Debugging Tools for Windows - WinDbg

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft.[1] Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode. Like the better-known Visual Studio Debugger it has a graphical user interface (GUI), but is more powerful and has little else in common.

WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death which occurs when a bug check is issued.[2] It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.[3]

WinDbg can automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single or multiprocessor version) via SymSrv (SymSrv.dll),[4] instead of the more time-consuming task of creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need for finding and installing specific symbols version on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs).[5]

Recent versions of WinDbg have been and are being distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging back-end between WinDbg and command line debugger front-ends like KD, CDB, and NTSD. Most commands can be used as is with all the included debugger front-ends.

Download WinDbg 

Read More

PE Tools v1.5

New in this version:

ºAdded Generic OEP Finder
ºDumpFixer added to Section Editor
ºNew signatures added (Tnx: .Cryorb/dyn!o/DeMoNiX/Aster!x/FEUERRADER)
ºPE Sniffer code is optimized
ºAbility to increment SizeOfHeaders added
ºNew plugin added - Recover UPX by Quantum
ºAdded ToolBar
ºAll options are saved in INI file now
ºControl elements are changed a little in Sections Editor and Directory Editor
ºExamples of plugins in MASM32/Delphi are added to SDK
ºSignature creation utility (SignMan) is now distributed along with the main package
ºPE Tools won't allow to edit IMAGE_DOS_HEADER if offset on ºIMAGE_OPTIONAL_HEADER is less than size of IMAGE_DOS_HEADER
ºNew version of update module (UUpdateSystem.dll)
ºMMF functions are re-written
ºBug in File Location Calculator removed (Tnx: cyberbob)
ºBug in Kill Section (from file) removed
ºSmall bug in process dumper is removed
ºBug in Task Viewer removed
ºBug in Break & Enter removed
ºBug with options saving is removed
ºPE Tools now works fine on Win95 (Tnx: Lepton)
ºSections processing algorithm is significantly changed


Description:

This is a fully-functional utility for working with PE/PE +(64bit) files. Including: Editor PE of files, Task Viewer, Win32 PE files optimizer, detector of compiler/packer and many other things.

The basic functions of the program:

ºTask Viewer
ºProcess dump
ºDump Full
ºDump Partial
ºDump Region
ºAbility to dump .NET CLR processes
ºAutomatic removal of protection " Anti Dump Protection "
ºChange of a priority of process
ºKill process
ºLoading of process into PE Editor and PE Sniffer
ºGeneric OEP Finder
ºPE Sniffer
ºSearch of the compiler/packer used
ºAbility to update signature base
ºAbility to scan directories
ºPE Rebuilder
ºOptimization of a PE file
ºChange of PE address base of a file
ºPE Editor
ºEditing of DOS heading
ºSupport of new PE+(64bit) format
ºCRC correction
ºViewing and editing tables of import/export

Download PE Tools

Read More

System monitoring and debugging suite - Windows Sysinternals

Windows Sysinternals is a comprehensive suite of tools that can be used to debug, analyze, and monitor applications running on windows and even Windows operating system itself. An example of one of the more powerful tools in the suite is the Process Explorer which reports all of the files, directories, and programs that an application accesses during its execution.

Download Windows Sysinternals 

Read More

The GNU Project Debugger - GDB

The GNU Debugger, usually called just GDB and named gdb as an executable file, is the standard debugger for the GNU operating system. However, its use is not strictly limited to the GNU operating system; it is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, C, C++, Objective-C, Free Pascal, Fortran, Java[1] and partially others

Download GDB 

Read More

Immunity debugger

A debugger or debugging tool is a computer program that is used to test and debug other programs (the "target" program). The code to be examined might alternatively be running on an instruction set simulator (ISS), a technique that allows great power in its ability to halt when specific conditions are encountered. but which will typically be somewhat slower than executing the code directly on the appropriate (or the same) processor. Some debuggers offer two modes of operation—full or partial simulation—to limit this impact.

A "trap" occurs when the program cannot normally continue because of a programming bug or invalid data. For example, the program might have tried to use an instruction not available on the current version of the CPU or attempted to access unavailable or protected memory. When the program "traps" or reaches a preset condition, the debugger typically shows the location in the original code if it is a source-level debugger or symbolic debugger, commonly now seen in integrated development environments. If it is a low-level debugger or a machine-language debugger it shows the line in the disassembly (unless it also has online access to the original source code and can display the appropriate section of code from the assembly or compilation).

