CuckooAutoInstall - Auto Installer Script for Cuckoo Sandbox

What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean?
It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

CuckooAutoInstall was created to avoid wasting time installing Cuckoo Sandbox in Debian Stable.

Usage

• Execute the script: sh cuckooautoinstall.sh
• Add a password for the user 'cuckoo' created by the script. Use: passwd cuckoo command.
• Create the virtual machines http://docs.cuckoosandbox.org/en/latest/installation/guest/ or import virtual machines using VBoxManage import virtual_machine.ova
• Add to the virtual machines with HostOnly option using vboxnet0: vboxmanage modifyvm “virtual_machine" --hostonlyadapter1 vboxnet0 (use this command to list the VMs: VBoxManage list vms)
• Configure cuckoo: cuckoo/conf/cuckoo.conf, cuckoo/conf/auxiliary.conf & cuckoo/conf/virtualbox.conf
• Execute cuckoo (check the image output): cd cuckoo && python cuckoo.py
• Execute also webpy (default port 8080): cd cuckoo/utils && python web.py
• Execute also django using port 6969: cd cuckoo/web && python manage.py runserver 0.0.0.0:6969

Script features 
It installs by default Cuckoo sandbox with the ALL optional stuff: yara, ssdeep, django ...
It installs the last versions of: ssdeep, yara, pydeep-master & jansson.
It tries to solve common problems during the installation: ldconfigs, autoreconfs...
It installs by default virtualbox and creates the hostonlyif.
It creates the iptables rules and the ip forward to enable internet in the cuckoo virtual machines:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

It enables run tcpdump from nonroot user:

sudo apt-get -y install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

It creates the 'cuckoo' user in the system and it is also added this user to vboxusers group.
It enables mongodb in conf/reporting.conf
It fix the "TEMPLATE_DIRS setting must be a tuple" error when running python manage.py from the DJANGO version >= 1.6. Replacing in web/web/settings.py:

    TEMPLATE_DIRS = (
    "templates"
    )
For:
    TEMPLATE_DIRS = (
    ("templates"),
    )

Download CuckooAutoInstall

Read More

LinEnum - Local Linux Enumeration & Privilege Escalation Checks

LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.

After the scan has completed (please be aware that it make take some time) you’ll be presented with (possibly quite extensive) output, to which any key findings will be highlighted in yellow with everything else documented under the relevant headings.

Below is a high-level summary of the checks/tasks performed by LinEnum:

• Kernel and distribution release details
• System Information:
  • Hostname
  • Networking details:
    • Current IP
    • Default route details
    • DNS server information
• User Information:
  • Current user details
  • Last logged on users
  • Llist all users including uid/gid information
  • List root accounts
  • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • Attempt to read restricted files i.e. /etc/shadow
  • List current users history files (i.e .bash_history, .nano_history etc.)
• Privileged access:
  • Determine if /etc/sudoers is accessible
  • Determine if the current user has Sudo access without a password
  • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • Is root’s home directory accessible
  • List permissions for /home/
• Environmental:
  • Display current $PATH
• Jobs/Tasks:
  • List all cron jobs
  • Locate all world-writable cron jobs
  • Locate cron jobs owned by other users of the system
• Services:
  • List network connections (TCP & UDP)
  • List running processes
  • Lookup and list process binaries and associated permissions
  • List inetd.conf/xined.conf contents and associated binary file permissions
  • List init.d binary permissions
• Version Information (of the following):
  • Sudo
  • MYSQL
  • Postgres
  • Apache
• Default/Weak Credentials:
  • Checks for default/weak Postgres accounts
  • Checks for default root/root access to local MYSQL services
• Searches:
  • Locate all SUID/GUID files
  • Locate all world-writable SUID/GUID files
  • Locate all SUID/GUID files owned by root
  • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
  • List all world-writable files
  • Find/list all accessible *.plan files and display contents
  • Find/list all accesible *.rhosts files and display contents
  • Show NFS server details
  • Locate *.conf and *.log files containing keyword supplied at script runtime
  • List all *.conf files located in /etc
  • Locate mail

Some of the above commands are privileged/and or the related task may be nonexistent and will therefore most likely fail. The user shouldn’t be alerted to failed results, just the output from successful commands should be displayed.

