Thủ Phủ Hacker Mũ Trắng Buôn Ma Thuột

Chương trình Đào tạo Hacker Mũ Trắng Việt Nam tại Thành phố Buôn Ma Thuột kết hợp du lịch. Khi đi là newbie - Khi về là HACKER MŨ TRẮNG !

Hacking Và Penetration Test Với Metasploit

Chương trình huấn luyện sử dụng Metasploit Framework để Tấn Công Thử Nghiệm hay Hacking của Security365.

Tài Liệu Computer Forensic Của C50

Tài liệu học tập về Truy Tìm Chứng Cứ Số (CHFI) do Security365 biên soạn phục vụ cho công tác đào tạo tại C50.

Sinh Viên Với Hacking Và Bảo Mật Thông Tin

Cuộc thi sinh viên cới Hacking. Với các thử thách tấn công trang web dành cho sinh viên trên nền Hackademic Challenge.

Tấn Công Và Phòng Thủ Với BackTrack / Kali Linux

Khóa học tấn công và phòng thủ với bộ công cụ chuyên nghiệp của các Hacker là BackTrack và Kali LINUX dựa trên nội dung Offensive Security

Sayfalar

[CookieCatcher] Session Hijacking Tool


CookieCatcher is an open source application which was created to assist in the exploitation of XSS (Cross Site Scripting) vulnerabilities within web applications to steal user session IDs (aka Session Hijacking). The use of this application is purely educational and should not be used without proper permission from the target application.

Features:
- Prebuilt payloads to steal cookie data
- Just copy and paste payload into a XSS vulnerability
- Will send email notification when new cookies are stolen
- Will attempt to refresh cookies every 3 minutes to avoid inactivity timeouts
- Provides full HTTP requests to hijack sessions through a proxy (BuRP, etc)
- Will attempt to load a preview when viewing the cookie data
- PAYLOADS
- Basic AJAX Attack
- HTTPONLY evasion for Apache CVE-20120053
- More to come

Video Demo: http://www.youtube.com/watch?v=2GH6RRozOpY


[Resolver v1.0.9] The reverse/bruteforce DNS lookup

Resolver is a windows based tool which designed to preform a reverse DNS Lookup for a given IP address or for a range of IP’s in order to find its PTR. Updated to Version 1.0.3 added dns records brute force.



Resolver features:
  • Resolve a Single IP
  • Resolve an IP Range
  • Resolve IP’s provided in a text file
  • Export Results to a text file
  • Copy results to Clipboard
  • DNS Records brute force

[Process Magic v2.0] Command-line Tool to Hide Windows Application or Launch New Process in Hidden Mode


Process Magic is the command-line tool to Hide any Windows application or launch new application in Hidden or Invisible mode.


In addition to hiding any Windows process, it also allows you to Unhide any previously Hidden application.
Note that it hides the application by hiding its main window. So it will be seen in Task Manager or any process listing tools.

It will be ideal when you want to hide your application from other users to prevent it from being killed or just run a process in the background silently.

Being command-line tool makes it easy to use in your automation scripts and also suitable to operate on other systems remotely.

[Wi-fEye] Automated Network Testing Tool


Wi-fEye is an automated wirelress penetration testing tool written in python , its designed to simplify common attacks that can be performed on wifi networks so that they can be executed quickly and easily.

Wifi has three main menus :

  1. Cracking menu: contains attacks that could allow us to crack wifi passwords weather is WEP , WPA or WPA2:
    • Enable monitor mode
    • View avalale Wireless Networks
    • Launch Airodump-ng on a specific AP
    • WEP cracking: here you can perform a number of attacks to crack WEP passwords :
      • Interactive packet replay.
      • Fake Authentication Attack.
      • Korek Chopchop Attack.
      • Fragmentation Attack.
      • Hirte Attack (cfrag attack).
      • Wesside-ng.
  2. WPA Cracking: here you can perform a number of attacks to crack WPA passwords , this menu is devided into two sections:
    • launch a brute force attack against a WPS-enabled network to crack WPA/WPA2 without a dictionary.
    • Obtain handshake: This will automatically attempt to obtain the handshake
    • Cracking: After obtaining the handshake or if you have the handshake ready then you can attempt to crack it in this section , you can choose to use you wordlist straight away with aircrack-ng or you can add to a table and then crack the password.
  3. MITM: this menu will allow you to do the following Automatically:
    • Enable IP forwarding.
    • ARP Spoof.
    • Launch ettercap (Text mode).
    • Sniff SSL/HTTPS traffic.
    • Sniff URLs and send them to browser.
    • Sniff images.
    • DNS Spoof.
    • HTTP Session Hijacking (using Hamster).
  4. Others: this menu will allow you to o the following automatically:
    • Change MAC Address.
    • Create a fake access point.
    • Hijack software updates (using Evilgrade).

