Hackers Group Of India

Websecurify – Web Security Testing Framework

2009-09-27T13:15:00.000-07:00

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features

1.JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
2.Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
3.Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
4.Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.
5.Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool and there are already tones of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

Wireshark 1.2.1 Released – Network Protocol Analyzer

2009-08-03T02:27:00.000-07:00

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Many of you will know it as Ethereal.

Features

•Deep inspection of hundreds of protocols, with more being added all the time

•Live capture and offline analysis

•Standard three-pane packet browser

•Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others

•Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility

•The most powerful display filters in the industry

•Rich VoIP analysis

•Capture files compressed with gzip can be decompressed on the fly

You can see the full changelog for version 1.2.1 here:
Wireshark 1.2.1 Release Notes

You can download Wireshark 1.2.1 here:
Windows 32-bit – wireshark-win32-1.2.1.exe
Source code – wireshark-1.2.1.tar.bz2

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

2009-08-03T02:20:00.000-07:00

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Bsqlbf first hit the net back in April 2006 with bsqlbf v1.1, then the v2.0 update in June 2008 .This new update adds much better Oracle support.

Databases supported:

•MS-SQL
•MySQL
•PostgreSQL
•Oracle

The 6 Attack Models

•Type 0: Blind SQL Injection based on true and false conditions returned by back-end server

•Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

•Type 2: Blind SQL Injection in “order by” and “group by”.

•Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)

•Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)

•Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:
bsqlbf-v2-3.pl

GFI LANguard 9 Review – Network Security Scanner & Vulnerability Management Tool

2009-08-03T01:50:00.000-07:00

GFI released version 9 of their scanner (overview here) with improvements to the scanning engine and the interface (including the monitoring dashboard which gives you a good heads-up of the scan results).

One of the big positives with LANguard was the ability to detect patch levels and automatically roll out patches over the network. This makes it a very comprehensive solution, the recent versions also include checks to ensure 3rd party software such as Anti-virus solutions are also up to date (full features here).

It’s as easy to install and get up and running as ever, if you do have any issues the Installation Guide is here [PDF].

Getting started with a scan is as easy as clicking 1 button, the interface has been simplified and it’s a lot more attractive . In fact it’s simple enough that non-security IT folks could use it without much problem.

After a scan is complete you have a choice to Analyze or Remediate. The Analysis section will give you fairly detailed instructions on any vulnerabilities found (including a vulnerability level) and full system information including shares, patch levels and so on.

The Remediate section will inform you of missing patches and allow you to apply these. Other than the standard MS patches and service packs you can also deploy 3rd party applications and uninstall rogue software.

Most things in the scanner can be scheduled too so for example if you want to scan outside of office ours or roll out software/patches at the weekend you can set LANguard to do that.

The dashboard is a nice addition which gives you an overview of the network security and the changes in vulnerabilities over time.

It also comes with the generic network utilities like Whois, DNS Lookup, Traceroute & SNMP Walk.

All in all it’s a great tool, especially for those managing Windows based networks. It makes your life a LOT easiest and it makes it easier to manage patches and software across the Domain.

It’s not a hardcore security tool, which means it also appeals to people more in the Sys Admin & Network areas of the industry. If you have any Windows machines do give it a look, perhaps start with the free version below.

You can download the latest version here:
GFI LANguard 9 Download

Pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.

There is also a FREE version available here:

GFI LANguard 9 5-IP Freeware edition

Chinese Firm Writes First SMS Worm

2009-08-03T01:39:00.000-07:00

Once again China is at the forefront! A group of Chinese companies has managed to develop the first SMS worm!

" Three Chinese companies — XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin — created the ‘Sexy Space’ worms or Yxe Worm (Worm:SymbOS/Yxe.D) and submitted to Symbian OS-based phones through the express signing procedure, said F-Secure Security Labs recently.

“The worm is the first text message worm in history,” said Chia Wing Fei, security response senior manager at F-Secure. “Our labs have received few confirmed reports from China and Middle East at the moment.”