Download LinEnum

Read More

Crunch - Password Cracking Wordlist Generator

Crunch is a wordlist generator where you can specify a standard character set or a character set you specify. crunch can generate all possible combinations and permutations.
Features

• crunch generates wordlists in both combination and permutation ways
• it can breakup output by number of lines or file size
• now has resume support
• pattern now supports number and symbols
• pattern now supports upper and lower case characters separately
• adds a status report when generating multiple files
• new -l option for literal support of @,%^
• new -d option to limit duplicate characters see man file for details
• now has unicode support

Basic Usage

./crunch [min length] [max length] [character set] [options]

./crunch 3 3 ABC\!\@\%
Crunch will now generate the following amount of data: 864 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 216
AAA
AAB
AAC
AA!
AA@
AA%
ABA
...

Download Crunch

Read More

Detekt - scans your Windows computer for traces of known surveillance spyware

Detekt is a free tool that scans your Windows computer for traces of FinFisher and Hacking Team RCS, commercial surveillance spyware that has been identified to be also used to target and monitor human rights defenders and journalists around the world.

In recent years we have witnessed a huge growth in the adoption and trade in communication surveillance technologies. Such spyware provides the ability to read personal emails, listen-in skype conversations or even remotely turn on a computers camera and microphone without its owner knowing about it.

Some of this software is widely available on the Internet, while some more sophisticated alternatives are made and sold by private companies based in industrialized countries to state law enforcement and intelligence agencies in countries across the world.

There is little to no regulation currently in place to safeguard against these technologies being sold or used by repressive governments or others who are likely to use them for serious human rights violations and abuses.

Download Detekt

Read More

Lynis 1.6.4 - Security auditing tool for Unix/Linux systems

Lynis is an open source security auditing tool. Primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even the installation of the software itself is optional!

How it works

Lynis will perform hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determine possible configuration flaws. Lynis goes further and does also test individual software components, checks related configuration files and measures performance. After these tests, a scan report will be displayed with all discovered findings.

Typical use cases for Lynis:

• Security auditing
• Vulnerability scanning
• System hardening

Requirements:

Privileged or non-privileged

Changelog:
New:
- Boot loader detection for AIX [BOOT-5102]
- Detection of getcap and lsvg binary
- Added filesystem_ext to report
- Detect rootsh
Changes:
- Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308]
- Allow OpenBSD to gather information on listening network ports [NETW-3012]
- Don't trigger warning for Shellshock when doing segfault test [SHLL-6290]
- Do not run Apache test on OpenBSD and strip control chars [HTTP-6624]
- Extended AIDE test with configuration validation test [FIND-4314]
- Improved Shellshock test regarding non-Linux support [SHLL-6290]
- Added support for gathering volume groups on AIX [FILE-6311]
- Properly parse PAM lines and add them to report [AUTH-9264]
- Support for boot loader detection on OpenBSD [BOOT-5159]
- Added uptime detection for OpenBSD systems [BOOT-5202]
- Support for volume groups on AIX [FILE-6312]
- Redirect errors when searching for readlink binary

Download Lynis 1.6.4

Read More

DAMM - Differential Analysis of Malware in Memory

An open source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge.

Features

• ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a 'processes' plugin)
• Can run multiple plugins in one invocation
• The option to store plugin results in SQLite databases for preservation or for "cached" analysis
• A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
• The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
• The ability to warn on certain types of suspicious behavior
• Output for terminal, tsv or grepable

Usage

NOTE: Most DAMM output looks better piped through 'less -S' (upper 'S') as in: 
#python damm.py <some DAMM functionality> | less -S (for default output format)

python damm.py -h
usage: damm.py [-h] [-d DIR] [-p PLUGIN [PLUGIN ...]] [-f FILE] [-k KDBG]
               [--db DB] [--profile PROFILE] [--debug] [--info] [--tsv]
               [--grepable] [--filter FILTER] [--filtertype FILTERTYPE]
               [--diff BASELINE] [-u FIELD [FIELD ...]] [--warnings] [-q]