Platforms supported:

Wi-fEye is written in Python and should run on any UNIX based platform with a Python interpreter, as long as all needed modules and programs have been installed. So far it has been successfully tested on:
  • Linux
  • FreeBSD

[Linux Exploit Suggester] Grab the Linux Operating Systems release version, and return a suggestive list of possible exploits

Linux Exploit Suggester; based on operating system release number.

This program run without arguments will perform a 'uname -r' to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script.

Additionally possible to provide '-k' flag to manually enter the Kernel Version/Operating System Release Version.

This script has been extremely useful on site and in exams. Now Open-sourced under GPLv2.

Sample Output
$ perl ./Linux_Exploit_Suggester.pl -k 3.0.0

Kernel local: 3.0.0

Possible Exploits:
[+] semtex
CVE-2013-2094
Source: www.exploit-db.com/download/25444/‎
[+] memodipper
CVE-2012-0056
Source: http://www.exploit-db.com/exploits/18411/
[+] perf_swevent
CVE-2013-2094
Source: http://www.exploit-db.com/download/26131
$ perl ./Linux_Exploit_Suggester.pl -k 2.6.28

Kernel local: 2.6.28

Possible Exploits:
[+] sock_sendpage2
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[+] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787/
[+] reiserfs
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130/
[+] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150/
[+] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408/
[+] half_nelson
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/6851
[+] udev
Alt: udev <1.4.1 CVE-2009-1185
Source: http://www.exploit-db.com/exploits/8478
[+] do_pages_move
Alt: sieve CVE-2010-0415
Source: Spenders Enlightenment
[+] pipe.c_32bit
CVE-2009-3547
Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[+] exit_notify
Source: http://www.exploit-db.com/exploits/8369
[+] can_bcm
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814/
[+] ptrace_kmod2
Alt: ia32syscall,robert_you_suck CVE-2010-3301
Source: http://www.exploit-db.com/exploits/15023/
[+] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787/
[+] sock_sendpage
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[+] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024/

[Hidden File Finder v2.5] Tool to Find and Unhide/Remove all the Hidden Files


Hidden File Finder is the free software to quickly scan and discover all the Hidden files on your Windows system.

It performs swift multi threaded scan of all the folders parallely and quickly uncovers all the hidden files. It automatically detects the Hidden Executable Files (EXE, DLL, COM etc) and shows them in red color for easier identification. Similarly 'Hidden Files' are shown in black color and 'Hiddden Folders' are shown in blue color.

One of its main feature is the Unhide Operation. You can select one or all of the discovered Hidden files and Unhide them with just a click. Successful 'Unhide operations' are shown in green background color while failed ones are shown in yellow background.

New version v2.0 features Settings dialog to fine tune the scanning operation. Also added right click context menu to quickly perform tasks such as Unhide, Delete, Open, Scan Online using Google Search/VirusTotal etc.

It is very easy for any user with its cool GUI interface. Particularly, more useful for Penetration testers and Forensic investigators.

[oclHashcat-plus v0.15] Advanced Password Recovery



This version is the result of over 6 months of work, having modified 618,473 total lines of source code.

Before we go into the details of the changes, here's a quick summary of the major changes:
  • Added support for cracking passwords longer than 15 characters
  • Added support for mask-files, which enables password policy-specific candidate generation using PACK
  • Added support for multiple dictionaries in attack modes other than straight mode
  • Rewrote workload dispatcher from scratch
  • Rewrote restore support from scratch
  • Rewrote kernel scheduler to reduce screen lags
  • Better handling of smaller workloads/dictionaries
  • Language-specific charset presets for use with masks

New supported algorithms:
  • TrueCrypt 5.0+
  • 1Password
  • Lastpass
  • OpenLDAP {SSHA512}
  • AIX {SMD5} and {SSHA*}
  • SHA256(Unix) aka sha256crypt
  • MacOSX v10.8
  • Microsoft SQL Server 2012
  • Microsoft EPi Server v4+
  • Samsung Android Password/PIN
  • GRUB2
  • RipeMD160, Whirlpool, sha256-unicode, sha512-unicode, ...

New supported GPUs:

NVidia:
  • All sm_35-based GPUs
  • GTX Titan
  • GTX 7xx
  • Tesla K20

AMD:
  • All Caicos, Oland, Bonaire, Kalindi and Hainan -based GPU/APU
  • hd77xx
  • hd8xxx

And last but not least, lots of bugs have been fixed. For a full list, see the changelog below.


[Network Password Decryptor v6.0] Windows Network Password Recovery Tool


Network Password Decryptor is the free tool to instantly recover network authentication passwords.

In addition to the network authentication passwords it can also recover passwords stored by other windows apps such as Outlook, Windows Live Messenger, Remote Destktop etc.

These network passwords are stored in encrypted format and even administrator cannot view these passwords. Also some type of passwords cannot be decrypted even by administrators as they require special privileges. Network Password Decryptor automatically detect and decrypt all these stored network passwords.