The first stage of Symbian’s signing process is done automatically using an antivirus engine, said Chia, adding that once an application has been submitted and scanned, random samples are then submitted for human audit.

However, most applications are not inspected by humans through the express signing procedure, he noted.

An attacker can therefore put a web link pointing to the worm’s web site into a text message and invite the user to download the worm by clicking the link, Chia said. Once activated, the worm will install itself on the device, and send a similar text messages to all phonebook contacts listed, he added.

“These messages are sent in your name and from your phone. It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents,” Chia noted. "

Source: Network World

sqlmap 0.7 Released – Automatic SQL Injection Tool

2009-08-03T01:08:00.000-07:00

Sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes
Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

•Adapted Metasploit wrapping functions to work with latest 3.3 development version too.

•Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.

•Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.

•This make sqlmap 0.7 to work again on Windows too.

•Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).

•HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:
Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Kon-Boot – Reset Windows & Linux Passwords

2009-07-21T01:55:00.000-07:00

Kon-Boot is an prototype piece of software which allows to change contents of a Linux kernel (and now Windows kernel also!!!) on the fly (while booting).

In the current compilation state it allows to log into a Linux system as ’root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

It was mainly created for Ubuntu, later the author has made a few add-ons to cover some other Linux distributions.

Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems listed below. Kon-Boot for Windows enables logging in to any password protected machine profile without without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually – without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot:

•Windows Server 2008 Standard SP2 (v.275)
•Windows Vista Business SP0
•Windows Vista Ultimate SP1
•Windows Vista Ultimate SP0
•Windows Server 2003 Enterprise
•Windows XP
•Windows XP SP1
•Windows XP SP2
•Windows XP SP3
•Windows 7

No special usage instructions are required for Windows users, just boot from Kon-Boot CD/Floppy, select your profile and put any password you want. You lost your password? Now it doesnt matter at all.

It has been tested with the following Linux distributions:

•Gentoo 2.6.24-gentoo-r5 GRUB 0.97
•Ubuntu 2.6.24.3-debug GRUB 0.97
•Debian 2.6.18-6-6861 GRUB 0.97
•Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

The Middler – User Session Cloning & MITM Tool

2009-07-21T01:47:00.000-07:00

The Middler is a Man in the Middle tool to demonstrate protocol middling attacks. Led by Jay Beale, the project involves a team of authors including InGuardians agents Justin Searle and Matt Carpenter. The Middler is intended to man in the middle, or “middle” for short, every protocol for which we can create code.

The current codebase is in the alpha state, but a beta release is coming soon, with better documentation , easier installation, and even more plug-ins.

Plug-ins

•plugin-beef.py – inject the Browser Exploitation Framework (BeEF) into any HTTP requests originating on the local LAN
•plugin-metasploit.py – inject an IFRAME into cleartext (HTTP) requests that loads Metasploit browser exploits
•plugin-keylogger.py – inject a JavaScript? onKeyPress event handler to cleartext forms that get submitted via HTTPS, forcing the browser to send the password character-by-character to the attacker’s server, before the form is submitted.
The author team has done a tremendous amount of research, design and pseudo-code work, fleshing out attacks on web-based e-mail systems and social networking sites.

Dependencies

The Middler depends on the following Python modules:

•scapy
•libpcap
•readline
•libdnet
•beautifulsoup

You can download The Middler here:
middler-alpha-2009022301.tgz

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

2009-07-21T01:41:00.000-07:00

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s a all-in-one multipurpose LiveDVD put together. There’s something in it for everyone.

MultiISO LiveDVD Version 1.0 consists of:

•Backtrack 3
•Damn Small Linux (DSL) 4.2.5
•GeeXboX 1.1
•Damn Vulnerable Linux (Strychnine) 1.4 edition
•Knoppix 5.1.1, MPentoo 2006.1
•Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
•Puppy Linux 3.01
•Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a Torrent link is available, please seed after downloading):

Torrent: EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Damn Vulnerable Web App – Learn & Practise Web Hacking

2009-07-21T01:25:00.000-07:00

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.