Download Immunity debugger 

Read More

Debugger - Ollydbg

OllyDbg (named after its author, Oleh Yuschuk) is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a friendly interface, and its functionality can be extended by third-party plugins. Version 1.10 is the final 1.x release. Version 2.0 was released in June 2010, and OllyDbg has been rewritten from the ground up in this release. The software is free of cost, but the shareware license requires users to register with the author.[1] Although the current version of OllyDbg cannot disassemble binaries compiled for 64-bit processors, a 64-bit version of the debugger has been promised

Reverse engineering

OllyDbg is often used for reverse engineering of programs.[3] It is often used by crackers to crack software made by other developers. For cracking and reverse engineering, it is often the primary tool because of its ease of use and availability; any 32-bit executable can be used by the debugger and edited in bitcode/assembly in realtime.[4] It is also useful for programmers to ensure that their program is running as intended, and for malware analysis purposes.

Download Ollydbg

Read More

Interactive Disassembler - IDA

IDA (or the Interactive DisAssembler) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost. The latest full version of IDA Pro is commercial; while an earlier and less capable version is available for download free of charge (version 5.0 as of March 2015)

Download IDA

Read More

Popular SQLi and Pentesting Scanner - V3n0M-Scanner

V3n0M runs on Python3 [Live Project - Readding old features back in and improved for Python3]

v3n0m is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve fuctionality and usability. It is mostly experimental software.

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds.

PyPi:

You can now install the software via pip install V3n0m
Always verify the PGP signature of the package:

gpg: Signature made Fri 18 Jul 2014 02:59:48 AM UTC
gpg:                using RSA key 0x8F2B5CBD711F1326
gpg: Good signature from "Grand Architect <unload@cryptolab.net>"

Use at your own risk.

Very useful for executing:

• Metasploit Modules Scans
• SQL Injection Vuln Scanner[SQLi]
• Extremely Large D0rk Target Lists
• FTP Crawler
• DNS BruteForcer

What You Hold:

A modified smartd0rk3r

• Brand new, just outta the box!
• Largest and most powerful d0rker online, 18k+d0rks searched over ~ Engines at once.
• Free and Open /src/
• CrossPlatform Python based toolkit
• Version 4.0.1 Released on 7th Jan 2016
• Licensed under GPLv2
• Tested on: Linux 4.3.1 Ubuntu/Debian, CentOS 6 (with some errors), Win7 (with some errors)

Usage:

root@bt:~# python3 v3n0m.py

Now you may follow the simple prompts.

[0x100] Choose your target (domain) :
        Example : .com
        AND
        it is necessary to add you can also use a specific website (www.example.com)

[0x200] Choose the number of random dorks (0 for all.. may take awhile!) :
        Example : 0 = This will choose all of the XSS, File Inclusion, RCE and SQLi dorks

[0x300] Choose the number of threads :
        Example : 50

[0x400] Enter the number of pages to search through :
        Example : 50

    The program will print out your desired settings and start searching.
    It then creates files for the collected and valid URLs for later.
    It takes a while to scan because it utilizes either TOR, which you can specify
    if you wish to do so, or regular HTTP requests over a long period of time.

    After a while, it will feed you the percentage of the scan until completion.
    At this point, it will have saved the valid URLs in the files it created earlier.
    The program utilizes over 10k dorks now, be careful how you use them!
    Enjoy. :]
                                                            ~/ Dev Team

Contact Information:

[ NovaCygni ] - 
[ Architect ] - 

Original Header:

- This was written for educational purpose and pentest only. Use it at your own risk.
- Author will be not responsible for any damage!
- !!! Special greetz for my friend sinner_01 !!!
- Toolname        : darkd0rk3r.py
- Coder           : baltazar a.k.a b4ltazar <b4ltazar@gmail.com>
- Version         : 1.0
- greetz for all members of ex darkc0de.com, ljuska.org

New To This Addition:

---To be Done --Partially implemented -Done
- Upgrade to Python3 from Python2
--- Redo LFI/RFI attack method
--- Automate scanning sites with findable admin pages and add to seperate list
--- Redo Metasploit Scans
--- Add default attack option for DB types, automate injection and upload shell or enable RDP.
-- Perfect SQLi Vuln detection and add options for saving/searching specific DB types
-- Starting upgrade for Search engines
--- Implement SQLi D0rk Seed Generation option
--- Implement Metasploit Exploits scan / Nmap style option + Dork option

Download V3N0M-Scanner

Read More

Tool To Compares A Targets Patch Levels Against The Microsoft Vulnerability Database - Windows-Exploit-Suggester

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

It was heavily inspired by Linux_Exploit_Suggester by Pentura.

Blog Post:"Introducing Windows Exploit Suggester", https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html

USAGE

update the database

$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done

install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done

possible exploits for an operating system can be used without hotfix data

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

LIMITATIONS

Currently, if the 'systeminfo' command reveals 'File 1' as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the --hotfixes flag

It currently does not seperate 'editions' of the Windows OS such as 'Tablet' or 'Media Center' for example, or different architectures, such as Itanium-based only

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the 'File 1' output, try executing 'wmic qfe list full' and feed that as input with the --hotfixes flag, along with the 'systeminfo'

Download Windows-Exploit-Suggester

Read More