Thủ Phủ Hacker Mũ Trắng Buôn Ma Thuột

Chương trình Đào tạo Hacker Mũ Trắng Việt Nam tại Thành phố Buôn Ma Thuột kết hợp du lịch. Khi đi là newbie - Khi về là HACKER MŨ TRẮNG !

Hacking Và Penetration Test Với Metasploit

Chương trình huấn luyện sử dụng Metasploit Framework để Tấn Công Thử Nghiệm hay Hacking của Security365.

Tài Liệu Computer Forensic Của C50

Tài liệu học tập về Truy Tìm Chứng Cứ Số (CHFI) do Security365 biên soạn phục vụ cho công tác đào tạo tại C50.

Sinh Viên Với Hacking Và Bảo Mật Thông Tin

Cuộc thi sinh viên cới Hacking. Với các thử thách tấn công trang web dành cho sinh viên trên nền Hackademic Challenge.

Tấn Công Và Phòng Thủ Với BackTrack / Kali Linux

Khóa học tấn công và phòng thủ với bộ công cụ chuyên nghiệp của các Hacker là BackTrack và Kali LINUX dựa trên nội dung Offensive Security

Sayfalar

[Wireshark v1.10.0 RC1] The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Changelog v1.10.0 RC1

Wireshark 1.10.0rc1 has been released. Installers for Windows, OS X, and source code are now available. This is the first release candidate for Wireshark 1.10.0.


New and Updated Features
The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in “hosts” format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.

[Salted Hash Kracker v1.0] Tool to recover the Password from Salted Hash text


Salted Hash Kracker is the free all-in-one tool to recover the Password from Salted Hash text.

These days most websites and applications use salt based hash generation to prevent it from being cracked easily using precomputed hash tables such as Rainbow Crack. In such cases, 'Salted Hash Kracker' will help you to recover the lost password from salted hash text.

It also allow you to specify the salt position either in the beginning of password(salt+password) or at the end of the password (password+salt). In case you want to perform normal hash cracking without the salt then just leave the 'Salt field' blank.

Currently it supports password recovery from following popular Hash types
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512

It uses dictionary based cracking method which makes the cracking operation simple and easier. You can find good collection of password dictionaries (also called wordlist) here & here

It is fully portable and works on all Windows platforms starting from Windows XP to Windows 8.

[IPv6 Toolkit v1.3.4] A security assessment and troubleshooting tool for the IPv6 protocols


A security assessment and troubleshooting tool for the IPv6 protocols.

The SI6 Networks’ IPv6 toolkit is a set of IPv6 security/trouble-shooting tools, that can send arbitrary IPv6-based packets.


Changelog v1.3.4

  • IPv6-host tracking support in the scan6 tool.
  • A new tool, address6, to analyze IPv6 addresses.
  • Minor bug fixes.
  • The toolkit runs on (at least) the latest versions of Linux, FreeBSD,
  • NetBSD, OpenBSD, and MacOS.

Supported platforms
  • The following platforms are supported: FreeBSD, NetBSD, OpenBSD, Linux, and Mac OS.


List of Tools and Manual Pages

  • flow6: A tool to perform a security asseessment of the IPv6 Flow Label.
  • frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.
  • icmp6: A tool to perform attacks based on ICMPv6 error messages.
  • jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.
  • na6: A tool to send arbitrary Neighbor Advertisement messages.
  • ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.
  • ns6: A tool to send arbitrary Neighbor Solicitation messages.
  • ra6: A tool to send arbitrary Router Advertisement messages.
  • rd6: A tool to send arbitrary ICMPv6 Redirect messages.
  • rs6: A tool to send arbitrary Router Solicitation messages.
  • scan6: An IPv6 address scanning tool.
  • tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.

Related Documents (PDF)

More Information:
http://www.si6networks.com/tools/ipv6toolkit/

[Sanewall 1.0.0] Making sense of firewalling


Sanewall is a firewall builder for Linux which uses an elegant language abstracted to just the right level. This makes it powerful as well as easy to use, audit, and understand. It allows you to create very readable configurations even for complex stateful firewalls.