Vulnerabilities

•SQL Injection
•XSS (Cross Site Scripting)
•LFI (Local File Inclusion)
•RFI (Remote File Inclusion)

•Command Execution

•Upload Script
•Login Brute Force

Changes

•Added Acunetix scan report.
•All links use http://hiderefer.com to hide referrer header.
•Updated/added ‘more info’ links.
•Moved change log info to CHANGELOG.txt.
•Fixed the exec.php UTF-8 output.
•Moved Help/View source buttons to footer.
•Fixed phpInfo bug.
•Made DVWA IE friendly.
•Fixed html bugs.
•Improved README.txt and fixed typos.
•Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock..but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommend that you download and install XAMP onto a local machine inside your LAN which is used solely for testing.

You can download DVWA 1.0.4 here:
dvwa_v1.0.4.zip

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

2009-07-21T01:07:00.000-07:00

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Databases supported:

•MS-SQL
•MySQL
•PostgreSQL
•Oracle

The 6 Attack Models

•Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
•Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
•Type 2: Blind SQL Injection in “order by” and “group by”.
•Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
•Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
•Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:
bsqlbf-v2-3.pl

Fiddler - Web Debugging Proxy For HTTP(S)

2009-05-18T12:03:00.000-07:00

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

If you want some info on how to use Fiddler for debugging you can check here:

Fiddler Can Make Debugging Easy

You can download Fiddler here:

Fiddler2Setup.exe

FBController - The Ultimate Utility to Control Facebook Accounts

2009-05-18T11:56:00.000-07:00

Just to put a downer on all the script kiddies, this utility WILL NOT hack/crack Facebook passwords or accounts.

You need to feed it biscuits (cookies) before you can do anything.

You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like.

Once you have the cookies you can use FBController to have Full control over the target’s Facebook account.

Login to your Facebook account and sniff your own cookie OR collect a few live Facebook Biscuit/s of your Target/s.

Till now FBController version 1.0 uses your Target’s provided cookie and only :

A > Downloads the HomePage.
B > Allows you to Update the Target’s Wall and
C > Retrieve your Target’s Friend’s List

There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc.

FBConTroller was entirely written without knowing any of Facebook’s Dev API’s. Considering the above along with Facebook’s complexity, the next version might take some time to get released

You can download FBController here:

FBConTroller.RAR

Durzosploit v0.1 - JavaScript Exploit Generation Framework

2009-05-18T11:49:00.000-07:00

Durzosploit is a JavaScript exploit generation framework that works through the console. This goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

Please note that Durzosploit does not find browser vulnerabilities, it only is an framework containing exploits you can use.

At present there aren’t many exploits:

•twitter.com/update_status - Updates a target’s status
•twitter.com/update_settings - Updates your target’s settings
•facebook.com/what_is_on_your_mind - Write your message in your target’s mind
•drupal/edit_user_profile - Drupal 6.x - edit the profile of the user
•drupal/logout - Drupal 6.x - makes target logout
So far the author’s focus has been on the framework itself; allowing people to quickly write their exploits and adding some automated obfuscators.

Durzosploit provides some obfuscators to automatically pack/minify your generated exploit.

You can download the latest version from the Durzosploit SVN here:

svn co svn://www.engineeringforfun.com/svn/durzosploit/trunk

Pangolin - Automatic SQL Injection Tool

2009-05-18T11:43:00.000-07:00

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Database Support

•Access: Informations (Database Path; Root Path; Drivers); Data
•MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
•MySql: Informations; Data; FileReader; FileWriter;
•Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
•Informix: Informatons; Data
•DB2: Informatons; Data; and more;
•Sybase: Informatons; Data; and more;
•PostgreSQL: Informatons; Data; FileReader;
•Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:

pangolin_free_edition_2.1.2.924.rar (Download Page)

Samurai Web Testing Framework 0.6 Released - Web Application Security LiveCD

2009-05-18T11:39:00.000-07:00

" The authors of Samurai have updated and fixed a number of issues with the environment as well as improved performance of the java based tools. They have also included a virtual machine of the environment. This VM requires VMWare. "

For those that don’t know, Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. There are tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

You can download SamuraiWTF 0.6 here:

samurai-0.6.iso

Charles Web Debugging Proxy - HTTP Monitor & Reverse Proxy

2009-04-22T14:30:00.001-07:00

Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).