DAMM v1.0 Beta

optional arguments:
  -h, --help            show this help message and exit
  -d DIR                Path to additional plugin directory
  -p PLUGIN [PLUGIN ...]
                        Plugin(s) to run. For a list of options use --info
  -f FILE               Memory image file to run plugin on
  -k KDBG               KDBG address for the images (in hex)
  --db DB               SQLite db file, for efficient input/output
  --profile PROFILE     Volatility profile for the images (e.g. WinXPSP2x86)
  --debug               Print debugging statements
  --info                Print available volatility profiles, plugins
  --tsv                 Print screen formatted output.
  --grepable            Print in grepable text format
  --filter FILTER       Filter results on name:value pair, e.g., pid:42
  --filtertype FILTERTYPE
                        Filter match type; either "exact" or "partial",
                        defaults to partial
  --diff BASELINE       Diff the imageFile|db with this db file as a baseline
  -u FIELD [FIELD ...]  Use the specified fields to determine uniqueness of
                        memobjs when diffing
  --warnings            Look for suspicious objects.
  -q                    Query the supplied db (via --db).

Supported plugins

See #python damm.py --info

apihooks callbacks connections devicetree dlls evtlogs handles idt injections messagehooks mftentries modules mutants privileges processes services sids timers

Download DAMM

Read More

Sparty - MS Sharepoint and Frontpage Auditing Tool

Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.

Functionalities and capabilities !

1. Sharepoint and Frontpage Version Detection!

2. Dumping Password from Exposed Configuration Files!

3. Exposed Sharepoint/Frontpage Services Scan!

4. Exposed Directory Check!

5. Installed File and Access Rights Check!

6. RPC Service Querying!

7. File Enumeration!

8. File Uploading Check!

Requirements

1. This version uses following libraries:

        import urllib2

        import re

        import os, sys

        import optparse

        import httplib

2. Python 2.6 is required.

Usage: sparty.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Frontpage::
    -f FRONTPAGE, --frontpage=FRONTPAGE
                         -- to check access permissions
                        on frontpage standard files in vti or bin directory!

  Sharepoint::
    -s SHAREPOINT, --sharepoint=SHAREPOINT
                         -- to check
                        access permissions on sharepoint standard files in
                        forms or layouts or catalog directory!

  Mandatory::
    -u URL, --url=URL   target url to scan with proper structure

  Information Gathering and Exploit::
    -v FINGERPRINT, --http_fingerprint=FINGERPRINT
                         --
                        fingerprint sharepoint or frontpage based on HTTP
                        headers!
    -d DUMP, --dump=DUMP
                         -- dump credentials from
                        default sharepoint and frontpage files (configuration
                        errors and exposed entries)!
    -l DIRECTORY, --list=DIRECTORY
                         -- check directory listing
                        and permissions!
    -e EXPLOIT, --exploit=EXPLOIT
                        EXPLOIT =  -- exploit vulnerable installations by
                        checking RPC querying and file uploading
    -i SERVICES, --services=SERVICES
                        SERVICES =  -- checking exposed
                        services !
                     services !

  Authentication [devalias.net]:
    -a AUTHENTICATION, --auth-type=AUTHENTICATION
                        AUTHENTICATION =  -- Authenticate with NTLM
                        user/pass !

  General::
    -x EXAMPLES, --examples=EXAMPLES
                        running usage examples !

Download Sparty

Read More

WhoisCL - Get WHOIS records from command-line

WhoisCL is a simple command-line utility that allows you to easily get information about a registered domain. It automatically connect to the right WHOIS server, according to the top-level domain name, and retrieve the WHOIS record of the domain.

It supports both generic domains and country code domains.

System Requirements

• Windows operating system: Windows 98/ME/2000/XP/2003/2008/7/8.
• Internet connection.
• On a firewall, you should allow outgoing connections to port 43. 