11 Firefox Add-ons to Hack and PenTest

1. Tamper Data
Tamper data is an great tool to to view and modify HTTP/HTTPS headers and post parameters. We can alter each request going from our machine to destination host with this. Thus it helps in security testing web application by modifying POST parameters. It can be used in performing XSS and SQL Injection attacks by modifying header data.
Add Tamper data to Firefox:

2. Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you can edit and debug HTML, CSS and JavaScript live in any webpage to see the effect of changes. It helps in analyzing JS files to find XSS vulnerabilities. It’s an really helpful add-on in finding DOM based XSS for security testing professionals.
Add firebug to your browser :


3. Hackbar
Hackbar is a simple penetration tool for Firefox. It helps in testing simple SQL injection and XSS holes. You cannot execute standard exploits but you can easily use it to test whether vulnerability exists or not. You can also manually submit form data with GET or POST requests. It also has encryption and encoding tools. Most of the times, this tool helps in testing XSS vulnerability with encoded XSS payloads. It also supports keyboard shortcuts to perform various tasks.I am sure, most of the persons in the security field already know about this tool. This tool is mostly used in finding POST XSS vulnerabilities because it can send POST data manually to any page you like. With the ability of manually sending POST form data, you can easily bypass client side validations of the page. If your payload is being encoded at client side, you can use an encoding tool to encode your payload and then perform the attack. If the application is vulnerable to the XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on on Firefox browser.
Add Hackbar to Firefox:

4. Cookies Manager +
Cookie Manager is one of the greatest tool ever made. Using this tool you can actually play with cookies. You can alter almost all cookie using this tool. You can use Cookies manager to view, edit and create new cookies. It also shows extra information about cookies, allows edit multiple cookies at once and backup/restore them.
Add Cookies Manager to Firefox:

5. NoScript
No Script add-ons greatness is beyond imagination. With this tool you can monitor each an every script running on website, you can block any of scripts and see what actually that scripts does on website. But this add-on is for experts, newbies will face problems using this. Note: If you are testing XSS, HTTPS header modifications, Injection attacks on any website you need to disable this plugin because it will not allow you to do so. 
Add NoScript to Firefox:

6. Grease Monkey
Grease Monkey is an counter part of No Script, its actually behaves opposite of Noscript. We use Noscript to block the scripts and use GreaseMonkey to run the scripts. It allows you to customize the way a web page displays or behaves, by using small bits of JavaScript. 
Add Grease Monkey to Firefox :

7. User Agent Switcher
User Agent Switcher add-on; adds a one click user agent switch to the browser. It adds a menu and tool bar button in the browser. Whenever you want to switch the user agent, use the browser button. User Agent add on helps in spoofing the browser while performing some attack.
Add user agent Switcher to Firefox:

8. CryptoFox
CryptoFox is an encryption or decryption tool for Mozilla Firefox. It supports most of the available encryption algorithm. So, you can easily encrypt or decrypt data with supported encryption algorithm. This add-on comes with dictionary attack support, to crack MD5 cracking passwords. Although, it hasn’t have good reviews, it works satisfactorily.
Add CryptoFox to Firefox:

9. SQL Inject Me
SQL Inject Me is another nice Firefox add-on used to find SQL injection vulnerabilities in web applications. This tool does not exploit the vulnerability but display that it exists. SQL injection is one of the most harmful web application vulnerabilities, it can allow attackers to view, modify, edit, add or delete records in a database.The tool sends escape strings through form fields, and tries to search database error messages. If it finds a database error message, it marks the page as vulnerable. Hackers can use this tool for SQL injection testing.
Add SQL Inject Me to Firefox:

10.  XSS ME
Cross Site Scripting is the most found web application vulnerability. For detecting XSS vulnerabilities in web applications, this add-on can be a useful tool. XSS-Me is used to find reflected XSS vulnerabilities from a browser. It scans all forms of the page, and then performs an attack on the selected pages with pre-defined XSS payloads. After the scan is complete, it lists all the pages that renders a payload on the page, and may be vulnerable to XSS attack. Now, you can manually test the web page to find whether the vulnerability exists or not.
Add XSS ME to Firefox:

11.  Passive Recon
Last but not the least. Passive recon is a good information gathering tool. 
PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information. It gathers information like DnsStuff tool available on backtrack.
Add Passive Recon to Firefox:

[GoLismero v2.0] The Web Knife

GoLismero is an open source framework for security testing. It's currently geared towards web security, but it can easily be expanded to other kinds of scans.

The most interesting features of the framework are:

  • Real platform independence. Tested on Windows, Linux, *BSD and OS X.
  • No native library dependencies. All of the framework has been written in pure Python.
  • Good performance when compared with other frameworks written in Python and other scripting languages.
  • Very easy to use.
  • Plugin development is extremely simple.
  • The framework also collects and unifies the results of well known tools: sqlmap, xsser, openvas, dnsrecon, theharvester...
  • Integration with standards: CWE, CVE and OWASP. 

