrypting them with Cryptonite places a second security layer on top and blocks Dropbox's built-in backdoor to your data.


To access your files offline, sync them to a local folder with an app that provides online storage synchronization, e.g. FolderSync. EncFS has a front-end interface, but TrueCrypt is only available as a command-line version. Rooted phones that support the FUSE kernel module, e.g. CyanogenMod, can mount an EncFS or TrueCrypt volume; there is a TrueCrypt workaround to avoid having to use a rooted file browser, by typing `truecrypt --fs-options="uid=1000,gid=1000,umask=0002" volume.tc /sdcard/tc`. EncFS uses the encryption ciphers found in the system encryption libraries; Cryptonite lets you select the encryption method, from a “Quick” 128-bit Blowfish up to a “Paranoia” 256-bit AES with filename block encoding. Other preferences include saving temporary files on an external SD card, setting the mount storage point, clearing the cache and the “Chuck Norris mode” for experienced users who do not want to receive any security warning from the app.



You can browse, export and open encrypted EncFS directories and files on your Dropbox and on your phone. When you open a file from a decrypted EncFS volume, Cryptonite produces a temporary copy in “/data/data/csh.cryptonite/app_open/path_to_your_file”, and anyone with access to your phone could recover those files. The app includes a text viewer that works in memory and does not save any temporary copy. There are plans to add an image viewer in the future, but right now there isn’t one, and if you open an image a temporary copy could be made on the phone outside the encrypted container.




Android Security Evaluation Framework - ASEF



Have you ever looked at your Android applications and wondered if they are watching you as well? Whether it’s a bandwidth-hogging app, aggressive adware or even malware, it would be interesting to know if they are doing more than what they are supposed to and if your personal information is exposed. Is there really a way to automatically evaluate all your apps – even hundreds of them – to harvest their behavioral data, analyze their run pattern, and at the same time provide an interface to facilitate a vast majority of evolving security tests with most practical solutions?




Android Security Evaluation Framework (ASEF) performs this analysis while alerting you about other possible issues. It will make you aware of unusual activities of your apps, expose vulnerable components and help narrow down suspicious apps for further manual research. The framework will take a set of apps (either pre-installed on a device or as individual APK files) and migrate them to the test suite, where it will run them through test cycles on a pre-configured Android Virtual Device (AVD).

Android Security Evaluation Framework

During the test cycles the apps will be installed and launched on the AVD. ASEF will trigger certain behaviors by sending random or custom gestures and later uninstall the app automatically. It will capture log events, network traffic, kernel logs, memory dump, running processes and other parameters at every stage which will later be utilized by the ASEF analyzer. The analyzer will try to determine the aggressive bandwidth usage, interaction with any command and control (C&C) servers using Google’s safe browsing API, permission mappings and known security flaws. ASEF can easily be integrated with other open source tools to capture sensitive information, such as SIM cards, phone numbers and others.



ASEF is an Open Source tool for scanning Android Devices for security evaluation. Users will gain access to security aspects of android apps by using this tool with its default settings. An advanced user can fine-tune this, expand upon this idea by easily integrating more test scenarios, or even find patterns out of the data it already collects. ASEF will provide automated application testing and facilitate a plug and play kind of environment to keep up with the dynamic field of Android Security.





Network Forensic Analysis - NetworkMiner



NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble/rebuild transmitted files, directory structures and certificates from PCAP files.








The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames). NetworkMiner also comes in very handy when analyzing malware traffic, such as C&C (command-and-control) traffic from a BotNet, since uploaded and downloaded files are extracted to disk.





NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packets by using the OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).
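To make the SYN-based fingerprinting concrete, here is an added example (not NetworkMiner's, p0f's or Ettercap's code) that parses an IPv4/TCP SYN, extracts the fields p0f-style databases key on (initial TTL, DF bit, window size, MSS, window scale and option layout) and matches them against a tiny signature table. The signatures are constructed for illustration and are not real p0f entries; the sample packets are built by the block itself with zero checksums.

```python
"""Passive p0f-style OS fingerprinting from a TCP SYN. Added example, not
NetworkMiner's or p0f's code; signatures below are illustrative only."""
import socket
import struct

MSS, WSCALE, SACK_OK, TIMESTAMP, NOP = 2, 3, 4, 8, 1        # TCP option kinds


def parse_tcp_options(raw):
    """Return [(kind, value)] in wire order; value is the MSS or shift count, else None."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                        # end of option list
            break
        if kind == NOP:
            opts.append((NOP, None)); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                                            # malformed: stop parsing
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        value = None
        if kind == MSS and len(data) == 2:
            value = struct.unpack("!H", data)[0]
        elif kind == WSCALE and len(data) == 1:
            value = data[0]
        opts.append((kind, value)); i += length
    return opts


def parse_syn(packet):
    """Fingerprint fields of an IPv4/TCP pure SYN (no link layer), or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not flags & 0x02 or flags & 0x10:                     # SYN set, ACK clear
        return None
    opts = parse_tcp_options(tcp[20:doff])
    return {"ttl": packet[8], "df": df, "window": struct.unpack("!H", tcp[14:16])[0],
            "mss": next((v for k, v in opts if k == MSS), None),
            "wscale": next((v for k, v in opts if k == WSCALE), None),
            "olayout": [k for k, _ in opts]}


def initial_ttl(ttl):
    """Routers decrement TTL per hop; snap to the nearest common initial value at or above it."""
    return next((t for t in (32, 64, 128, 255) if ttl <= t), 255)


SIGNATURES = [   # constructed, illustrative: not real p0f database entries
    {"os": "Linux (illustrative)", "ittl": 64, "df": True, "window": 29200,
     "olayout": [MSS, SACK_OK, TIMESTAMP, NOP, WSCALE]},
    {"os": "Windows (illustrative)", "ittl": 128, "df": True, "window": 8192,
     "olayout": [MSS, NOP, WSCALE, NOP, NOP, SACK_OK]},
]


def fingerprint(packet):
    fp = parse_syn(packet)
    if not fp:
        return None
    distance = initial_ttl(fp["ttl"]) - fp["ttl"]            # estimated hop count
    for sig in SIGNATURES:
        if (initial_ttl(fp["ttl"]), fp["df"], fp["window"], fp["olayout"]) == \
                (sig["ittl"], sig["df"], sig["window"], sig["olayout"]):
            return {"os": sig["os"], "distance": distance, **fp}
    return {"os": "unknown", "distance": distance, **fp}


def build_syn(ttl, window, options, df=True, src="10.0.0.5", dst="10.0.0.1"):
    """Construct a sample IPv4/TCP SYN (test traffic; checksums left at zero)."""
    opt = b""
    for kind, value in options:
        opt += {NOP: b"\x01", SACK_OK: b"\x04\x02"}.get(kind) or (
            struct.pack("!BBH", MSS, 4, value) if kind == MSS else
            struct.pack("!BBB", WSCALE, 3, value) if kind == WSCALE else
            struct.pack("!BBII", TIMESTAMP, 10, value, 0))
    opt += b"\x00" * (-len(opt) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(opt) // 4) << 4, 0x02, window, 0, 0) + opt
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp
```

The observed TTL rarely equals the initial one, which is why the match snaps to the next common initial value and reports the difference as an estimated distance in hops; a real database carries hundreds of such tuples, and a mismatch on any field (window size is the most volatile) is what sends a SYN to the "unknown" bucket.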

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the “Credentials” tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.


Version 0.84 (and newer) of NetworkMiner supports sniffing and parsing of WLAN (IEEE 802.11) traffic. NetworkMiner does, however, currently only support WiFi sniffing with AirPcap adapters.




Blind SQL injection - BBQSQL



Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.


As with other SQL injection tools, you provide certain request information.

You must provide the usual information:

ºURL
ºHTTP Method
ºHeaders
ºCookies
ºEncoding methods
ºRedirect behavior
ºFiles
ºHTTP Auth
ºProxies

HTTP Parameters
BBQSQL has many http parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

ºfiles
ºheaders
ºcookies
ºurl
ºallow_redirects
ºproxies
ºdata
ºmethod
ºauth

Install

This should be straightforward, but whatever is. Try running:

sudo pip install bbqsql


If that doesn’t work for you, you can install from source. The tool requires gevent and requests.



Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community