Usage

WhoisCL [-r] [-n] [-socks4] [-socks5] Domain

[-r]	If you specify this option, the top remark lines of the WHOIS record are automatically removed.
[-n]	If you specify this option, WhoisCL will get the correct WHOIS server from xx.whois-servers.net, instead of using the internal WHOIS servers list.
[-socks4]	Specifies SOCKS4 proxy to use, in IPAddress:Port format
[-socks5]	Specifies SOCKS5 proxy to use, in IPAddress:Port format
Domain	Domain name.

Examples:
WhoisCL microsoft.com
WhoisCL -r google.com
WhoisCL -n w3c.org
WhoisCL -socks4 192.168.0.55:1080 nirsoft.net
WhoisCL -socks5 192.168.10.55:9980 facebook.com

Download WhoisCL

Read More

MeterSSH - Meterpreter over SSH

As penetration testers, it’s crucial to identify what types of attacks are detected and what’s not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based “next generation” product lines.

MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe.

MeterSSH is easy – simply edit the meterssh.py file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel.

Features

1. Meterpreter over SSH
2. Ability to configure different IP's, addresses, etc. without the need to ever change the shellcode.
3. Monitor for the SSH connection and automatically spawn the shell

Download MeterSSH

Read More

Parrot Security OS - Friendly OS designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting, Privacy/Anonimity and Cryptography

Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting, privacy/anonimity and cryptography. Based on Debian and developed by Frozenbox network.

Who can use it

Parrot is designed for everyone, from the Pro pentester to the newbie, because it provides the most professional tools combined in a easy to use, fast and lightweight pentesting environment, and it can be used also for an everyday use.

Features:

System Specs

• Debian-based system
• Custom hardened linux 3.16 kernel
• Rolling release upgrade line
• MATE desktop environment
• Lightdm Dislpay Manager
• Custom themes, icons and wallpapers

System Requirements

• CPU: x86 compatible processor with at least 800Mhz – non-pae processors require a custom kernel (available via repositories)
• ARCH: i386 (x86-32bit) and amd64 (x86-64bit) supported – armel and armhf coming soon
• RAM: At least 256Mb (i386) / 320Mb (amd64) – 512Mb suggested
• GPU: No graphic acceleration required – propertary drivers installable via repositories
• HDD: 8Gb required – 3.8Gb used
• BOOT: Legacy bios (preferred) or UEFI (experimental)

Pentesting

• Fresh & lightweight pentesting environment
• Easy to use automation tools for beginners
• Must-have professional tools for Pro Pentesters
• Custom tools developed by our team
• External tools developed by our community
• Only a selected set of tools is preinstalled out of the box
• Thousands of other tools are available in our repositories

Cloud

• Parrot Server Edition
• Parrot Cloud Controller
• Custom installation script for Debian VPS
• Cloud Pentesting concept for file hosting and remote distributed computing

Digital Forensic

• “Stealth” option at boot for no partitions or swap mounting
• Most famous Digital Forensic tools and frameworks out of the box

Cryptography

• Custom Anti Forensic tools
• Custom interfaces for GPG
• Custom interfaces for cryptsetup
• NUKE slots for cryptsetup LUKS disks
• Encrypted system installation

Anonymity

• AnonSurf
• Whole-system anonymization
• DNS requests anonymization
• “Change Identity” function for AnonSurf
• BleachBit system cleaner
• NoScript plugin
• UserAgentOverrider plugin

Programming

• FALCON Programming Language (1.0)
• System editor tuned for programming
• Lots of preinstalled compilers/interpreters/debuggers
• Reverse Engineering Tools
• Programming Template Files
• Preinstalled most-used libs

Cryptocurrency

• Cryptocurrency-friendly environment
• Custom compiled wallets available in our software center
• MultiBit
• Bitcoin-qt
• Litecoin-qt
• Feathercoin-qt
• BitLira-qt
• Dogecoin-qt
• Zetacoin-qt
• Other wallets will be available as soon as possible

Download Parrot Security OS

Read More

Pompem - Exploit Finder Script & Web Version

Pompem is an open source tool, which is designed to automate the search for exploits in major databases. Developed in Python, has a system of advanced search, thus facilitating the work of pentesters and ethical hackers. In its current version, performs searches in databases: Exploit-db, 1337day, Packetstorm Security...