Charles can act as a man-in-the-middle for HTTP/SSL communication, enabling you to debug the content of your HTTPS sessions.

Charles simulates modem speeds by effectively throttling your bandwidth and introducing latency, so that you can experience an entire website as a modem user might (bandwidth simulator).

Charles is especially useful for Adobe Flash developers as you can view the contents of LoadVariables, LoadMovie and XML loads. Charles also has native support for Flash Remoting (AMF0 and AMF3).

Charles is also useful for XML development in web browsers, such as AJAX (Asynchronous Javascript and XML) and XMLHTTP, as it enables you to see the actual XML that is flowing between the client and the server. Charles natively supports JSON, JSON-RPC and SOAP; displaying each in a simplified tree format for easy viewing and debugging.

You can download Charles Proxy here:

Windows - charles_setup.exe
Linux / Unix - charles.tar.gz
Mac OS X - charles_macosx.zip

EFIPW - Modify Apple EFI Firmware Passwords

2009-04-22T14:22:00.000-07:00

EFIPW is a tool that can be used to decode and modify Apple EFI firmware passwords via the command line. It is designed after the non open source OFPW utility and is designed to work on Intel machines running Leopard or newer. Useful for lab deployments (setting the firmware password of machines as a post install item) and pen tests (recovering the EFI firmware password).

Tested on:
•Core Duo (1st gen) Macbook Pro 15″
•Core 2 Duo Macbook Pro 15″

Technical details on how it works here.

You can download EFIPW v0.1a here:

efipw_v0.1a.zip

ike-scan - IPsec VPN Scanning, Fingerprinting and Testing Tool

2008-11-25T05:20:00.000-08:00

ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

ike-scan allows you to:
Send IKE packets to any number of destination hosts, using a configurable output bandwidth or packet rate. (This is useful for VPN detection, when you may need to scan large address spaces.)
Construct the outgoing IKE packet in a flexible way. (This includes IKE packets which do not comply with the RFC requirements.)
Decode and display any returned packets.
Crack aggressive mode pre-shared keys. (You can use ike-scan to obtain the PSK hash data, and then use psk-crack to obtain the key.)

You can read more in depth about ike-scan and how to use it - in the User Guide.

ike-scan is free software, licensed under the GPL. It runs on Windows, Linux and most Unix systems. If you don’t already have ike-scan installed on your system, read the installation guide.

You can download ike-scan 1.9 here:

Source distribution: ike-scan-1.9.tar.gz

Windows binary: ike-scan-win32-1.9.zip

Browser Rider - Web Browser Exploitation Framework

2008-11-25T05:12:00.000-08:00

Browser Rider is a hacking framework to build payloads that exploit the browser. The project aims to provide a powerful, simple and flexible interface to any client side exploit.
Browser Rider is not a new concept. Similar tools such as BeEF or Backframe exploited the same concept. However most of the other existing tools out there are unmaintained, not updated and not documented. Browser Rider wants to fill those gaps by providing a better alternative.

Features
Easily create powerful payloads and plugins
Manage payloads automatically with plugins
All data can be saved in a database
Obfuscation
Polymorphism
Control more than one zombie at a time
Simple administration panel

Requirements
PHP 5, with json installed
Mysql
Apache with url_rewrite on
Targets must have Javascript turned on
You can download Browser Rider here:

Browser Rider v20081124 (changelog)

XSS-Proxy - Cross Site Scripting Attack Tool

2008-10-26T13:09:00.000-07:00

XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not famliar with XSS, then I recommend you check out the primer links/docs below to get a better of idea of what XSS is and how to detect it, fix it, and exploit it.

