Interactive Disassembler - IDA

IDA (or the Interactive DisAssembler) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost. The latest full version of IDA Pro is commercial; while an earlier and less capable version is available for download free of charge (version 5.0 as of March 2015)

Download IDA

Read More

Popular SQLi and Pentesting Scanner - V3n0M-Scanner

V3n0M runs on Python3 [Live Project - Readding old features back in and improved for Python3]

v3n0m is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve fuctionality and usability. It is mostly experimental software.

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds.

PyPi:

You can now install the software via pip install V3n0m
Always verify the PGP signature of the package:

gpg: Signature made Fri 18 Jul 2014 02:59:48 AM UTC
gpg:                using RSA key 0x8F2B5CBD711F1326
gpg: Good signature from "Grand Architect <unload@cryptolab.net>"

Use at your own risk.

Very useful for executing:

• Metasploit Modules Scans
• SQL Injection Vuln Scanner[SQLi]
• Extremely Large D0rk Target Lists
• FTP Crawler
• DNS BruteForcer

What You Hold:

A modified smartd0rk3r

• Brand new, just outta the box!
• Largest and most powerful d0rker online, 18k+d0rks searched over ~ Engines at once.
• Free and Open /src/
• CrossPlatform Python based toolkit
• Version 4.0.1 Released on 7th Jan 2016
• Licensed under GPLv2
• Tested on: Linux 4.3.1 Ubuntu/Debian, CentOS 6 (with some errors), Win7 (with some errors)

Usage:

root@bt:~# python3 v3n0m.py

Now you may follow the simple prompts.

[0x100] Choose your target (domain) :
        Example : .com
        AND
        it is necessary to add you can also use a specific website (www.example.com)

[0x200] Choose the number of random dorks (0 for all.. may take awhile!) :
        Example : 0 = This will choose all of the XSS, File Inclusion, RCE and SQLi dorks

[0x300] Choose the number of threads :
        Example : 50

[0x400] Enter the number of pages to search through :
        Example : 50

    The program will print out your desired settings and start searching.
    It then creates files for the collected and valid URLs for later.
    It takes a while to scan because it utilizes either TOR, which you can specify
    if you wish to do so, or regular HTTP requests over a long period of time.

    After a while, it will feed you the percentage of the scan until completion.
    At this point, it will have saved the valid URLs in the files it created earlier.
    The program utilizes over 10k dorks now, be careful how you use them!
    Enjoy. :]
                                                            ~/ Dev Team

Contact Information:

[ NovaCygni ] - 
[ Architect ] - 

Original Header:

- This was written for educational purpose and pentest only. Use it at your own risk.
- Author will be not responsible for any damage!
- !!! Special greetz for my friend sinner_01 !!!
- Toolname        : darkd0rk3r.py
- Coder           : baltazar a.k.a b4ltazar <b4ltazar@gmail.com>
- Version         : 1.0
- greetz for all members of ex darkc0de.com, ljuska.org

New To This Addition:

---To be Done --Partially implemented -Done
- Upgrade to Python3 from Python2
--- Redo LFI/RFI attack method
--- Automate scanning sites with findable admin pages and add to seperate list
--- Redo Metasploit Scans
--- Add default attack option for DB types, automate injection and upload shell or enable RDP.
-- Perfect SQLi Vuln detection and add options for saving/searching specific DB types
-- Starting upgrade for Search engines
--- Implement SQLi D0rk Seed Generation option
--- Implement Metasploit Exploits scan / Nmap style option + Dork option

Download V3N0M-Scanner

Read More

Tool To Compares A Targets Patch Levels Against The Microsoft Vulnerability Database - Windows-Exploit-Suggester

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

It was heavily inspired by Linux_Exploit_Suggester by Pentura.