This is Pompem Web Version (PHP sintax): WebPompem

Download Pompem

Read More

Radare - The Reverse Engineering Framework

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files

This is the rewrite of radare (1.x branch) to provide a framework with a set of libraries and programs to work with binary data.

Radare project started as a forensics tool, an scriptable commandline hexadecimal editor able to open disk files, but later support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, ..

radare2 is portable.

Architectures:

6502, 8051, arm, arc, avr, bf, tms320 (c54x, c55x, c55+), gameboy csr, dcpu16, dalvik, i8080, mips, m68k, mips, msil, snes, nios II, sh, sparc, rar, powerpc, i386, x86-64, H8/300, malbolge, T8200

File Formats:

bios, dex, elf, elf64, filesystem, java, fatmach0, mach0, mach0-64, MZ, PE, PE+, TE, COFF, plan9, bios, dyldcache, Gameboy and Nintendo DS ROMs

Operating Systems:

Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, FirefoxOS

Bindings:

Vala/Genie, Python (2, 3), NodeJS, LUA, Go, Perl, Guile, php5, newlisp, Ruby, Java, OCAM

Features:

• Multi-architecture and multi-platform
  • GNU/Linux, Android, *BSD, OSX, iPhoneOS, Windows{32,64} and Solaris
  • i8080, 8051, x86{16,32,64}, avr, arc{4,compact}, arm{thumb,neon,aarch64}, c55x+, dalvik, ebc, gb, java, sparc, mips, nios2, powerpc, whitespace, brainfuck, malbolge, z80, psosvm, m68k, msil, sh, snes, gb, dcpu16, csr, arc
  • pe{32,64}, te, [fat]mach0{32,64}, elf{32,64}, bios/uefi, dex and java classes
• Highly scriptable
  • Vala, Go, Python, Guile, Ruby, Perl, Lua, Java, JavaScript, sh, ..
  • batch mode and native plugins with full internal API access
  • native scripting based in mnemonic commands and macros
• Hexadecimal editor
  • 64bit offset support with virtual addressing and section maps
  • Assemble and disassemble from/to many architectures
  • colorizes opcodes, bytes and debug register changes
  • print data in various formats (int, float, disasm, timestamp, ..)
  • search multiple patterns or keywords with binary mask support
  • checksumming and data analysis of byte blocks
• IO is wrapped
  • support Files, disks, processes and streams
  • virtual addressing with sections and multiple file mapping
  • handles gdb:// and rap:// remote protocols
• Filesystems support
  • allows to mount ext2, vfat, ntfs, and many others
  • support partition types (gpt, msdos, ..)
• Debugger support
  • gdb remote and brainfuck debugger support
  • software and hardware breakpoints
  • tracing and logging facilities
• Diffing between two functions or binaries
  • graphviz friendly code analysis graphs
  • colorize nodes and edges
• Code analysis at opcode, basicblock, function levels
• embedded simple virtual machine to emulate code
• keep track of code and data references
• function calls and syscall decompilation
• function description, comments and library signatures

Download Radare

Read More

Webfwlog 1.01 - Web-Based Firewall Log Analysis and Reporting

Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported.

Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.

With Webfwlog you can design reports to use on your logged data in whatever configuration you desire. Included are example reports as a starting point. You can sort a report with a single click, "drill-down" on the reports all the way to the packet level, and save your reports for later use. You can also create a link directly to any saved report.

PREREQUISITES

- A web server with PHP >= 4.1

- Log files in standard netfilter, ipfilter, ipfw, ipchains or Windows XP® format

      or database logs populated with the ULOG or NFLOG target of netfilter,

      or other database logs mapped with a view to ulogd version 1 or 2 schemas

- A MySQL or PostgreSQL database server:

      - MySQL >= 3.23.52 or any production release of 4.x or 5.x

            - MySQL >= 5 required for IPv6

      - PostgreSQL >= 7.1

            - PostgreSQL >= 7.4 required for IPv6

- Your favorite web browser.

Windows XP® support provided via Cygwin.