Sanewall can be used for almost any firewall need, including:
  • control of any number of internal/external/virtual interfaces
  • control of any combination of routed traffic
  • setting up DMZ routers and servers
  • all kinds of NAT
  • providing strong protection (flooding, spoofing, etc.)
  • transparent caches
  • source MAC verification
  • blacklists, whitelists

The current experimental snapshotssupport IPv6. Sanewall abstracts the differences between IPv4 and IPv6, allowing you to define a common set of rules for both whilst permitting specific rules for each as you need.

Sanewall is a fork of FireHOL. The configuration language is identical, just see this FAQ for some variable name changes. For now the FireHOL website is still the best source of introductory information.
Sanewall is released under the GPLv2+open source licence.

[Arachni v0.4.2] web application security scanner (Boosted with new UI)

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.


It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform

Features

  • Cookie-jar/cookie-string support.
  • Custom header support.
  • SSL support.
  • User Agent spoofing.
  • Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
  • Proxy authentication.
  • Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLM and others).
  • Automatic log-out detection and re-login during the audit (when the initial login was performed via the AutoLogin plugin).
  • Custom 404 page detection.
  • UI abstraction:
  • Pause/resume functionality.
  • High performance asynchronous HTTP requests.
      With adjustable concurrency.


Major improvements with 0.4.2


Users

Regular users can enjoy:
  • The ability to easily perform and manage scans via the brand new, Rails-based, simple, intuitive and beautiful web user interface — I’m overselling it a bit out of excitement.
  • Much reduced RAM usage.
  • More fluid and smoother progress %.
  • Issue remarks – Providing extra context to logged issues and assisting you in determining the nature, variation and special circumstances that may apply.
  • More resilient stance towards non-responsive servers.
  • Much improved profiling and detection of custom 404 responses.
  • Improved payloads for Windows machines for path traversal and OS command injection.
  • The ability to exclude pages from the scan based on content.


Developers

Oh you devs out there controlling Arachni via RPC are gonna love these:
  • Default serialization changed to Marshal, which translates to much faster and less bandwidth consuming RPC calls.
    • YAML serialization is still supported and it is an automatic fallback, YAML requests will still illicit a YAML response. Careful though, the engine has been changed to Psych, which has been the Ruby default for a while now.
  • A bunch of convenience methods have been added to Arachni::RPC::Server::Instance, allowing you to perform and control scans much easier than before.
  • More data returned for logged Issues during runtime.


Service providers

Well, you get to enjoy all of the above but at a higher, more abstract level:
  • Significantly reduced RAM consumption.
  • Significantly reduced bandwidth and CPU usage for RPC calls.
  • Improved progress information for statistics, issues and progress %.

[MSF-Installer] Script to Automate Metasploit Framework Installation


Script to help with installing and configuring Metasploit Framework, Armitage and the Plugins I have written on OSX and Linux

To use the script on OSX Java, Xcode and Command Development Tools from Xcode must be installed before running the script. In the case of OSX I also added the option of installing GNU GCC in the case you want to compile the old Ruby 1.8.7 that requieres it. When you download the script you must make it executable, when ran with no arguments or with -h it will how the usage help message:

$ chmod +x msf_install.sh 
$ ./msf_install.sh -h
Scritp for Installing Metasploit Framework
By Carlos_Perez[at]darkoperator.com
Ver 0.1.0

-i :Install Metasploit Framework.
-p :password for MEtasploit databse msf user. If not provided a roandom one is generated for you.
-g :Install GNU GCC (Not necessary uless you wish to compile and install ruby 1.8.7 in OSX
-h :This help message
To start the installation you just run the script with the -i option and the installation will start. In the case of OSX it will:
  • Check that dependencies are meet.
  • Check if Homebrew is installed and of not it will install it.
  • Install Ruby 1.9.3
  • Install base ruby gems.
  • Install and configure Postgres for use with Metasploit
  • Install GCC if selected.
  • Download and install Metasploit Framework.
  • Installs all necessaries Ruby Gems using bundler.
  • Configure the database connection and sets the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

in the case of Ubuntu 12.10 and 13.04 it will:
  • Install all necessary packages
  • Install base ruby gems.
  • Configure Postgres for use with Metasploit
  • Download and install Metasploit Framework.
  • Installs all necessaries Ruby Gems using bundler.
  • Configure the database connection and sets the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

[Mercury v2.2.0] The Android Assessment Framework

Mercury is a security assessment framework for the Android platform. It allows you to dynamically interact with the Inter-Process Communication (IPC) endpoints exported by an application installed on a device.
Mercury provides similar functionality to a number of static analysis tools, such as aapt, but offers far more flexibility by allowing you to interact with these endpoints from the context of an unprivileged application running on the same device.