Blog Post:"Introducing Windows Exploit Suggester", https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html

USAGE

update the database

$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done

install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done

possible exploits for an operating system can be used without hotfix data

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

LIMITATIONS

Currently, if the 'systeminfo' command reveals 'File 1' as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the --hotfixes flag

It currently does not seperate 'editions' of the Windows OS such as 'Tablet' or 'Media Center' for example, or different architectures, such as Itanium-based only

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the 'File 1' output, try executing 'wmic qfe list full' and feed that as input with the --hotfixes flag, along with the 'systeminfo'

Download Windows-Exploit-Suggester

Read More

PowerShell Runspace Post Exploitation Toolkit - p0wnedShell

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an “all in one” Post Exploitation tool which we could use to bypass all mitigations solutions (or at least some off), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

How to Compile it:

To compile p0wnedShell you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile it as follows:

To Compile as x86 binary:

cd \Windows\Microsoft.NET\Framework\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"

To Compile as x64 binary:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"

p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.

How to use it:

Just run the executables or...
To run as x86 binary and bypass Applocker (Credits for this great bypass go to Casey Smith aka subTee):

cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

To run as x64 binary and bypass Applocker:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe

What's inside the runspace:

The following PowerShell tools/functions are included:

• PowerSploit Invoke-Shellcode
• PowerSploit Invoke-ReflectivePEInjection
• PowerSploit Invoke-Mimikatz
• PowerSploit Invoke-TokenManipulation
• Veil's PowerTools PowerUp
• Veil's PowerTools PowerView
• HarmJ0y's Invoke-Psexec
• Besimorhino's PowerCat
• Nishang Invoke-PsUACme
• Nishang Invoke-Encode
• Nishang Get-PassHashes
• Nishang Invoke-CredentialsPhish
• Nishang Port-Scan
• Nishang Copy-VSS

Powershell functions within the Runspace are loaded in memory from Base64 encode strings .

The following Binaries/tools are included:

• Benjamin DELPY's Mimikatz
• Benjamin DELPY's MS14-068 kekeo Exploit
• Didier Stevens modification of ReactOS Command Prompt
• hfiref0x MS15-051 Local SYSTEM Exploit

Binaries are loaded in memory using ReflectivePEInjection (Byte arrays are compressed using Gzip and saved within p0wnedShell as Base64 encoded strings ).

Shout-outs:

p0wnedshell is heavily based on tools and knowledge from people like harmj0y, the guys from Powersploit, Sean Metcalf, SubTee, Nikhil Mittal, Besimorhino, Benjamin Delpy e.g. So shout-outs go to them and of course to our friends in Redmond for giving us access to a very powerfull hacking language.

Download p0wnedShell

Read More

Open Source Web Server Scanner - NIkto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.


Open Source Web Server Scanner

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.


Features

Here are some of the major features of Nikto.

ºSSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
Perl/NetSSL)
ºFull HTTP proxy support
ºChecks for outdated server componentsOpen Source Web Server Scanner: NIkto Open ºSource Web Server Scanner Open Source Web Server Scanner
ºSave reports in plain text, XML, HTML, NBE or CSV
ºTemplate engine to easily customize reports
ºScan multiple ports on a server, or multiple servers via input file (including nmap output)
ºLibWhisker‘s IDS encoding techniques
ºEasily updated via command line
ºIdentifies installed software via headers, favicons and files
ºHost authentication with Basic and NTLM
ºSubdomain guessing
ºApache and cgiwrap username enumeration
ºMutation techniques to “fish” for content on web servers
ºScan tuning to include or exclude entire classes of vulnerability
checks
ºGuess credentials for authorization realms (including many default id/pw combos)
ºAuthorization guessing handles any directory, not just the root
directory
ºEnhanced false positive reduction via multiple methods: headers,
page content, and content hashing
ºReports “unusual” headers seen
ºInteractive status, pause and changes to verbosity settings
ºSave full request/response for positive tests
ºReplay saved positive requests
ºMaximum execution time per target
ºAuto-pause at a specified time
ºChecks for common “parking” sites
ºLogging to Metasploit
ºThorough documentation

Download NIkto

Read More

Domain Name Permutation Engine For Detecting Typo Squatting, Phishing And Corporate Espionage - Dnstwist

See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally it can test if the mail server from MX record can be used to intercept misdirected corporate e-mails and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.