Download Webfwlog 1.01

Read More

Web Application Protection - Tool to detect and correct vulnerabilities in PHP web applications

WAP 2.0 is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) and with a low rate of false positives. WAP detects and corrects the following vulnerabilities:

• SQL Injection (SQLI)
• Cross-site scripting (XSS)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• Directory Traversal or Path Traversal (DT/PT)
• Source Code Disclosure (SCD)
• OS Command Injection (OSCI)
• PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reaches some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code. WAP is written in Java language and is constituted by three modules:

• Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.


• False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as being a false positive or not (real vulnerability).


• Code Corrector: Each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.     

Download WAP

Read More

ZMap 1.2.1 - The Internet Scanner

ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.

While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space and some users may not appreciate your scanning. 

Command Line Arguments

Common Options

These options are the most common options when performing a simple scan. We note that some options are dependent on the probe module or output module used (e.g. target port is not used when performing an ICMP Echo Scan).

-p, --target-port=port

TCP port number to scan (e.g. 443)

-o, --output-file=name

Write results to this file. Use - for stdout

-b, --blacklist-file=path

File of subnets to exclude, in CIDR notation (e.g. 192.168.0.0/16), one-per line. It is recommended you use this to exclude RFC 1918 addresses, multicast, IANA reserved space, and other IANA special-purpose addresses. An example blacklist file is provided in conf/blacklist.example for this purpose.

Scan Options

-n, --max-targets=n

Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding blacklist)

-N, --max-results=n

Exit after receiving this many results

-t, --max-runtime=secs

Cap the length of time for sending packets

-r, --rate=pps

Set the send rate in packets/sec

-B, --bandwidth=bps

Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B 10M for 10 mbps). This overrides the --rate flag.

-c, --cooldown-time=secs

How long to continue receiving after sending has completed (default=8)

-e, --seed=n

Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.

--shards=n

Split the scan up into N shards/partitions among different instances of zmap (default=1). When sharding, --seed is required

--shard=n

Set which shard to scan (default=0). Shards are indexed in the range [0, N), where N is the total number of shards. When sharding --seed is required.

-T, --sender-threads=n

Threads used to send packets (default=1)

-P, --probes=n

Number of probes to send to each IP (default=1)

-d, --dryrun

Print out each packet to stdout instead of sending it (useful for debugging)

Network Options

-s, --source-port=port|range

Source port(s) to send packets from

-S, --source-ip=ip|range

Source address(es) to send packets from. Either single IP or range (e.g. 10.0.0.1-10.0.0.9)

-G, --gateway-mac=addr

Gateway MAC address to send packets to (in case auto-detection does not work)

-i, --interface=name

Network interface to use

Probe Options

ZMap allows users to specify and write their own probe modules for use with ZMap. Probe modules are responsible for generating probe packets to send, and processing responses from hosts.

--list-probe-modules

List available probe modules (e.g. tcp_synscan)

-M, --probe-module=name

Select probe module (default=tcp_synscan)

--probe-args=args

Arguments to pass to probe module

--list-output-fields

List the fields the selected probe module can send to the output module

Output Options

ZMap allows users to specify and write their own output modules for use with ZMap. Output modules are responsible for processing the fieldsets returned by the probe module, and outputing them to the user. Users can specify output fields, and write filters over the output fields.

--list-output-modules

List available output modules (e.g. tcp_synscan)

-O, --output-module=name

Select output module (default=csv)

--output-args=args

Arguments to pass to output module

-f, --output-fields=fields

Comma-separated list of fields to output

--output-filter

Specify an output filter over the fields defined by the probe module

Additional Options

-C, --config=filename

Read a configuration file, which can specify any other options.

-q, --quiet

Do not print status updates once per second

-g, --summary

Print configuration and summary of results at the end of the scan

-v, --verbosity=n

Level of log detail (0-5, default=3)

-h, --help

Print help and exit

-V, --version

Print version and exit

Download ZMap 1.2.1

Read More

Asterisk Password Spy v3.1 - Windows Asterisk Password Recovery Tool

Asterisk Password Spy is the FREE tool to instantly reveal the hidden password behind asterisks (*****).