[Yersinia v0.7.3] The network protocols assessment tool


Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Currently, there are some network protocols implemented, but others are coming (tell us which one is your preferred). Attacks for the following network protocols are implemented (but of course you are free for implementing new ones):

  • Spanning Tree Protocol (STP)
  • Cisco Discovery Protocol (CDP)
  • Dynamic Trunking Protocol (DTP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Hot Standby Router Protocol (HSRP)
  • IEEE 802.1Q
  • IEEE 802.1X
  • Inter-Switch Link Protocol (ISL)
  • VLAN Trunking Protocol (VTP)


Changelog

  • Fixed our pretty big issue with network interfacces under Linux. :)
  • Fixed pcap_compile error.
  • Refactoring a little bit of interfaces.c

[Router Password Decryptor] Tool to Recover Login/PPPoE/WEP/WPA/WPA2 Passwords from Router/Modem Config file


Router Password Decryptor is the FREE tool to instantly recover internet login/PPPoE authentication passwords, Wireless WEP keys, WPA/WPA2 Passphrases from your Router/Modem configuration file.

Currently it supports password recovery from following type of Routers/Modems:
  • Cisco
  • Juniper
  • DLink
  • BSNL
In addition to this, it also has unique 'Smart Mode' feature (experimental) to recover passwords from any type of Router/Modem configuration file. It detects various password fields from such config file (XML only) and then automatically try to decrypt those passwords.

It also has quick link to Base64 Decoder which is useful in case you have found Base64 encoded password (ending with =) in the config file and automatic recovery is not working.

It is very easy to use tool with its cool GUI interface. Administrators & Penetration Testers will find it more useful to recover login passwords as well as wireless keys from the router configuration files.

[Nmap v6.40] Free Security Scanner For Network Exploration & Security Audits

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping)

Changelog v6.40
o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
--sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
redirecting all stdin and stdout operations to the socket connection. See
http://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]

o Integrated all of your IPv4 OS fingerprint submissions since January
(1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
Many existing fingerprints were improved. Highlights:
http://seclists.org/nmap-dev/2013/q2/519. [David Fifield]

o Integrated all of your service/version detection fingerprints submitted
since January (737 of them)! Our signature count jumped by 273 to 8,979.
We still detect 897 protocols, from extremely popular ones like http, ssh,
smtp and imap to the more obscure airdroid, gopher-proxy, and
enemyterritory. Highlights: http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're still
low on IPv6 fingerprints, so please scan any IPv6 systems you own or
administer and submit them to http://nmap.org/submit/. Both new
fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
guesses wrong) are useful. [David Fifield]

o [Nsock] Added initial proxy support to Nsock. Nmap version detection
and NSE can now establish TCP connections through chains of one or
more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
chain of one or more proxies as the argument (example:
http://localhost:8080,socks4://someproxy.example.com). Note that
only version detection and NSE are supported so far (no port
scanning or host discovery), and there are other limitations
described in the man page. [Henri Doreau]

o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
They are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

+ hostmap-ip2hosts finds hostnames that resolve to the target's IP address
by querying the online database at http://www.ip2hosts.com (uses Bing
search results) [Paulino Calderon]

+ http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
bypass vulnerability in Adobe Coldfusion servers (APSA13-01:
http://www.adobe.com/support/security/advisories/apsa13-01.html) to
retrieve a valid administrator's session cookie. [Paulino Calderon]

+ http-coldfusion-subzero attempts to retrieve version, absolute path of
administration panel and the file 'password.properties' from vulnerable
installations of ColdFusion 9 and 10. [Paulino Calderon]

+ http-comments-displayer extracts and outputs HTML and JavaScript
comments from HTTP responses. [George Chatzisofroniou]

+ http-fileupload-exploiter exploits insecure file upload forms in web
applications using various techniques like changing the Content-type
header or creating valid image files containing the payload in the
comment. [George Chatzisofroniou]

+ http-phpmyadmin-dir-traversal exploits a directory traversal
vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
retrieve remote files on the web server. [Alexey Meshcheryakov]

+ http-stored-xss posts specially crafted strings to every form it
encounters and then searches through the website for those strings to
determine whether the payloads were successful. [George Chatzisofroniou]

+ http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
object injection, remote command executions and denial of service
attacks. (CVE-2013-0156) [Paulino Calderon]

+ ike-version obtains information (such as vendor and device type where
available) from an IKE service by sending four packets to the host.
This scripts tests with both Main and Aggressive Mode and sends multiple
transforms per request. [Jesper Kueckelhahn]

+ murmur-version detects the Murmur service (server for the Mumble voice
communication client) versions 1.2.X. [Marin Maržić]

+ mysql-enum performs valid-user enumeration against MySQL server using a
bug discovered and published by Kingcope
(http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]

+ teamspeak2-version detects the TeamSpeak 2 voice communication server
and attempts to determine version and configuration information. [Marin
Maržić]