Key features 

There are several pretty good reasons to give it a try: 

ºWide range of efficient domain fuzzing algorithms
ºMultithreaded job distribution
ºResolves domain names to IPv4 and IPv6
ºQueries for NS and MX records
ºEvaluates web page similarity with fuzzy hashes to find live phishing sites
ºTests if MX host (mail server) can be used to intercept misdirected e-mails (espionage)
ºGenerates additional domain variants using dictionary files
ºGeoIP location information
ºGrabs HTTP and SMTP service banners
ºWHOIS lookups for creation and modification date
ºPrints output in CSV and JSON format

Requirements 

If you want dnstwist to develop full power, please make sure the following Python modules are present on your system. If missing, dnstwist will still work, but without many cool features. You'll get a notification in absence of required module. 

ºA DNS toolkit for Python
ºPython GeoIP
ºPython WHOIS
ºRequests: HTTP for Humans
ºssdeep Python wrapper

Installation 

Linux 

Ubuntu Linux is the primary development platform. If running Ubuntu 15.04 or newer, you can install dependencies like this: 

$ sudo apt-get install python-dnspython python-geoip python-whois \  python-requests python-ssdeep  

Alternately, you can use Python tooling. This can be done within a virtual environment to avoid conflicts with other installations. However, you will still need a couple of libraries installed at the system level. 

$ sudo apt-get install libgeoip-dev libffi-dev  $ BUILD_LIB=1 pip install -r requirements.txt  

Now it is fully equipped and ready for action. 
OSX 
If you're on a Mac, you can install dnstwist via Homebrew like so: 

$ brew install dnstwist  

This is going to install dnstwist.py as dnstwist only, along with all requirements mentioned above. The usage is the same, you can just omit the file extension, and the binary will be added to PATH . 
Docker 
If you use Docker, you can build a local copy: 

$ docker build -t dnstwist .  

Then run that local image: 

$ docker run dnstwist example.com  

If you don't want to build locally here is a list of community maintained images:

jrottenberg/dnstwist

How to use 

To start, it's a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. 

$ dnstwist.py example.com  

Manually checking each domain name in terms of serving a phishing site might be time consuming. To address this, dnstwist makes use of so called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with --ssdeep argument. For each generated domain, dnstwist will fetch content from responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage. Please keep in mind it's rather unlikely to get 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level. 

$ dnstwist.py --ssdeep example.com  

In some cases phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply for each generated domain name variant. This ability is obviously useful only in conjunction with fuzzy hashing feature.

$ dnstwist.py --ssdeep https://example.com/owa/  $ dnstwist.py --ssdeep example.com/crm/login  

Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows to perform a simple test on each mail server (advertised through DNS MX record) in order to check which one can be used for such hostile intent. Suspicious servers will be marked with SPYING-MX string. 
Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent a directory harvest attack. 

$ dnstwist.py --mxcheck example.com  

Not always domain names generated by the fuzzing algorithms are sufficient. To generate even more domain name variants please feed dnstwist with a dictionary file. Some dictionary samples with a list of the most common words used in targeted phishing campaigns are included. Feel free to adapt it to your needs. 

$ dnstwist.py --dictionary dictionaries/english.dict example.com  

Apart from the default nice and colorful text terminal output, the tool provides two well known and easy to parse output formats: CSV and JSON. Use it for data interchange. 

$ dnstwist.py --csv example.com > out.csv  $ dnstwist.py --json example.com > out.json  

Usually generated list of domains has more than a hundred of rows - especially for longer domain names. In such cases, it may be practical to display only registered (resolvable) ones using --registered argument. 

$ dnstwist.py --registered example.com  

The tool is shipped with built-in GeoIP database. Use --geoip argument to display geographical location (country name) for each IPv4 address. 

$ dnstwist.py --geoip example.com  

Of course all of the features offered by dnstwist together with brief descriptions are always available at your fingertips: 


$ dnstwist.py --help  

Download Dnstwist 

Read More

Zizzania - Automated DeAuth Attack

zizzania sniffs wireless traffic listening for WPA handshakes and dumping only those frames suitable to be decrypted (one beacon + EAPOL frames + data). In order to speed up the process, zizzania sends IEEE 802.11 DeAuth frames to the stations whose handshake is needed, properly handling retransmissions and reassociations and trying to limit the number of DeAuth frames sent to each station.