CERT info on XSSCGISecurity’s Cross Site Scripting FAQ

Gunter Ollmann’s XSS paper

PeterW’s Cross Site Request Forgery (CSRF) Concept

SecureNet’s Session Riding paper

Some Common Misconceptions about XSS

“A user has to click a link to be impacted by XSS.” No - if you visit a page that has
stuff_to_run your browser will run it regardless of you clicking a link. I carefully crafted this example so it would not be run by your browser, but I could have put real script tags/commands here and made you run then transparently.
“XSS only matters with bulliten boards, blogs, and other sites where an attacker can upload script content.” That is one way the attack can happen, but an attacker can also leverage sites that allow HTML/SCRIPT tags to be reflected back to the same user (like a search form that repeats what it was told to look for in the response). These flaws are commonly combined with public site redirects or emails to attack a second site.
“Don’t XSS attacks just create popup windows, alerts and other pesky things?” No - They are commonly used to reveal your cookies or form based login info to attackers. After havesting this info, the attacker uses it to log into the same site as you.
“I understand XSS, but I don’t think it’s a huge issue“. I think you’ll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.

You can download XSS-Proxy here:
XSS-Proxy_0_0_12-book.pl

Psad - Intrusion Detection and Log Analysis with iptables

2008-09-27T13:52:00.000-07:00

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap.

When combined with fwsnort and the Netfilter string match extension, psad is capable of detecting many attacks described in the Snort rule set that involve application layer data. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate.

For more information, see the complete list of features offered by psad.

psad is developed around three main principles:

Good network security starts with a properly configured firewall.
A significant amount of intrusion detection data can be gleaned from firewalls logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches as in Netfilter’s case).

Suspicious traffic should not be detected at the expense of trying to also block such traffic.

You can download psad v2.1.4 here:

psad-2.1.4.tar.gz (Source tar)

psad-2.1.4-1.i386.rpm (i386 binary RPM).

Web Application Security Statistics for 2008

2008-09-27T13:46:00.000-07:00

Purpose

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by Mitre CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications, this project tries to be the equivalent for custom web applications.

Goals
Identify the prevalence and probability of different vulnerability classes
Compare testing methodologies against what types of vulnerabilities they are likely to identify.

Methodology

The statistics was compiled from web application security assessment projects which were made by the following companies in 2007 (in alphabetic order):

Booz Allen HamiltonBTCenzic with Hailstorm and ClickToSecured
blogic.it
HP Application Security Center with WebInspect
Positive Technologies with MaxPatrol
Veracode with Veracode Security Review

WhiteHat Security with WhiteHat Sentinel

Read the full report here:
http://www.webappsec.org/projects/statistics/

Surf Jack - Cookie Session Stealing Tool

2008-09-27T13:42:00.000-07:00

A tool which allows one to hijack HTTP connections to steal cookies - even ones on HTTPS sites! Works on both Wifi (monitor mode) and Ethernet.

Features:

Does Wireless injection when the NIC is in monitor mode
Supports Ethernet
Support for WEP (when the NIC is in monitor mode)

Known issues:

Sometimes the victim is not redirected correctly (particularly seen when targeting Gmail)
Cannot stop the tool via a simple Control^C. This is a problem with the proxy

Requires:

Python 2.4
Scapy

You can download Surf Jack here:
surfjack-0.2b.zip

Ohrwurm - RTP Fuzzing Tool (SIP Phones)

2008-09-27T13:33:00.000-07:00

ohrwurm is a small and simple RTP fuzzer, it has been tested it on a small number of SIP phones, none of them withstood the fuzzing.

Features:

reads SIP messages to get information of the RTP port numbers
reading SIP can be omitted by providing the RTP port numbers, so that any RTP traffic can be fuzzed
RTCP traffic can be suppressed to avoid that codecs learn about the “noisy line”
special care is taken to break RTP handling itself
the RTP payload is fuzzed with a constant BER
the BER is configurable
requires arpspoof from dsniff to do the MITM attack
requires both phones to be in a switched LAN (GW operation only works partially)

You can download ohrwurm 0.1 here: ohrwurm-0.1.tar.bz2