+ ventrilo-info detects the Ventrilo voice communication server service
versions 2.1.2 and above and tries to determine version and
configuration information. [Marin Maržić]

o Updated the Nmap license agreement to close some loopholes and stop some
abusers. It's particularly targeted at companies which distribute
malware-laden Nmap installers as we caught Download.com doing last
year--http://insecure.org/news/download-com-fiasco.html. The updated
license is in the all the normal places, including

https://svn.nmap.org/nmap/COPYING.
o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If
you ran the (fortunately non-default) http-domino-enum-passwords script
with the (fortunately also non-default) domino-enum-passwords.idpath
parameter against a malicious server, it could cause an arbitrarily named
file to to be written to the client system. Thanks to Trustwave researcher
Piotr Duszynski for discovering and reporting the problem. We've fixed
that script, and also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our record
of never having a vulnerability in the 16 years that Nmap has existed, but
that's still a fairly good run! [David, Fyodor]

o Unicast CIDR-style IPv6 range scanning is now supported, so you can
specify targets such as en.wikipedia.org/120. Obviously it will take ages
if you specify a huge space. For example, a /64 contains
18,446,744,073,709,551,616 addresses. [David Fifield]

o It's now possible to mix IPv4 range notation with CIDR netmasks in target
specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
same as 192.168.168-170.0-255.0-255. [David Fifield]

o Timeout script-args are now standardized to use the timespec that Nmap's
command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
previously took an integer number of milliseconds will now treat that as a
number of seconds if not explicitly denoted as ms. [Daniel Miller]

o Nmap may now partially rearrange its target list for more efficient
host groups. Previously, a single target with a different interface,
or with an IP address the same as a that of a target already in the
group, would cause the group to be broken off at whatever size it
was. Now, we buffer a small number of such targets, and keep looking
through the input for more targets to fill out the current group.
[David Fifield]

o [Ncat] The -i option (idle timeout) now works in listen mode as well as
connect mode. [Tomas Hozza]

o [Ncat] Ncat now support chained certificates with the --ssl-cert
option. [Greg Bailey]

o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
receiving crosstalk from other ping programs running at the same
time. [David Fifield]

o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
prefix fec0::/10 to be private. [Marek Majkowski]

o Nmap's routing table is now sorted first by netmask, then by metric.
Previously it was the other way around, which could cause a very general
route with a low metric to be preferred over a specific route with a
higher metric.

o Routes are now sorted to prefer those with a lower metric. Retrieval of
metrics is supported only on Linux and Windows. [David Fifield]

o Fixed a byte-ordering problem on little-endian architectures when doing
idle scan with a zombie that uses broken ID increments. [David Fifield]

o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
Gustavo Moreira. [Henri Doreau]

o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
network mask. Based on a patch by Indula Nayanamith.

o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
stay within platform limitations. Suggested by Andrey Olkhin.

o Fixed IPv6 routing table alignment on NetBSD.
o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
people's name properly, even if they use crazy non-ASCII characters like
Marin Maržić. [David Fifield]

o UDP protocol payloads were added for detecting the Murmer service (a
server for the Mumble voice communication client) and TeamSpeak 2 VoIP
software.

o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
was reported to break on -current as of May 2013. [Giovanni Bechis]

o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
o Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber. [Daniel Miller]

o [Zenmap] Improved internationalization support:
+ Added Polish translation by Jacek Wielemborek.
+ Updated the Italian translation. [Giacomo]

o [Zenmap] Fixed internationalization files. Running in a language other
than the default English would result in the error "ValueError: too many
values to unpack". [David Fifield]

o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
Donnelly]

o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
o [NSE] Updated the redis-brute and redis-info scripts to work against the
latest versions of redis server. [Henri Doreau]

o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
o [NSE] Updated hostmap-bfk to work with the latest version of their website
(bfk.de). [Paulino Calderon]

o [NSE] Added XML structured output support to:
+ xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
+ hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
+ http-git.nse. [Alex Weber]

o Added new service probes for:
+ Erlang distribution nodes [Michael Schierl]
+ Minecraft servers. [Eric Davisson]
+ Hazelcast data grid. [Pavel Kankovsky]

o [NSE] Rewrote telnet-brute for better compatibility with a variety of
telnet servers. [nnposter]

o Fixed a regression that changed the number of delimiters in machine
output. [Daniel Miller]

o Fixed a regression in broadcast-dropbox-listener which prevented it from
producing output. [Daniel Miller]

o Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports
will be reported as "filtered", to be consistent with existing Connect
scan results, and will have a reason of time-exceeded. DiabloHorn
reported this issue via IRC. [Daniel Miller]

o Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
changed output of some of the decoders slightly. [Patrik Karlsson]

o The list of name servers on Windows now ignores those from inactive
interfaces. [David Fifield]

o Namespace the pipes used to communicate with subprocesses by PID, to avoid
multiple instances of Ncat from interfering with each other. Patch by
Andrey Olkhin.

o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
format. Reported by Robin Wood.