Usage 

zizzania (-r <file> | -i <device> [-c <channel>]
          ([-n] | [-d <count>] [-a <count>] [-t <seconds>]))
         [-b <address>...] [-x <address>...] [-2 | -3]
         [-w <file> [-g]] [-v]

-i <device>   Use <device> for both capture and injection
-c <channel>  Set <device> to RFMON mode on <channel>
-n            Passively wait for WPA handshakes
-d <count>    Send groups of <count> deauthentication frames
-a <count>    Perform <count> deauthentications before giving up
-t <seconds>  Time to wait between two deauthentication attempts
-r <file>     Read packets from <file> (- for stdin)
-b <address>  Limit the operations to the given BSSID
-x <address>  Exclude the given station from the operations
-2            Settle for the first two handshake messages
-3            Settle for the first three handshake messages
-w <file>     Write packets to <file> (- for stdout)
-g            Also dump multicast and broadcast traffic
-v            Print verbose messages to stderr (toggle with SIGUSR1)


Examples 

ºPut the network interface in RFMON mode on channel 6 and save the traffic gathered from the stations associated to a specific access point: 


zizzania -i wlan0 -c 6 -b AA:BB:CC:DD:EE:FF -w out.pcap  

ºPassively analyze the traffic generated by any station on the current channel assuming that the network interface is already RFMON mode: 

zizzania -i wlan0 -n  

ºStrip unnecessary frames from a pcap file (excluding altogether the traffic generated by one particular station) considering an handshake complete after just the first two messages (which should be enough for unicast traffic decryption): 

zizzania -r in.pcap -x 00:11:22:33:44:55 -w out.pcap  

Use airdecap-ng to decrypt a pcap file created by zizzania: 

airdecap-ng -b AA:BB:CC:DD:EE:FF -e SSID -p passphrase out.pcap  

Dependencies 

ºSCons
ºlibpcap
ºuthash

Debian-based 

sudo apt-get install scons libpcap-dev uthash-dev  

Mac OS X ( Homebrew ) 

brew install scons libpcap clib  clib install troydhanson/uthash  # from this directory  

Or as an alternative to clib just throw uthash.h in any valid headers search path. 

Build 

make  

The install process is not mandatory, zizzania can be run from the src directory. Just in case: 

make install  make uninstall  

Mac OS X support 


In order to sniff packets live and to perform the deauthentication phase zizzania requires that the network interface/driver supports RFMON mode and injection. This is known to be troublesome with Mac OS X and hence it is not directly supported by zizzania. 

Download Zizzania

Read More

SQL Injection Fuzzer - sqlifuzzer

sqlifuzzer is a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.

Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.

SQL Injection Fuzzer Features:

ºPayloads/tests for numeric, string, error and time-based SQL injection
ºSupport for MSSQL, MYSQL and Oracle DBMS’s
ºA range of filter evasion options:
case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
ºORDER BY and UNION SELECT tests on vulnerable parameters to:
ºenumerate select query column numbers
ºidentify data-type string columns in select queries
ºextract database schema and configuration information
ºConditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
ºTime delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
ºBoolean response-based XPath injection testing and data extraction
ºSupport for automated detection and testing of parameters in POST URIs and multipart forms
ºScan ‘state’ maintenance:
ºHalt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
ºSpecify a specific request number to resume a scan from
ºOptional exclusion of a customizable list of parameters from scanning scope
ºTracking of parameters scanned and avoidance of re-scanning scanned parameters
ºHTML format output with:
ºlinks/buttons to send Proof of Concept SQL injection requests
ºlinks to response difference files and to extracted data


 What do I need to use sqlifuzzer?

sqlifuzzer is built and tested on BackTrack. On all other platforms Your Mileage May Vary; you will need a an OS that can support bash (*nix, cygwin (not tested), etc), curl must be installed and in your path, and ‘replace’ (which is missing from Ubuntu) must also be installed in in your path. Until I implement web spider functionality, sqlifuzzer is dependent upon burp proxy to create log files (not burp state files) which sqlifuzzer uses to build its internal list of fuzz requests. The free version of burp can be used to create these log files. Within Burp go to options > misc and check the proxy requests tick box; browse the target site, populate your log, then pass it to sqlifuzzer.