The Android sandbox is designed to restrict the access of an unprivileged application to other applications and the underlying device, without requesting appropriate permissions. Once you’ve had a look with Mercury, you will be surprised at how much access you actually have.
Mercury was also a part of the latest Blackhat Arsenal 2013 Session in Amsterdam, where the awesome team has demoed neat features and few tricks pentesters can leverage to bypass restrictions and exploit vulnerabilities on Android Smartphones.

Mercury allows you to:
  1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
  2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  3. Find information on installed packages with optional search filters to allow for better control
  4. Built-in commands that can check application attack vectors on installed applications
  5. Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  6. Create new modules to exploit your latest finding on Android, and playing with those that others have found
Here is the latest changelog information as embedded with Mercury package

- Connections between Consoles and Agents can be encrypted with SSL.
- The Agent can require a password to be provided to establish a session.
- New Mercury modules can be downloaded and installed from the Internet, and
the local file system.
- Significant performance improvements to the Agent.

In addition, the following Github Issues have been closed:
Agent:

# 2 High CPU usage when polling for messages in Session.java.
# 1 High CPU usage on active connection in Server/Client.java.

Console:

# 50 Error when printing ContentProvider Path Permissions.
# 49 app.provider.delete does not work.
# 48 Python 2.x xrange/range optimization.
# 47 Some apps can crash scanner.provider.* modules.
# 44 Running app.package.manifest without specifying a package results in a
Null Pointer Exception.
# 43 Bug in app.provider.query.
# 34 Five, new 3rd Party ‘pilfer’ Modules.


The new console is compatible with the old agent, and vice-versa. However, this
configuration does not support SSL or password-on-connect.

[File Time Changer] Command-line Tool to quickly change the Date/Time stamp of the file


File Time Changer is the Free Command-line tool to quickly change the Date/Time stamp of the file.

It also allows you to view the current date/time of the file before modifying it.

You can view or modify all the 3 types of timestamp for the file,
  • Creation Time
  • Last Access Time
  • Last Modified Time
Being a command-line tool makes it easy to automate through scripts.

It works well on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

License: Freeware
Platform : Windows XP, Vista, Windows 7, Windows 8

[Kali Linux v1.0.3] Penetration Testing Distribution

Kali Linux is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution.



Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our VCS.

  • More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.
  • Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.
  • Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see and all sources are available for those who wish to tweak and rebuild packages.
  • FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.
  • Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
  • Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments so our kernel has the latest injection patches included.
  • Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.
  • GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed and the repositories subsequently sign the packages as well.
  • Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
  • Completely customizable: We completely understand that not everyone will agree with our design decisions so we have made it as easy as possible for our more adventurous users to customize Kali Linux to their liking, all the way down to the kernel.
  • ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of the distribution. Kali is currently available for the following ARM devices:

Kali is specifically tailored to penetration testing and therefore, all documentation on this site assumes prior knowledge of the Linux operating system.

Changelog

Bugfix rollup. New accessibility features. Added live Desktop installer.

[WAF-FLE] Web application firewall: fast log and event console

WAF-FLE is a OpenSource Console for ModSecurity, it allow the modsec admin to view and search events sent by mlogc (modsecurity event log handler).

Features:
  • Central event console
  • Support Modsecurity in “traditional” and “Anomaly Scoring”
  • Able to receive events sent from mlogc (in real time or in batch using mlogc-batch-load.pl)
  • No sensor number limit
  • Dashboard with recent events information
  • Drill down of events with filter
  • Every (almost) data is “clickable” to drill down the filter
  • Inverted filter (to filter for “all but this item”)
  • Filter for network (in CIDR format, x.x.x.x/22)
  • Raw event download
  • Use Mysql as database
  • Open Source released under GPL v2


[Resolver 1.0.9] Reverse DNS Lookup for a range of IP’s


Resolver is a windows based tool which designed to preform a reverse DNS Lookup for a given IP address or for a range of IP’s in order to find its PTR. 