o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
connect scans could write past the end of an fd_set and cause a variety of
crashes:
nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int):
Assertion `numSDs > 0' failed.
select failed in do_one_select_round(): Bad file descriptor (9)
[David Fifield]

o Fixed a bug that prevented Nmap from finding any interfaces when one of
them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
interfaces. However, This support is not complete since AppleTalk
interfaces use different size hardware addresses than Ethernet. Nmap IP
level scans should work without any problem, please refer to the
'--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2013/q1/214. This bug was reported by Steven
Gregory Johnson. [Daniel Miller]

o [Nping] Nping on Windows now skips localhost targets for privileged pings
on (with an error message) because those generally don't work. [David
Fifield]

o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
remote socket, unless --recv-only is in effect. [Tomas Hozza]

o Packet trace of ICMP packets now include the ICMP ID and sequence number
by default. [David Fifield]

o [NSE] Fixed various NSEDoc bugs found by David Matousek.
o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
environment variables. [Tyler Wagner]

o Added an ncat_assert macro. This is similar to assert(), but remains even
if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
operation with side effects outside of asserts as yet another layer of
bug-prevention [David Fifield].

o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
XSL-FO, which can be converted into PDF using tools suck as Apache FOP.

o Increased the number of slack file descriptors not used during connect
scan. Previously, the calculation did not consider the descriptors used by
various open log files. Connect scans using a lot of sockets could fail
with the message "Socket creation in sendConnectScanProbe: Too many open
files". [David Fifield]

o Changed the --webxml XSL stylesheet to point to the new location of
nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl).
It still may not work in web browsers due to same origin policy (see
http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]

o [NSE] The vulnerability library can now preserve vulnerability information
across multiple ports of the same host. The bug was reported by
iphelix. [Djalal Harouni]

o Removed the undocumented -q option, which renamed the nmap process to
something like "pine".

o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
while JA is a language code. Reported by Christian Neukirchen.

o [Nsock] Reworked the logging infrastructure to make it more flexible and
consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David
Fifield]

o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]

o Made some changes to Ndiff to reduce parsing time when dealing with large
Nmap XML output files. [Henri Doreau]

o Clean up the source code a bit to resolve some false positive issues
identified by the Parfait static code analysis program. Oracle apparently
runs this on programs (including Nmap) that they ship with Solaris. See
http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]

o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
using the window manager to close it, and opening it again. This was
reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]

o [Ncat] Made test-addrset.sh exit with nonzero status if any tests
fail. This in turn causes "make check" to fail if any tests fail.
[Andreas Stieger]

o Fixed compilation with --without-liblua. The bug was reported by Rick
Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]

o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
platforms. [Pontus Andersson]

o [NSE] Added multicast group name output to
broadcast-igmp-discovery.nse. [Vasily Kulikov]

o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
SquirrelMail, RoundCube. [Jesper Kückelhahn]


[Xenotix XSS Exploit Framework v4] Advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework


OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.


SCANNER MODULES

  • Manual Mode Scanner
  • Auto Mode Scanner
  • DOM Scanner
  • Multiple Parameter Scanner
  • POST Request Scanner
  • Header Scanner
  • Fuzzer
  • Hidden Parameter Detector

INFORMATION GATHERING MODULES

  • Victim Fingerprinting
  • Browser Fingerprinting
  • Browser Features Detector
  • Ping Scan
  • Port Scan
  • Internal Network Scan

EXPLOITATION MODULES

  • Send Message
  • Cookie Thief
  • Phisher
  • Tabnabbing
  • Keylogger
  • HTML5 DDoSer
  • Executable Drive By
  • JavaScript Shell
  • Reverse HTTP WebShell
  • Drive-By Reverse Shell
  • Metasploit Browser Exploit
  • Firefox Reverse Shell Addon (Persistent)
  • Firefox Session Stealer Addon (Persistent)
  • Firefox Keylogger Addon (Persistent)
  • Firefox DDoSer Addon (Persistent)
  • Firefox Linux Credential File Stealer Addon (Persistent)
  • Firefox Download and Execute Addon (Persistent)

UTILITY MODULES

  • WebKit Developer Tools
  • Payload Encoder 

[ZMap v1.0.3] The Internet Scanner


ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.

ZMap is designed to perform comprehensive scans of the IPv4 address space or large portions of it. While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space at over 1.4 million packets per second. Before performing even small scans, we encourage users to contact their local network administrators and consult our list of scanning best practices.
By default, ZMap will perform a TCP SYN scan on the specified port at the maximum rate possible. A more conservative configuration that will scan 10,000 random addresses on port 80 at a maximum 10 Mbps can be run as follows:

$ zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.txt 

[fuzzdb] Attack and Discovery Pattern Database for Application Fuzz Testing

fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases.

What's in fuzzdb?


Predictable Resource Locations - Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.

Attack Patterns - Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases. FuzzDB contains comprehensive lists of attack payloads known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.

Response Analysis - Since system responses also contain predictable strings, fuzzdb contains a set of regex pattern dictionaries such as interesting error messages to aid detection software security defects, lists of common Session ID cookie names, and more.