How does sqlifuzzer work?

sqlifuzzer receives a burp log (which you must create for it) that specifies a bunch of HTTP requests. Requests in the burp log look like this:

======================================================
3:09:54 PM  http://192.168.182.136:80
======================================================
POST /orangehrm/menu.php?TEST=1111 HTTP/1.1
Host: 192.168.182.136
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.182.136/orangehrm/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Cookie: PHPSESSID=bf7u0ad95cbubpcvdjda2bqro3; Loggedin=True; EliteNinja=False

module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
======================================================

sqlifuzzer converts these into it’s own format; a list of all the requests like this:


GET /orangehrm/menu.php?TEST=1111
POST /orangehrm/menu.php?TEST=1111??module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
GET /orangehrm/index.php?module=Contacts&action=index&return_module=Contacts&return_action=DetailView&&print=true
GET /orangehrm/index.php?module=Home&menu_no=0&menu_no_top=home&submenutop=home1


Next, sqlifuzzer looks at what payload types have been specified, and concatenates the relevant files to create a payload list. The list of requests and the payload list are then passed into the main scanning loop. The loop sends a ‘clean’ reference request (by calling out to curl), then, for the first line in the request list, the loop selects the first parameter and replaces this with the first payload and sends the fuzzed request (again via curl). The two responses are then compared; specifically, the response length and the duration of the responses are compared, the response HTTP status codes are examined, and the responses are searched for some common error strings. If anything ‘juicy’ is found, URL and payload information is logged to an output file and printed to the screen. The loop iterates through all payloads before moving on to the next parameter, and so on for each request.

Why was sqlifuzzer created?


Ever wanted to hit every dynamic parameter of a web app with a single quote? That’s how sqlifuzzer started out. At first, it just compared the response lengths. Then I added the ability to iterate over a list of payloads. Then came POST requests, URL encoding, time delay diffing, searching for common error messages, logging, sessions, the ability to define parameters NOT to scan, method swapping, null byte prefixes, POST URIs, DBMS fingerprinting, data extraction, conditional testing, filter evasion options, boolean response-based XPath injection detection and data extraction and support for multipart forms.

Download sqlifuzzer

Read More

Open Source Web Server Scanner - NIkto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.


Open Source Web Server Scanner

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Open Source Web Server Scanner: NIkto documentation Open Source Web Server Scanner Open Source Web Server Scanner



Features

Here are some of the major features of Nikto.

ºSSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
Perl/NetSSL)
ºFull HTTP proxy support
ºChecks for outdated server componentsOpen Source Web Server Scanner: NIkto Open ºSource Web Server Scanner Open Source Web Server Scanner
ºSave reports in plain text, XML, HTML, NBE or CSV
ºTemplate engine to easily customize reports
ºScan multiple ports on a server, or multiple servers via input file (including nmap output)
ºLibWhisker‘s IDS encoding techniques
ºEasily updated via command line
ºIdentifies installed software via headers, favicons and files
ºHost authentication with Basic and NTLM
ºSubdomain guessing
ºApache and cgiwrap username enumeration
ºMutation techniques to “fish” for content on web servers
ºScan tuning to include or exclude entire classes of vulnerability
ºchecks
ºGuess credentials for authorization realms (including many default id/pw combos)
ºAuthorization guessing handles any directory, not just the root
directory
ºEnhanced false positive reduction via multiple methods: headers,
page content, and content hashing
ºReports “unusual” headers seen
ºInteractive status, pause and changes to verbosity settings
ºSave full request/response for positive tests
ºReplay saved positive requests
ºMaximum execution time per target
ºAuto-pause at a specified time
ºChecks for common “parking” sites
ºLogging to Metasploit
ºThorough documentation

Download NIkto

Read More