Updated to Version 1.0.3 added dns records brute force. Version 1.0.4 added stop button.



Features


  • Resolve a single IP address
  • Resolve a C class IP range
  • Resolve from a list of IP's
  • Export results to a text file
  • Copy Results to Clipboard
  • DNS Records Brute force



[Nessus 5.2] Nessus Vulnerability Scanner


New release of the Nessus vulnerability scanner! This is a major release (moving from 5.0.3 to 5.2.0) and includes several new features and enhancements, including:
  • IPv6 is now supported on all platforms (including Windows)
  • Nessus server support for Windows 8 and Windows 2012
  • Add attachments within scan result reports
  • Mac OS X preference pane
  • Digitally-signed Nessus RPM packages for supporting distributions
  • Smaller memory footprint and reduced disk space usage
  • Faster, more responsive web interface (uses less bandwidth)
  • No longer need to visit the Tenable website for an activation code!

Several key features are described in detail below, including examples of the new MAC OS X preference pane and the new attachments feature:


Add Attachments to Scan Results


Information collected during the scan can now be included in the results as an attachment. The first iteration of attachments will be screenshots, but any attachment type can be included.


Remote Desktop Protocol (RDP)


If Nessus discovers Remote Desktop Protocol on a target, a screenshot is taken. This can reveal information such as the operating system version and the currently-logged-on user.


VNC


If Nessus discovers a target is running VNC without a password to restrict access, a screenshot is included in the results. The above example shows the system using a web browser to visit the www.tenable.com website.


Websites


For Internet-connected web servers, Nessus will take a screenshot of the website as if you visited the website using a web browser. This feature is useful to identify the applications you are testing, including making sure you are testing the correct virtual host.


Mac OS X Preference Pane


The addition of a Nessus server preference pane in OS X allows the user to stop and start the Nessus server process and configure whether or not Nessus is started at boot time.

Getting Nessus 5.2


New users may download and evaluate Nessus free of charge by visiting the Nessus home page. Current customers can download 5.2 from the Tenable Support Portal. Detailed instructions and notes on upgrading are located in the Nessus 5.2 Installation and Configuration Guide.

Nessus ProfessionalFeed and Perimeter Service customers: Please contact Tenable Support (support -at- tenable.com) with any questions regarding the upgrade to Nessus 5.2.0. Users may also visit the Tenable Discussion Portal for more information.

[Fern Wifi Cracker] Wireless security auditing and attack software to crack and recover WEP/WPA/WPS keys


Fern Wifi Cracker is a Wireless security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library, the program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks

Operating System Supported

The Software runs on any Linux machine with the programs prerequisites, But the program has been tested on the following Linux based operating systems:

Prerequisites

The Program requires the following to run properly:
The following dependencies can be installed using the Debian package installer command on Debian based systems using "apt-get install program" or otherwise downloaded and installed manually


Features


Fern Wifi Cracker currently supports the following features:
  • WEP Cracking with Fragmentation,Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
  • WPA/WPA2 Cracking with Dictionary or WPS based attacks
  • Automatic saving of key in database on successful crack
  • Automatic Access Point Attack System
  • Session Hijacking (Passive and Ethernet Modes)
  • Access Point MAC Address Geo Location Tracking
  • Internal MITM Engine
  • Bruteforce Attacks (HTTP,HTTPS,TELNET,FTP)
  • Update Support


[Hidden CMD Detector] Discover Hidden Command prompts


Hidden CMD Detector is the free tool to discover Hidden Command prompts and detect any Hacker presence on your system.

The first thing any Hacker does on getting access to remote system is to run a hidden Command shell. This tool can help you to automatically detect any such hidden cmd prompts and keep your system safe from hackers.

It can help you to discover following type of command prompts,
  • Normal/Hidden Command Prompts
  • Renamed or custom Command Prompts
  • Reverse Command Shells launched by hacker Tools like netcat
  • Command Prompts launched by User/System Process

This tool can be easily automated to run at certain interval. It supports 3 output modes (normal, one liner, xml) making it easy to parse the result through the automation scripts.
It will be ideal tool to run on unattended machines periodically to detect any hacker activities and alert the administrators.

[Vega v1.0] Web Application Security Scanner

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.
Vega was developed by Subgraph in Montreal.