Other useful stuff - Webshells, common password and username lists, and some handy wordlists.

Documentation - Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided.

Why was fuzzdb created?


The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns. Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.

Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise.

FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.

Released under the dual New BSD and Creative Commons by Attribution licenses, FuzzDB can be leveraged to improve the test cases built into open source and commercial testing software.

How was the data collected?


Lots of hours of research while performing penetration tests:
  • analysis of default app installs
  • analysis of system and application documentation
  • analysis of error messages
  • researching old web exploits for repeatable attack strings
  • scraping scanner patterns from http logs
  • various books, articles, blog posts, mailing list threads
  • patterns gleaned from other open source fuzzers and pentest tools

FuzzDB is like an open source web application security scanner, without the scanner.

How to Use fuzzdb

  • Use the patterns to test web services.
  • Use the patterns as malicious input payloads for testing non-HTTP network aware application with custom fuzzing tools.
  • Use the patterns as malicious input payloads for testing GUI or command line software with standard test automation tools.
  • Incorporate the patterns into Open Source software, or into your own commercial product.
  • Use the patterns in training materials and documentation. 

[The Backdoor Factory] Backdoors win32 PE files


Backdoors win32 PE files, to continue normal file execution (if the shellcode supports it), by patching the exe/dll directly.

Some executables have built in protections, as such this will not work on all PE files. It is advisable that you test target PE files before deploying them to clients or using them in exercises.

Win32 binaries now run on x64 working with ASLR for proper continued execution after shellcode has run.

Recently tested on all 32bit Sysinternal tools

Usage: ./backdoor.py -h
Usage: backdoor.py [options]
Options: -h, --help show this help message and exit
-f FILE, --file=FILE File to backdoor
-i HOST, --hostip=HOST IP of the C2 for reverse connections
-p PORT, --port=PORT The port to either connect back to for reverse shells or to listen on for bind shells
-o OUTPUT, --output-file=OUTPUT The backdoor output file
-s SHELL, --shell=SHELL Payloads that are available for use.
-n NSECTION, --section=NSECTION New section name must be less than seven characters
-c, --cave The cave flag will find code caves that can be used for stashing shellcode. This will print to all the code caves of a specific size. The -l flag can be use with this setting.
-d DIR, --directory=DIR This is the location of the files that you want to backdoor. You can make a directory of file backdooring faster by forcing the attaching of a codecave to the exe by using the -a setting.
-v, --verbose For debug information output.
-e ENCODER, --encoder=ENCODER Encoders that can help with AV evasion.
-l SHELL_LEN, --shell_length=SHELL_LEN For use with -c to help find code caves of different sizes
-a, --add_new_section Mandating that a new section be added to the exe (better success) but less av avoidance
-w, --change_access This flag changes the section that houses the codecave to RWE. Sometimes this is necessary. Enabled by default. If disabled, the backdoor may fail.
-j, --injector This command turns the backdoor factory in a hunt and shellcode inject type of mechinism. Edit the target settings in the injector module.
-u SUFFIX, --suffix=SUFFIX For use with injector, places a suffix on the original file for easy recovery
-D, --delete_original For use with injector module. This command deletes the original file. Not for use in production systems. Author not responsible for stupid uses.


Features:
-After making a copy of the target file, the file copy will be patched directly.
-Finding all codecaves in an EXE/DLL.
-Injecting modified reverse/bind shells that allow continued execution after connection to the attacker.
-Modifying the PE/COFF header to add an additional section for all win32 executables/dlls, including those with an import table.
-Using the existing shellcode options, the ability to select PORT and HOST as connection options
-The ability to backdoor a directory of executables/dlls
-List all codecaves in the exe/dll
-Select the codecave in the exe/dll to backdoor, thereby not changing the filesize.
-Includes a simple XOR shellcode encoder.

[Malcom] Malware Communication Analyzer


Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic. This comes handy when analyzing how certain malware species try to communicate with the outside world.

Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Check the wiki for a Quickstart and some nice screenshots.

In the near future, it will also become a collaborative tool (coming soon!)

[Vulscan] Module which enhances nmap to a vulnerability scanner


Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version scip VulDB.


Installation

Please install the files into the following folder of your Nmap installation:


Nmap\scripts\vulscan\*


Usage

You have to run the following minimal command to initiate a simple vulnerability scan:

nmap -sV --script=vulscan/vulscan.nse www.example.com


Vulnerability Database

There are the following pre-installed databases available at the moment:

* scipvuldb.csv | http://www.scip.ch/en/?vuldb
* cve.csv | http://cve.mitre.org
* osvdb.csv | http://www.osvdb.org
* securityfocus.csv | http://www.securityfocus.com/bid/
* securitytracker.csv | http://www.securitytracker.com
* xforce.csv | http://xforce.iss.net
* expliotdb.csv | http://www.exploit-db.com
* openvas.csv | http://www.openvas.org

Single Database Mode

You may execute vulscan with the following argument to use a single database:

--script-args vulscandb=your_own_database


It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:

<id>;<title>


Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

[LinEnum] Scripted Local Linux Enumeration & Privilege Escalation Checks


High-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
    • Current IP
    • Default route details
    • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default root/root access to local MYSQL services
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accesible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail

[I2P] Anonymizing Network

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.

