White Hat Hacker Capital Buôn Ma Thuột

Vietnam White Hat Hacker training program in the city of Buôn Ma Thuột, combined with tourism. Arrive as a newbie - leave as a WHITE HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training program on using the Metasploit Framework for penetration testing, or hacking.

C50's Computer Forensics Materials

Study materials on Computer Hacking Forensic Investigation (CHFI) compiled by Security365 for training at C50.

Students with Hacking and Information Security

A student competition on hacking, with web attack challenges for students built on the Hackademic Challenge.

Attack and Defense with BackTrack / Kali Linux

A course on attack and defense with the hackers' professional toolkits BackTrack and Kali Linux, based on Offensive Security content.


[Hook Analyser 3.0] A Freeware Malware Analysis and Cyber Threat Intelligence Software


In terms of improvements, a new module has been added - Cyber Threat Intelligence. The Threat Intel module gathers and analyses information related to cyber threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6 ), or can be run directly.

The module presents its information in a web browser (as a dashboard-style view) with the following sections -
  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography 
  3. Vulnerability / Threat Feed.

Here is the screenshot of the Cyber Threat Intelligence dashboard -




[TestingWhiz] Test Automation Tool


TestingWhiz™ is an easy, intuitive and affordable solution based on a robust FAST® automation engine. It uses effortless and intelligent recording techniques like keyword-driven testing, data driven testing, Excel inputs, object recorder and Java scripting to offer powerful test automation solutions like automated regression testing, cross browser testing, image comparison and language translation.

TestingWhiz easily automates the testing of your web applications on multiple browsers. Record the test case just once and play it back in any browser. TestingWhiz saves your time in doing manual testing for new browser versions. Supported browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera.


System Requirements
Operating System : Windows XP/ Windows Vista/ Windows 7/ Windows 8
Processor : Intel Pentium 4 or later
RAM : 1 GB (2 GB Recommended)
Free Disk Space : 300 MB
Java Version : JRE 6 or later

Browser Support
Internet Explorer: Version 7, 8, 9 and 10
Mozilla Firefox: Version 3.6 to version 20
Google Chrome: Version 19 to version 29
Apple Safari: Version 5.x
Opera: Version 12.x

[ModSecurity v2.7] Open Source Web Application Firewall


ModSecurity is an embeddable web application firewall, which means it can be deployed as part of your existing web server infrastructure (Apache, IIS7 and Nginx).

This deployment method has certain advantages:

  1. No changes to existing network. It only takes a few minutes to add ModSecurity to your existing web servers. And because it was designed to be completely passive by default, you are free to deploy it incrementally and only use the features you need. It is equally easy to remove or deactivate it should you decide you don't want it any more.
  2. No single point of failure. Unlike with network-based deployments, you will not be introducing a new point of failure to your system.
  3. Implicit load balancing and scaling. Because it works embedded in web servers, ModSecurity will automatically take advantage of the additional load balancing and scalability features. You will not need to think of load balancing and scaling unless your existing system needs them.
  4. Minimal overhead. Because it works from inside the web server process there is no overhead for network communication and minimal overhead in parsing and data exchange.
  5. No problem with encrypted or compressed content. Many IDS systems have difficulties analysing SSL traffic. This is not a problem for ModSecurity because it is positioned to work when the traffic is decrypted and decompressed.
ModSecurity is known to work well on a wide range of operating systems. Our customers are successfully running it on Linux, Windows, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.

[CrowdRE] Reverse Engineering Tool


A new project called CrowdRE aims to make reverse engineering of complex applications easier by letting users work in collaboration with each other. Normally, reversing a complicated binary can consume a lot of time; CrowdRE aims to accelerate the process through teamwork.

CrowdRE, which is currently considered to be in an "alpha" stage of development, is available as a plugin for IDA Pro 6.3.120531. With the plugin, developers can reverse engineer one or more functions of a binary and upload the results to a server in the cloud that keeps track of everything in a central database. This lets users benefit from work that other developers have already completed and share their own progress with the rest of the community. The database is searchable, and each function can have several concurrent "commits".


[OWASP CSRFTester] Facilitates Ability to Test Applications for CSRF


OWASP CSRFTester is a tool for testing CSRF vulnerability in websites. Just when developers are starting to run in circles over Cross Site Scripting, the 'sleeping giant' awakes for yet another web-catastrophe. Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws. 

[Faraday] Penetration Test IDE


Faraday introduces a new concept, the Integrated Penetration-Test Environment (IPE): a multiuser penetration-test IDE. It is designed for the distribution, indexation and analysis of the data generated during a security audit. The main purpose of Faraday is to re-use the tools already available in the community and take advantage of them in a multiuser way.

Features:

* +40 Plugins (Metasploit, Amap, Arachni, Dnsenum, Medusa, Nmap, Nessus, w3af, Zap and More!)
* Collaborative support 
* Information Highlighting 
* Knowledge Filtering 
* Information Dashboard 
* Conflict Detection 
* Support for multiple Workspaces 
* IntelliSense Support 
* Easy Plugin Development 
* XMLRPC, XML and Regex Parsers


[APKinspector] Powerful GUI tool to analyze the Android applications

The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code. APKInspector provides both analysis functions and graphic features for users to gain deep insight into malicious apps:
  • CFG
  • Call Graph
  • Static Instrumentation
  • Permission Analysis
  • Dalvik codes
  • Smali codes
  • Java codes
  • APK Information

What’s new?

UI Improvement:
  • Automatic installation
  • Fine-grained Graph View to Source View
  • Call Graph
  • Navigation
  • Better display of Control Flow Graph
New Analysis Features:
  • Reverse the Code with Ded for Java Analysis
  • Static Instrumentation
  • Combine Permission Analysis  

[SSLSmart] Smart SSL Cipher Enumeration


SSLSmart is a highly flexible and interactive tool aimed at improving efficiency and reducing false positives during SSL testing. A number of tools allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings.


    SSLSmart has been tested to work on the following platforms and versions of Ruby:
    Windows: Ruby 1.8.6 with wxruby6 (2.0.0) and builder7 (2.1.2).
    Linux: Ruby 1.8.7/1.9.1 with wxruby (2.0.0) and builder (2.1.2).

[SSL Audit] Remotely scans web servers for SSL support


SSL Audit remotely scans web servers for SSL support. Unlike other tools, it is not limited to the ciphers supported by SSL engines such as OpenSSL or NSS, but can detect all known cipher suites. It features an innovative fingerprinting engine that has not been seen before.

Fingerprint mode (Experimental)

Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways. 


SSL Audit is able to fingerprint :
· IIS7.5 (Schannel) 
· IIS7.0 (Schannel) 
· IIS 6.0 (Schannel) 
· Apache (Openssl) 
· Apache (NSS) 
· Certicom 
· RSA BSAFE 

Known issues:
· False positive on SSLv2 (needs a separate HTTPS request to verify)
· No way to export results


[SSLDigger v1.02] Tool to assess the strength of SSL



SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.

Features:
  • full Browser Support using Microsoft Internet Explorer Browser Control
  • support for operating the tool in batch mode for operating on multiple sites simultaneously
  • the tool supports reporting in three different formats: XML, CSV, HTML
  • limited support for Server Gated Cryptography.

System Requirements
Windows .NET Framework (can be installed using Windows Update)

[BTCrack v1.1] The world's first Bluetooth Pass phrase (PIN) Bruteforce Tool



BTCrack is the world's first Bluetooth pass phrase (PIN) bruteforce tool. BTCrack will bruteforce the Passkey and the Link key from captured pairing* exchanges.


BTCrack was demoed and released at Hack.lu 2007 and 23C3 in Berlin; the video of the presentation is available on Google Video.
To capture the pairing data it is necessary to have a professional Bluetooth analyzer: FTE (BPA 100, BPA 105, others), Merlin, OR to flash a CSR-based consumer USB dongle with special firmware.



Speed Comparison :

· P4 2Ghz - Dual Core 200.000 keys/sec
· FPGA E12 @ 50Mhz 7.600.000 keys/sec
· FPGA E12 @ 75Mhz 10.000.000 keys/sec
· FPGA E14 30.000.000 keys/sec

Changes :
· 1.0 First release
· 1.1 Intermediate Release
    E12 + E14 FPGA Support ( http://www.picocomputing.com)
    Splash Screen
    Process Priority
    Speed increase (+15%)


[Harden SSL/TLS] Hardening the SSL/TLS settings



“Harden SSL/TLS” allows hardening the SSL/TLS settings of Windows 2000, 2003, 2008, 2008R2, XP, Vista and 7. It allows setting SSL policies locally and remotely, allowing or denying certain ciphers/hashes or complete ciphersuites.


Specifically, this tool allows setting policies with regard to which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. A lot of Windows applications use this interface; Google Chrome and Apple Safari are two of them. By changing the settings you can indirectly control which ciphers these applications are allowed to use.

Advanced mode 

· re-enable ECC P521 mode on Windows7 and 2008R2
· Set TLS Cache size and timeout

Known issues:
· The BETA initialises and sets the OS defaults at startup

Changelog :
· Fixed Protocol initialization on Vista/Seven/2008/2008R2 (Adrian F. Dimcev)
· Fixed TLS 1.1 on Vista/2008 (Reported by Adrian F. Dimcev)



[CommView for WiFi 7.0] Wireless Network Monitor and Analyzer



CommView for WiFi is a powerful wireless network monitor and analyzer for 802.11 a/b/g/n/ac networks. Loaded with many user-friendly features, CommView for WiFi combines performance and flexibility with an ease of use unmatched in the industry.

CommView for WiFi captures every packet on the air to display important information such as the list of access points and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for WiFi can help you view and examine packets, pinpoint network problems, and troubleshoot software and hardware.

CommView for WiFi includes a VoIP module for in-depth analysis, recording, and playback of SIP and H.323 voice communications.

Packets can be decrypted utilizing user-defined WEP or WPA-PSK keys and are decoded down to the lowest layer. With over 70 supported protocols, this network analyzer allows you to see every detail of a captured packet using a convenient tree-like structure to display protocol layers and packet headers. Additionally, the product provides an open interface for plugging in custom decoding modules.
A number of case studies describe real-world applications of CommView for WiFi in business, government, and education sectors. 

CommView for WiFi is a comprehensive and affordable tool for wireless LAN administrators, security professionals, network programmers, or anyone who wants to have a full picture of the WLAN traffic. This application runs on Windows XP / Vista/ 7 / 8 or Windows Server 2003 / 2008 / 2012 (both 32- and 64-bit versions) and requires a compatible wireless network adapter. You can also run CommView for WiFi on Macs.


[XSS Cheat Sheet] Bypassing Modern Web Application Firewall XSS Filters


While doing web application penetration testing for our clients, we sometimes have to face a web application firewall that blocks every malicious request/payload.

There are some cheat sheets available on the internet that helped to bypass WAFs in the past. However, those tricks won't work with modern WAFs and the latest browsers.
So there is a need for a new cheat sheet.

One of the top security researchers, Rafay Baloch, has done an excellent job of organizing his own techniques for bypassing modern WAFs and has published a white paper on them.

The paper titled "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters" covers only the techniques needed for bypassing XSS filters.

Rafay promised to write other vulnerabilities' bypassing techniques in his next paper.



[Hasere v0.2] Discover vHosts using Google and Bing


Hasere is a tool that can discover virtual hosts and related file types using the Google and Bing search engines. Optionally, it uses nmap to determine which IP addresses have port 80 or 443 open. After that it uses the Bing search engine to determine which domains are hosted or have been hosted on that IP address. Finally, it searches for the file types configured via the filetype_path parameter for that domain, so you can discover holes for your web pentesting easily. Install the needed libraries:

# apt-get install python-setuptools  
# wget https://github.com/pkrumins/xgoogle/archive/master.zip
# cd xgoogle-master
# python setup.py install
# wget https://github.com/galkan/hasere/archive/master.zip
# unzip master.zip
# cd hasere-master
# ./hasere.py -h
Usage: -s : Subnet Information -t : Timeout Value -f : FileType -n : Use nmap (optional)
# cat data/filetype
php
asp
if you want to determine which ip addresses have opened port 80 or 443, use -n option.
# ./hasere.py  -s 209.92.24.80/28 -t 3 -f data/filetype -n
Ip Address: Host_Name: Google_Output:
----------- ---------- --------------
209.92.24.80 www.linux.org ---
209.92.24.80 www.linux.org ---
209.92.24.90 www.fobusholster.com ---
209.92.24.90 www.fobusholster.com ---
209.92.24.86 www.couturecreations.net www.couturecreations.net/site/cart.php
209.92.24.86 www.couturecreations.net www.couturecreations.net/site/cart.php,
www.couturecreations.net/site/cart.php
209.92.24.95 www.mccaffreys.com www.couturecreations.net/site/cart.php,
www.couturecreations.net/site/cart.php, www.couturecreations.net/site/cart.php
NOTE: It was tested on Kali Linux.

[Cryptocat] Chat Client with encrypted conversations on iPhone and Android


Cryptocat is an experimental browser-based chat client for easy to use, encrypted conversations. It aims to make encrypted, private chat easy to use and accessible. We want to break down the barrier that prevents the general public from having an accessible privacy alternative that they already know how to use. 

Cryptocat is currently available for Chrome, Firefox and Safari. It uses the OTR protocol over XMPP for encrypted two-party chat and the (upcoming) mpOTR protocol for encrypted multi-party chat.


[Harald scan] Bluetooth discovery scanning


Harald Scan is able to determine Major and Minor device class of device, as well as attempt to resolve the device's MAC address to the largest known Bluetooth MAC address Vendor list.

If you are running Harald Scan and see an entry with 'Unknown' in the vendor column, please email me the file that is created in the same directory, named with the first 8 characters of the MAC address.
Feature requests: if you would like to see a feature added to Harald Scan, file an issue report and set the label to Type-Enhancement.

[IP-reputation-snort-rule-generator] A tool to generate Snort rules based on public IP reputation data

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.

Usage



./tepig.pl [ [--file=LOCAL_FILE] | [--url=URL] ] [--csv=FIELD_NUM] [--sid=INITIAL_SID] [--ids=[snort|cisco]] | --help
LOCAL_FILE is a file stored locally that contains a list of malicious domains, IP addresses and/or URLs. If omitted then it is assumed that a URL is provided.
URL is a URL that contains a list of malicious domains, IP addresses or URLs. The default is https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist.
FIELD_NUM is the field number (indexing from 0) that contains the information of interest. If omitted then the file is treated as a simple list.
INITIAL_SID is the SID that will be applied to the first rule. Every subsequent rule will increment the SID value. The default is 9000000.

Examples

Malicious IP address

./tepig.pl --url=https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist is a plain text file containing a list of known bad IP addresses. At the time of writing, the first entry is 108.161.130.191. The first rule output would be:
alert ip any any <> 108.161.130.191 any (msg:"Traffic to known bad IP (108.161.130.191)"; reference:"url,https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"; sid:9000000; rev:0;)
This rule looks for any traffic going to or coming from the bad IP address.

Malicious Domain

./tepig.pl --url=http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt is a plain text file containing a list of known bad domain names. At the time of writing the first entry is *.bethira.com. The first rule output would be:
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for *.bethira.com"; reference:"url,http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/Storm_2_domain_objects_3-11-2011.txt"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|bethira|03|com"; nocase; distance:0; sid:9000000; rev:0;)
This rule looks for any DNS lookup for the bad domain.
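The two rule shapes above (an IP rule matched in both directions, and a DNS-query rule that matches the header of a standard query followed by the length-prefixed labels of the name) are easy to reproduce. The following is an added example written for this page, not tepig.pl's own code: it reads a constructed reputation list, classifies each entry as an address/CIDR or a host name, encodes host names into the `|07|bethira|03|com` label form, and hands out incrementing SIDs from the same 9000000 default. It uses Snort's unquoted `reference:url,...` syntax and `rev:1` rather than the quoted form shown in the tool's output, and it rejects any feed line that is not a clean address or name, so a hostile feed entry cannot inject extra rule options. The feed URL and entries are placeholders.

```python
"""Added example: a small Snort rule generator in the spirit of tepig.pl (not the tool's code)."""
import ipaddress
import re

# Entries we are willing to turn into a DNS rule: an optional leading "*." wildcard,
# then dot-separated labels of letters, digits and hyphens. Quotes, semicolons and
# spaces are rejected so an untrusted feed line cannot smuggle extra rule options.
_DOMAIN_RE = re.compile(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?")


def classify(entry):
    """Return 'ip' for an address or CIDR block, 'domain' for a host name; raise otherwise."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.fullmatch(entry):
        return "domain"
    raise ValueError(f"unsupported or unsafe feed entry: {entry!r}")


def dns_name_content(domain):
    """Encode a name as the length-prefixed labels of a DNS question, e.g. '*.bethira.com' -> '|07|bethira|03|com'."""
    name = domain[2:] if domain.startswith("*.") else domain
    labels = name.rstrip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:          # DNS label length limit
            raise ValueError(f"bad DNS label in {domain!r}")
    return "".join(f"|{len(label):02x}|{label}" for label in labels)


def ip_rule(ip, source_url, sid):
    """Bidirectional rule for traffic to or from a bad address or block."""
    return (f'alert ip any any <> {ip} any (msg:"Traffic to known bad IP ({ip})"; '
            f'reference:url,{source_url}; sid:{sid}; rev:1;)')


def domain_rule(domain, source_url, sid):
    """Rule for a DNS query naming the bad domain (or any host under a wildcard)."""
    if classify(domain) != "domain":
        raise ValueError(f"not a domain entry: {domain!r}")
    # Bytes 2..11 of the DNS message: flags 0x0100 (standard query, RD set) and
    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0, i.e. a plain query for one name; the
    # encoded name must then follow at some distance in the question section.
    return (f'alert udp any any -> any 53 (msg:"Suspicious DNS lookup for {domain}"; '
            f'reference:url,{source_url}; '
            f'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
            f'content:"{dns_name_content(domain)}"; nocase; distance:0; '
            f'sid:{sid}; rev:1;)')


def generate_rules(feed_text, source_url, initial_sid=9000000, csv_field=None):
    """Turn a reputation list into rules; blank lines and '#' comments are skipped, SIDs increment per rule."""
    rules = []
    sid = initial_sid
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split(",")[csv_field].strip() if csv_field is not None else line
        kind = classify(entry)
        rules.append(ip_rule(entry, source_url, sid) if kind == "ip"
                     else domain_rule(entry, source_url, sid))
        sid += 1
    return rules


# Constructed sample feed (documentation addresses and reserved names); not a real blocklist.
SAMPLE_URL = "https://feed.example/blocklist.txt"   # placeholder URL
SAMPLE_FEED = """# constructed sample feed
203.0.113.7
*.bad.example.net
198.51.100.0/24
c2.example.org
"""

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_FEED, SAMPLE_URL):
        print(rule)
```

The DNS rule inherits the caveat that applies to the tool's output as well: it matches only on the question of a standard query over UDP port 53, so lookups carried over TCP, DNS over TLS/HTTPS or a non-standard header are not covered, and the `nocase` match on the label bytes also matches longer names that merely contain the encoded labels.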


[Sahi] Web Test Automation Tool


Sahi Pro is a powerful tool for automation of web application testing. Sahi Pro helps test web applications across different browsers with high reliability and low maintenance. Existing testing teams with minimal programming knowledge can easily get started and contribute to test automation.


Sahi is especially suited for cross-browser/multi-browser testing of complex web 2.0 applications with lots of AJAX and dynamic content. Sahi works well in Agile development environments, enabling rapid automation and maintenance and easily integrating with build systems. Sahi saves time and effort with faster development, less maintenance and fast distributed playback. Sahi runs on any modern browser which supports javascript.

For testing teams in product companies and captive IT units which need rapid reliable web automation, Sahi would be the best choice among web automation tools. 

Record & Playback on Any Browser

Record and playback any web application on any browser, any operating system. Recording saves time and helps non-technical users contribute to automation. The Sahi Controller helps easily identify and experiment with elements on any browser. The same script works on all browsers 

Smart Accessor Identification

Sahi identifies elements in simple stable ways. Sahi works even on applications with dynamic ids, using _near, _in etc. APIs to easily locate one element with respect to another. Sahi can automate applications built using ExtJS, ZK, Dojo, YUI or any other framework. 
AJAX? No Timeout Issues

Sahi’s technology eliminates need for wait statements even for inconsistent page loads and AJAX. Sahi tests are stable and do not fail because of timing issues. Sahi scripts need less code and are easier to maintain. 

Rich Inbuilt Reports and Logs

See complete information of script execution. From concise summaries and graphs across runs, to exact line of script failure in code, get full end to end reporting. All logs are stored in database. Reports can be easily customized. 

Fast Parallel Batch Playback

Club together thousands of Sahi scripts in a suite file and let Sahi execute them in parallel on one machine or distribute them across machines. Cut playback time by up to 90%. Run from the command line, ant, or build and continuous integration systems. 

Simple Powerful Scripting

Sahi Script is based on Javascript. Interact with your File-System, Databases, Excel sheets, CSV files with ease. Call any Java code or library from Sahi Script to get added power. 

Inbuilt Excel Framework

Use the inbuilt Excel Framework to let your business analysts and non technical testers contribute to testing. Easily test from the Controller. Get detailed inbuilt reports.

[THC-Hydra 7.5] Fast Parallel Network Logon Cracker


Hydra is a parallelized network logon cracker which supports numerous protocols to attack; new modules are easy to add, and besides that it is flexible and very fast.

Features
  • IPv6 Support
  • Graphic User Interface
  • Internationalized support (RFC 4013)
  • HTTP proxy support
  • SOCKS proxy support
The tool supports the following protocols

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.


Changelog for 7.5
  • Added module for Asterisk Call Manager
  • Added support for Android where some functions are not available
  • hydra main:
    • reduced the screen output if run without -h, full screen with -h
    • fix for ipv6 and port parsing with service://[ipv6address]:port/OPTIONS
    • fixed -o output (thanks to www417)
    • warning if HYDRA_PROXY is defined but the module does not use it
    • fixed an issue with large input files and long entries
  • hydra library:
    • SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems
    • removed support for old OPENSSL libraries
  • HTTP Form module:
    • login and password values are now encoded if special characters are present
    • ^USER^ and ^PASS^ are now also supported in H= header values
    • if you use the colon as a value in your option string, you can now escape it with \: – but do not encode a \ with \\
  • Mysql module: protocol 10 is now supported
  • SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be defined as an option “TLS” if required. This increases performance.
  • Cisco module: fixed a small bug (thanks to Vitaly McLain)
  • Postgres module: libraries on Cygwin are buggy at the moment, module is therefore disabled on Cygwin

[Blue|Smash] Bluetooth Penetration Testing Suite


Blue|Smash is a free open source bluetooth pentest suite, powered by python for linux. I built Blue|Smash to aid me in my bluetooth adventures and thought others might benefit from my work :D. Here is a list of some of the tools included.

  • Sorbo's Frontline bluetooth sniffer.
  • A bruteforce scanner
  • Mac address spoofer
  • Loads of exploits
  • Autopwn vulnerability checker
  • CSR Firmware Backup/Updater