Features

  • Automated Crawler and Vulnerability Scanner
  • Consistent UI
  • Website Crawler
  • Intercepting Proxy
  • SSL MITM
  • Content Analysis
  • Extensibility through a Powerful Javascript Module API
  • Customizable alerts
  • Database and Shared Data Model

Some of the features in the 1.0 release include:
  • Active proxy scanner
  • Greatly improved detections
  • Greatly improved support for authenticated scanning
  • API enhancements
  • HTTP message viewer enhancements

Modules

  • Cross Site Scripting (XSS)
  • SQL Injection
  • Directory Traversal
  • URL Injection
  • Error Detection
  • File Uploads
  • Sensitive Data Discovery

[SPF v0.1.7] Smartphone Pentest Framework - Support of the SMS shell pivot

The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app.

SPF first release includes a text based management console, a web based GUI, and a management Android app.



  • SPF Console: The console is a text based Perl program that allows Smartphone Pentest Framework users to perform all the server functionality of SPF.
  • SPF Web based GUI: The GUI is a web based front end for SPF that allows users to perform all the server functionality. It is a set of Perl based webpages.
  • SPF Android App: The SPF Android App allows users to use the mobile modem of the Android smartphone with SPF to send SMS messages, gather information, etc. Users can also perform server functionality directly from Android smartphones using this application.
  • SPF Android Agent: The SPF Android Agent is one of Smartphone Pentest Framework’s post exploitation options. It is transparent to the user and allows SPF users to perform post exploitation tasks such as privilege escalation, information gathering, and remote control on Android phones with the agent installed. Agents for iPhone and Blackberry platforms are currently in development.

Changes for 0.1.7
    Added SMS shell pivot

Note: There is also a new script to install SPF on the newest KALI Pentest Plateform (https://github.com/georgiaw/Smartphone-Pentest-Framework/blob/master/kaliinstall). Don’t miss it.

[Brakeman v1.9.5] The Static analysis security scanner for Ruby on Rails

Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Unlike many web security scanners, Brakeman looks at the source code of your application. This means you do not need to set up your whole application stack to use it.

Once Brakeman scans the application code, it produces a report of all security issues it has found.

Advantages


No Configuration Necessary

Brakeman requires zero setup or configuration once it is installed. Just run it.


Run It Anytime

Because all Brakeman needs is source code, Brakeman can be run at any stage of development: you can generate a new application with rails new and immediately check it with Brakeman.


Better Coverage

Since Brakeman does not rely on spidering sites to determine all their pages, it can provide more complete coverage of an application. This includes pages which may not be ‘live’ yet. In theory, Brakeman can find security vulnerabilities before they become exploitable.


Best Practices

Brakeman is specifically built for Ruby on Rails applications, so it can easily check configuration settings for best practices.


Flexible Testing

Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with.


Speed

While Brakeman may not be exceptionally speedy, it is much faster than “black box” website scanners. Even large applications should not take more than a few minutes to scan.


Limitations


False Positives

Only the developers of an application can understand if certain values are dangerous or not. By default, Brakeman is extremely suspicious. This can lead to many “false positives.”


Unusual Configurations

Brakeman assumes a “typical” Rails setup. There may be parts of an application which are missed because they do not fall within the normal Rails application layout.


Only Knows Code

Dynamic vulnerability scanners which run against a live website are able to test the entire application stack, including the webserver and database. Naturally, Brakeman will not be able to report if a webserver or other software has security issues.


Isn’t Omniscient

Brakeman cannot understand everything which is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it tries its best. Remember, if you run across something strange, feel free to file an issue for it.
Changes since 1.9.4:

  • Add check for unsafe symbol creation (Aaron Weiner)
  • Do not warn on mass assignment with slice/only (#203)
  • Do not warn on session secret if in .gitignore (#241)
  • Fix session secret check for Rails 4
  • Fix scoping for blocks and block arguments
  • Fix error when modifying blocks in templates
  • Fix crash on before_filter outside controller
  • Fix Sexp hash cache invalidation
  • Respect quiet option in configuration file (#300)
  • Convert assignment to simple if expressions to or
  • More fixes for assignments inside branches
  • Refactoring of CheckLinkTo and Report (Bart ten Brinke)
  • Pin ruby2ruby dependency to version 2.0.3 (see here)

[Open SCAP v0.9.5] Support of SCE - Script Check Engine

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It’s our goal to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it represents.