Many applications are available that interface with I2P, including mail, peer-peer, IRC chat, and others.

The I2P project was formed in 2003 to support the efforts of those trying to build a more free society by offering them an uncensorable, anonymous, and secure communication system. I2P is a development effort producing a low latency, fully distributed, autonomous, scalable, anonymous, resilient, and secure network. The goal is to operate successfully in hostile environments - even when an organization with substantial financial or political resources attacks it. All aspects of the network are open source and available without cost, as this should both assure the people using it that the software does what it claims, as well as enable others to contribute and improve upon it to defeat aggressive attempts to stifle free speech.

Anonymity is not a boolean - we are not trying to make something "perfectly anonymous", but instead are working at making attacks more and more expensive to mount. I2P is a low latency mix network, and there are limits to the anonymity offered by such a system, but the applications on top of I2P, such as Syndie, I2P mail, and I2PSnark extend it to offer both additional functionality and protection.

I2P is still a work in progress. It should not be relied upon for "guaranteed" anonymity at this time, due to the relatively small size of the network and the lack of extensive academic review. It is not immune to attacks from those with unlimited resources, and may never be, due to the inherent limitations of low-latency mix networks.

I2P works by routing traffic through other peers, as shown in the following picture. All traffic is encrypted end-to-end. For more information about how I2P works, see the Introduction

[Tunna Framework] Tool designed to bypass firewall restrictions on remote webservers


Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. The web application file must be uploaded on the remote server. It will be used to make a local connection with services running on the remote web server or any other server in the DMZ. The local application communicates with the webshell over the HTTP protocol. It also exposes a local port for the client application to connect to.

Since all external communication is done over HTTP it is possible to bypass the filtering rules and connect to any service behind the firewall using the webserver on the other end.

Tunna framework

Tunna framework comes witht he following functionality:

SECFORCE - penetration testing Ruby client - proxy bind: Ruby client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Python client - proxy bind: Python client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Metasploit integration module, which allows transparent execution of metasploit payloads on the server
SECFORCE - penetration testing ASP.NET remote script
SECFORCE - penetration testing Java remote script
SECFORCE - penetration testing PHP remote script


[Introspy] Monitor app in your iDevice

The Problem

In 2013, assessing the security of iOS applications still involves a lot of manual, time-consuming tasks - especially when performing a black-box assessment. Without access to source code, a comprehensive review of these application currently requires in-depth knowledge of various APIs and the ability to use relatively complex, generic tools such as Cycript, or Mobile Substrate - or just jump straight into the debugger.

To simplify this process, we are releasing Introspy - an open-source security profiler for iOS. Introspy is designed to help penetration testers understand what an application does at runtime.

How Introspy works


The tool comprises two separate components: an iOS tracer and an analyzer.

The iOS tracer can be installed on a jailbroken iOS device. It will hook security-sensitive APIs called by a given application, including functions related to cryptography, IPCs, data storage / protection, networking, and user privacy. The call details are all recorded and persisted in a SQLite database on the device.

This database can then be fed to the Introspy analyzer, which generates an HTML report displaying all recorded calls, plus a list of potential vulnerabilities affecting the application.

Tracer


Once installed, the tracer will store in a SQLite database all calls made by iOS applications to security-sensitive APIs.

[Raft v3.0.1] Response Analysis and Further Testing Tool

Not an inspection proxy

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility in to areas that other tools do not such as various client side storage.

RAFT uses markup to create templates for fuzz testing.

[The Burp SessionAuth] Extension for Detection of Possible Privilege escalation vulnerabilities

Normally a web application should identify a logged in user by data which is stored on the server side in some kind of session storage. However, in web application audits someone can often observe that internal user identifiers are transmitted in HTTP requests as parameters or cookies. Applications which trust identity information provided by the client can be vulnerable to privilege escalation attacks. Finding all occurrences of identity data transmissions can be quite straining, especially if this information is sent in different parameters, among other information or only in particular requests.

The motivation behind the Burp SessionAuth extension was to support the web application auditor in finding such cases of privilege escalation vulnerabilities. The idea is, that the auditor provides some information, internal identifiers and strings which identify different users (e.g. his/her real name) or content. The extension performs the following tasks:

  • Monitoring of all requests for occurrences of the given identifiers. Such requests are typical candidates for privilege escalation vulnerabilities. Even if a web application doesn’t seems to be vulnerable in one part, it can still be vulnerable in other ones.
  • Preparing an Intruder configuration on request of the user and implementation of a Intruder payload generator which delivers the user identifiers.
  • Actively scan a suspicious request and try to determine vulnerabilities automatically by some heuristics.

Please be aware that this piece of software is still very experimental!