It's user friendly interface can help you to easily find the passwords from any Windows based application.You can simply drag the 'search icon' to any password box to find the real password hidden by those asterisks.

Most applications do not display real password in the login box for security reasons and instead they show the asterisks (****). But often there is need to know the actual password especially if you have forgotten password that you have entered while ago.

In such cases, AsteriskPasswordSpy will help you to easily find out the real password hidden behind asterisks.

It works on wide range of platforms starting from Windows XP to latest operating system Windows 8.

Features

• Instantly reveal the hidden password behind asterisks.
• Support most of the windows based applications
• Nice user friendly GUI interface makes it easier & faster
• Show password of any length & complexity
• Sort feature to quickly arrange and search through discovered passwords.
• Save the recovered password list to HTML/XML/CSV file.
• Support for local Installation and uninstallation of the software.

How to Use?

AsteriskPasswordSpy is easy to use with its simple GUI interface. 

Here are the brief usage details

• Launch AsteriskPasswordSpy on your system
• Now simply drag the 'search icon' to any password box to reveal the passwords.
• When you place it over the password box, it will automatically highlight it and password is added to list as shown in the screenshot below.
• Finally you can save all recovered password list to HTML/XML/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.

Download Asterisk Password Spy v3.1

Read More

MLDonkey - multi-protocol P2P file sharing application

MLDonkey is a multi-platform and freely distributed eDonkey client, a P2P (Peer-to-Peer) file-sharing application. It provides users with both a server (daemon) and graphical user interface (GUI).

It seems to be the first ever open source application that could access the eDonkey peer-to-peer file sharing network, as a eDonkey2000 clone. It officially supports the Linux, BSD, Solaris, Mac OS X, MorphOS, and Microsoft Windows operating systems.

Currently, the application supports several large P2P networks, including Overnet, BitTorrent, Fasttrack (Kazaa, Imesh, Grobster), Gnutella (Bearshare, Limewire, etc), Gnutella2 (Shareaza), Soulseek, Opennap, and Direct-Connect (DC++).

Several user interfaces are available for this project, including web-based, native GUIs, Telnet based and basic Wap front-ends. The most simple and effective appears to be the Telnet interface accessible through the command-line (telnet 127.0.0.1 4000) or via the Putty application.

While the Wap interface is extremely simple and provides users only with very basic functionality, such as current download and upload speed, current running downloads, as well as pause, resume, and cancel functions, the web-based interface can be easily accessed with any modern web browser through http://admin@127.0.0.1:4080.

MLdonkey comes by default with a GTK interface. However, there are many open source or commercial GUI (Graphical User Interfaces) front-ends available, including Sancho, KMLdonkey, G2Gui, CocoDonkey, xDonkey, mlMac, Nulu GUI ML, MLdonkeyWatch, phpEselGui, saman, Platero, Alemula, Zuul, JMoule, Web-GMUI, and Rmldonkey.

All the aforementioned MLdonkey interfaces can be used both remotely and locally. Furthermore, it allows users to easily enable or disable P2P networks, perform parallel searches on all enabled peer-to-peer networks, as well as to download files concurrently from multiple clients.

Summing up, MLdonkey is a very powerful and popular P2P client that runs on most operating systems, supports a wide range of peer-to-peer networks, and comes with a plethora of user interfaces.

Features:

• 100% Open Source, GPL license
• runs on Linux, Unix, Solaris, MacOSX, MorphOS and Windows
• The p2p core can run on a resource limited headless computer, with remote GUI clients accessing it over the network.
  • The core is built to run as daemon for days, weeks, ever...
• Several different GUIs available, some of them developed separately.
• Multi-user support: the same core can queue and process downloads for several different users who can't see what the others are downloading.
• Several different file-sharing networks supported:
  • ED2K (and Kademlia and Overnet)
  • BitTorrent
  • DC++
  • (FastTrack, SoulSeek, Gnutella and G2 need work)
• The core can download the same file from several different networks simultaneously.
• Scriptable command-line interface available. It's possible to control all aspects of mldonkey from the CLI.
• Written in ObjectiveCaml, with some parts written in C and some in Assembly. 

Download MLDonkey

Read More