OpenSCAP components:
  • Library – It provides interface to SCAP document processing and evaluation. Library is written in C and it provides bindings for python and perl.
  • SCAP Scanner – It utilize the library and provides local scanning capabilities
  • XSLT Transformations – The project provides tranformations that allow user to transform various SCAP content from XML to more human-readable HTMl form.
  • SCAP Content – We also provide example SCAP content that can be used mainly for experimental testing purposes.

OpenSCAP supports following OVAL tests:

Unix schemaLinux schemaIndependent schema
  • dnscache
  • file
  • fileextendedattribute
  • gconf
  • interface
  • password
  • process
  • process58
  • routingtable
  • runlevel
  • shadow
  • sysctl
  • uname
  • xinted
  • dpkginfo
  • iflisteners
  • inetlisteningservers
  • partition
  • rpminfo
  • rpmverify
  • selinuxboolean
  • selinuxsecuritycontext
  • family
  • filehash
  • filehash58
  • environmentvariable
  • environmentvariable58
  • ldap57
  • textfilecontent
  • textfilecontent54
  • xmlfilecontent

Furthermore, OpenSCAP also implements technology that is not included in SCAP standards – the alternative check engine SCE. Allows you to use familiar scripting language of your choice instead of OVAL for checks.

Current Release: 0.9.5 (Mar 19, 2013)

  • oscap xccdf remediate (new oscap module which introduces offline remediation; the remediation based on existing xccdf:TestResult file)
  • added support for SCE into DataStream (SCE scripts can now be embedded into the DataStream file similarly as OVAL can)
  • improved bash completion and documentation
  • bug fixes

[EMET v4.0 Beta] Enhanced Mitigation Experience Toolkit

The enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder to hackers to exploit vulnerabilities in the legacy software.
4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET’s graphical user interface. There is no need to locate up and decipher registry keys or run platform dependent utilities. With EMET you can adjust setting with a single consistent interface regardless of the underlying platform.

5. Ease of deploy: EMET comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.

6. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques

New enhancements with v4 (from Microsoft Blog)


The feature set for this new version of the tool was inspired by our desire for EMET to be an effective mitigation layer for a wider variety of potential software exploit scenarios, to provide stronger protections against scenarios where EMET protection already exists, and to have a way to respond to 0day exploits as soon as possible. Here are the highlights of the EMET 4.0 feature set:

  • EMET 4.0 detects attacks leveraging suspicious SSL/TLS certificates
  • EMET 4.0 strengthens existing mitigations and blocks known bypasses
  • EMET 4.0 addresses known application compatibility issues with EMET 3.0
  • EMET 4.0 enables an Early Warning Program for enterprise customers and for Microsoft
  • EMET 4.0 allows customers to test mitigations with “Audit Mode”

SSL/TLS Certificate Trust features
EMET 4.0 allows users to configure a set of certificate pinning rules to validate digitally signed certificates (SSL/TLS certificates) while browsing with Internet Explorer. This option allows users to configure a set of rules able to match specific domains (through their SSL/TLS certificates) with the corresponding known Root Certificate Authority (RootCA) that issued the certificate. When EMET detects the variation of the issuing RootCA for a specific SSL certificate configured for a domain, it will report this anomaly as an indicator of a potential man-in-the-middle attack.

Advanced users can also add exceptions for each pinning rule. This will allow EMET to accept SSL/TLS certificates even if the pinning rule doesn’t match. Exceptions are related to some properties of the RootCA certificate, such as key size, hashing algorithm, and issuer country.

Strengthened mitigations, blocking bypasses
We learned a great deal during the “Technical Preview” phase of EMET 3.5. We saw researchers poking and presenting clever tricks to bypass EMET’s anti-ROP mitigations. EMET 4.0 blocks these bypasses. For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additional hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. These “Deep Hooks” can be configured in EMET’s Advanced Configuration. We have seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue. With EMET 4.0’s “Anti detours” option enabled, common shellcode using this technique will be blocked. Finally, EMET 4.0 also includes a mechanism to block calls to banned API’s. For example, a recent presentation at CanSecWest 2013 presented a method of bypassing ASLR and DEP via ntdll!LdrHotPatchRoutine. EMET 4.0’s “Banned API” feature blocks this technique.

Application compatibility fixes
Users of previous versions of EMET had encountered isolated compatibility issues when enabling mitigations on both Microsoft and third party software. EMET 4.0 addresses all these known app
-compat issues. That list includes issues in the following areas:
- Internet Explorer 9 and the Snipping Tool
- Internet Explorer 8’s Managed Add-ons dialog
- Office software through SharePoint
- Access 2010 with certain mitigations enabled
- Internet Explorer 10 on Windows 8
The EMET 4.0 installer also opts-in protection rules with certain mitigations disabled where we know a mitigation interacts poorly with certain software. Examples include Photoshop, Office 2013’s Lync, GTalk, wmplayer, and Chrome.

Early Warning Program for enterprise customers and for Microsoft
When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks again the corporate network. For organizations that typically send all error reports to Microsoft, this information will add to the set of indicators we use to hunt attacks in the wild, and will facilitate the remediation of issues with security updates before vulnerabilities become a large scale threat. The EMET Privacy Statement (available also via the main EMET window) includes more information about the type of data that will be sent in the error report via Microsoft Error Reporting. The Early Warning Program is enabled by default for the EMET 4.0 Beta and can be disabled in the EMET UI or via the EMET command line component. We are eager to hear customer feedback about this feature to help shape the Early Warning Program for the EMET 4.0 final release.

Audit Mode
When previous versions of EMET detected exploitation attempts, it would report the attack via the EMET agent and then terminate the program to block the attack. For EMET 4.0, in response to customer feedback, we provided an option to configure EMET’s behavior when it detects an exploitation attempt. The default option remains to terminate the application. However, customers wanting to test EMET in a production environment can instead switch to “Audit Mode” to report the exploitation attempt but not terminate the process. This setting is not applicable for all mitigations but we provide this option whenever possible.

Other Improvements
EMET 4.0 includes a bunch of other improvements. The quantity of new features and volume of work put into this release is the reason we skipped the EMET 3.5 full release and jumped straight to EMET 4.0. Please refer to the EMET 4.0 Beta Users Guide for the full set of features but here are several other highlights:

- EMET Notifier becomes EMET Agent, with new duties and functionalities
- More granular reporting options (tray icon, event log, both, or none)
- New default profiles for both mitigations and Certificate Trust
- Registry configuration to customize the EMET Agent’s messaging
- Optimized RopCheck for significantly better performance
- Numerous UI tweaks to make EMET easier to use
- Enable wildcard support when adding applications to be protected
- Allow processes to be protected even if they do not have .exe extension
- Switched to .NET Framework 4.0
- EMET is an officially supported Microsoft tool with support available for customers with Premier contract

[ADEL] Android Data Extractor Lite

ADEL which is meant as an abbreviation of “Android Data Extractor Lite”. ADEL was developed for versions 2.x of Android and is able to automatically dump selected SQLite database files from Android devices and extract the contents stored within the dumped files. In this section we describe the main tasks of ADEL and what steps the tool actually performs.


However, there are conditions that must apply for ADEL to work correctly. These conditions are stated in the following sections, corresponding to the relevant tasks. A flow chart showing the structure of ADEL is depicted in the following figure:


During the development of ADEL we primarily took into account the following design guidelines:

Forensic principles: ADEL is intended to treat data in a forensically correct way. This goal is reached by the fact that activities are not conducted directly on the phone but on a copy of the databases. This procedure assures that data does not become changed, neither by the users of ADEL nor by an uncompromised operating system. In order to proof the forensic correctness of ADEL, hash values are calculated prior and after each analysis, to guarantee that dumped data did not become changed during analysis.

Extendibility: ADEL has been modularly built and contains two separate modules: the analysis and the report module. Predefined interfaces exist between these modules and both of them can be easily amended by additional functions. The modular structure allows for dumping and analyzing further databases of smartphones without great effort and facilitates updates of the system in the future.

Usability: The use of ADEL is intended to be as simple as possible to allow its use by both qualified persons and non-experts. At best, the analysis of the mobile phone is conducted in an autonomous way so that the user does not receive any notice of internal processes. Moreover, the report module creates a detailed report in a readable form, including all of the decoded data. During the execution, ADEL optionally writes an extensive log file where all of the important steps that were executed are traced.

ADEL makes use of the Android Software Development Kit (Android SDK) and especially the adb deamon to dump database files to the investigator’s machine.

To extract contents contained within a SQLite database file ADEL parses the low-level data structures. After having opened the database file that is to be parsed in read-only mode, ADEL reads the database header (first 100 bytes of the file) and extracts the values for each of the header fields. Not all, but some of the values in the header fields are necessary to be able to parse the rest of the database file. An important value is the size of the pages in the database file which is required for parsing the b-tree structures (page-wise). After having read the database header fields, ADEL parses the b-tree that contains the “sqlite_master” table for which the first page of the database always is the root page. The SQL CREATE statement and the page number of the b-tree root page are extracted for each of the database tables. Additionally, the SQL CREATE statement is further analyzed to extract the name and the data type for each column of the corresponding table. Finally the complete b-tree structure is parsed for each table, beginning at the b-tree root page that was extracted from the “sqlite_master” table. Every leaf page of the b-tree is identified by following the pointers of all of the interior pages. Finally the row contents of each table are extracted from the cells found in any leaf page that belongs to the same table b-tree.

Within this section we address the report module and its functionalities. In the current development state, the following databases are forensically treated and parsed:
  • telephone and SIM-card information (e. g. IMSI and serial number)
  • telephone book and call lists,
  • calendar entries,
  • SMS messages,
  • GPS locations from different sources on the smartphone.

Data retrieved this way is written to an XML-File by the report module in order to ease further use and depiction of the data. As the analysis module, it can be easily updated regarding possible changes in future Android versions or in the underlying database schemas. Therefore, we have created different tuple – e. g. [table, row, column] – to define the data that is exchanged between both modules. If the database design changes in the future, only the tuple have to be adapted. The report module automatically creates XML-files for each of the data types listed above. In addition, a report is created which contains all data extracted from the analyzed databases. With the help of a XSL-file the report will be graphically refurbished. All files created by ADEL are stored in a subfolder of the current project.

[Cuckoo Sandbox v0.6] Software for Automating Analysis of Suspicious Files

Cuckoo Sandbox is an Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.

Cuckoo generates a handful of different raw data which include:
  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis
In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:
  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Cuckoo Sandbox 0.6 (2012-04-15)
===============================
(note for author’s blog)
This release represents a major step forward for the quality of the project: you won’t find an endless list of new features this time, but a handful of solid improvements that should make your experience with sandboxing much more pleasant.

Along with a few smaller additions, the focus of 0.6 revolves around the introduction of network logging. Until now the retrieval of the analysis results from the analysis machines happened through an inefficient and resource-expensive XMLRPC transaction. With Cuckoo Sandbox 0.6 we are now able to collect behavioral logs, dropped files, screenshots and memory dumps in real-time from the analysis machines through the use of what it’s been called ResultServer.

The advantages of this approach are multiple:
  • You will now see results coming in in real-time.
  • The memory errors and timeouts that used to occur with previous versions when trying to retrieve the resuts are now gone!
  • Even if the analysis machine is somehow compromised (crashed, shutdown or otherwise locked) you will still have complete results up to that point.
  • Probably some more advantages, but it’s already awesome as it is.

- Added procmemdump option to all analysis packages
- Added randomization of folders and pipes in the analysis machines
- Added checks to block injection of Cuckoo's agent and analyzer
- Added configuration file for processing modules
- Added result server to collect logs, files, screenshots and all results in real-time
- Added option for enabling/disabling generation of CSV logs
- Added REST API function to delete analysis task
- Added matching of Yara signatures against dropped files
- Added default fail-over on "exe" package if can't automatically identify the correct one
- Added password option to zip package
- Improved human auxiliary module
- Improved Sleep() bypass
- Improved dump of dropped files by tracking writing operations
- Improved creation of screenshots by calculating a diff threshold
- Fixed memory error issues
- Fixed bugs in analysis procedure logic and in deletion of original files
- Fixed bugs in MongoDB reporting module
- Fixed bugs in HTML reporting module
- Fixed bugs in VirusTotal processing module
- Fixed bug in handling GetLastError() result
- Fixed bug in network traffic capture
- Fixed bug in submission and creation of tasks in the database
- Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues