Most of today's fingerprinting tools focus on server-side services. Well-known and widely accepted implementations of such utilities are available for HTTP web services, SMTP mail servers, FTP servers and even telnet daemons. Of course, many attack scenarios focus on server-side attacks.

Client-based attacks, especially those targeting web clients, are becoming more and more popular. Browser-targeted attacks, drive-by pharming and web-based phishing present a broad spectrum of threats while surfing the world wide web. Attackers might initiate and optimize their attacks by fingerprinting the target application to find the best possible way to compromise the client.

The browserrecon project aims to prove that client-side fingerprinting is possible and useful too. In this particular implementation, currently available in PHP only, the web browser is identified by the HTTP requests it sends. Similar to the HTTP fingerprinting provided within httprecon, the header lines and values are analyzed and compared to a fingerprint database.
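As an added example (not browserrecon's own code or database), here is a Python sketch of the header-based approach: a constructed table of header orderings per client family, a scoring function, and a check that flags a User-Agent whose claimed family does not match the best-scoring header pattern. The header orderings, User-Agent markers and sample requests are illustrative assumptions, not measurements.

```python
"""Header-order fingerprinting of HTTP clients, in the spirit of browserrecon.
Added example; the fingerprint table below is constructed, not browserrecon's."""
from typing import Dict, List, Tuple

# Constructed fingerprint database (assumed orderings, for illustration only):
# client family -> request header names in the order that family is assumed
# to emit them. The *order* is the signal, not just which headers appear.
FINGERPRINTS: Dict[str, List[str]] = {
    "firefox": ["host", "user-agent", "accept", "accept-language",
                "accept-encoding", "connection", "upgrade-insecure-requests"],
    "chrome": ["host", "connection", "upgrade-insecure-requests", "user-agent",
               "accept", "accept-encoding", "accept-language"],
    "curl": ["host", "user-agent", "accept"],
}

# User-Agent substrings and the family each one claims (constructed).
UA_CLAIMS: List[Tuple[str, str]] = [
    ("curl/", "curl"), ("Firefox/", "firefox"), ("Chrome/", "chrome"),
]

# Constructed sample requests. The second uses curl's header pattern but
# carries a Firefox User-Agent, i.e. a spoofed client identity.
GENUINE_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    "Accept: text/html\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip\r\n"
    "Connection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"
)
SPOOFED_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    "Accept: */*\r\n\r\n"
)


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (request line, ordered headers)."""
    lines = raw.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def score(observed: List[str], reference: List[str]) -> float:
    """Similarity in [0, 1]: half for the header set, half for relative order.
    Order is measured only over headers both sides share, so a client that
    omits a header is not penalised twice."""
    obs_set, ref_set = set(observed), set(reference)
    presence = len(obs_set & ref_set) / len(obs_set | ref_set)
    shared = [h for h in observed if h in ref_set]
    ref_pos = {h: i for i, h in enumerate(reference)}
    pairs = list(zip(shared, shared[1:]))
    if pairs:
        order = sum(1 for a, b in pairs if ref_pos[a] < ref_pos[b]) / len(pairs)
    else:
        order = 1.0 if shared else 0.0
    return 0.5 * presence + 0.5 * order


def fingerprint(raw: str) -> Dict[str, object]:
    """Rank the known families for one request and flag a User-Agent that
    claims a family other than the best-matching header pattern."""
    _, headers = parse_request(raw)
    names = [n for n, _ in headers]
    ranked = sorted(((score(names, ref), fam) for fam, ref in FINGERPRINTS.items()),
                    reverse=True)
    ua = dict(headers).get("user-agent", "")
    claimed = next((fam for needle, fam in UA_CLAIMS if needle in ua), "unknown")
    best = ranked[0][1]
    return {
        "best": best,
        "claimed": claimed,
        "mismatch": claimed not in ("unknown", best),
        "ranked": ranked,
    }


if __name__ == "__main__":
    for label, req in (("genuine", GENUINE_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(label, fingerprint(req))
```

Real browsers vary their header sets by version and request type, so a production table needs many orderings per family and the mismatch flag is a hint for further inspection, not proof of spoofing.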


If you don't know, BackTrack is a top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.

Back in January we mentioned that the BackTrack Live Hacking CD BETA 3 was released; at last the final version is ready for download!

Tools
As usual: updated, sharpened, SVN'ed and armed to the teeth. This release has some special features such as spoonwep, fastrack and other cool additions.

Kernel
2.6.21.5. Yes, yes, stop whining… We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel because the wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibility. All relevant security patches have been applied.

Availability

For the first time we distribute three different versions of BackTrack 3:

* CD version
* USB version
* VMWare version

FREE DOWNLOAD

BackTrack Final 3 Hacking


Pantera actually uses an improved version of SPIKE Proxy and is a project under the umbrella of OWASP.

It’s aiming to be a more automated method for testing Web Application Security.

Features:

* User-friendly custom web GUI (CSS): Pantera itself is a web application that runs inside the browser and can be customized by the user using CSS. Some of the customizations are visual style, colors, fonts, views for easy information access, etc.
* 100% Python: Python is cross-platform, easy to install and use, making it the perfect language of choice.
* Multi-platform (Windows, Linux, etc.) and multi-browser (IE, Firefox, etc.): By using Python, Pantera is cross-platform, and we have made sure Pantera works fine with the most common browsers.
* Supports SSL, NTLM, HTTP Basic: All of this is supported by Pantera, while most open source tools still have problems with things like NTLM.
* Powerful analysis engine: Each web page that Pantera sees is analyzed for several things like comments, scripts, vulnerabilities, hidden tags and more. All this is done in the background, transparently for the user, while testing the website manually, and of course all this info is stored in the database.
* XML data files for configuration and attacks: Pantera uses XML files for configuration, and all the attacks and tests are also stored in XML files, so it's easy to add content to them.
* MySQL support: Most tools do not allow you to save the assessment. While performing an assessment with Pantera you can create a session, so all the info generated during the assessment is stored in the database. You can edit, delete and modify the content of the assessment at will, and continue the next day from the same point you stopped. Currently only MySQL is supported; more databases will be supported in the future.
* Project management: Each assessment is a session. Pantera offers project management to create new, open and delete projects.
* Plug-in support: Pantera offers plug-in support so advanced users can add to and extend its features.
* Report generation: As Pantera can save assessments, it can generate reports with all the gathered data and vulnerabilities found. Some report formats are HTML, XML, PDF, etc. Reports can also be customized!

Requirements:

* Python 2.4
* MySQL 5 (Due to the use of triggers)
* pyOpenSSL
* FormBuild (install script inside Pantera zip)


The latest news in the Gary McKinnon case is that he was trying to fight against extradition: he started off with appeals against US extradition, then won the right to a Lords appeal extradition hearing, then lost the Lords case and went to the European Court.

Sadly it seems he lost his appeal in the European Court of Human Rights and he is to face immediate extradition and trial in the US possibly still under charges of terrorism, which is ridiculous.

The British hacker facing extradition to the US for breaking into the computer systems of the Pentagon and NASA has lost his appeal with the European Court of Human Rights.

Gary McKinnon (42) was hoping to be tried in the UK where the alleged offences took place. The Glaswegian now faces immediate extradition for trial.

McKinnon lost an appeal in the House of Lords last month and applied to the European court for temporary relief on August 12. After yesterday’s verdict, that relief will no longer apply.

So the decision is finally out: after temporary relief until August 28th he was safe in the UK, but now that extradition has been granted he will be heading to the US.

I hope they don't try and make an example of him because he doesn't wish to comply with their wishes; apparently he has Asperger's too (a form of autism).

He has previously declined a deal with the US authorities in which he would receive a shorter sentence in return for a guilty appeal. He now faces up to 60 years in prison although the sentence is likely to be much shorter.

McKinnon’s lawyers are now appealing to the home secretary to allow their client to be tried in the UK as he has recently been diagnosed with Asperger’s Syndrome.

McKinnon denies his activities were a threat to US security and claims he was then motivated by a belief that the computer systems contained information about UFOs that was being concealed from the public.

I really wonder what kind of sentence he will get; he surely won't get the full 60-year terrorism sentence, but still they could be harsh with him.

If I had to make a conservative guess I’d say 3-5 years in the clink, up to a maximum of about 7.

Source: Tech Radar

PRIVACY POLICY

Posted by Bijay | 8:24 AM | 0 comments »

We respect your privacy. All of the personal information that you leave on this site is completely secure. We do not provide this information to any third party without your prior permission. We fully comply with the privacy norms of Google. We have a very strong policy against spam mails. We do not send our newsletters to you unless you subscribe to them. If you have earlier subscribed to our newsletter and now want to stop receiving it, just unsubscribe and you will never see it in your mailbox again.
We reserve the exclusive right to change any of our policies without prior notice.

Username and Password

Posted by Bijay | 3:00 AM | | 0 comments »


SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetration tester inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).

Moreover, this application will get all the parameters you need to test for SQL injection, whether sent by GET or POST, thus avoiding the need to use several applications or a proxy to intercept the data.

The emphasis for this release is maturity, stability and reliability with secondary goals of usability, documentation and innovation.

There’s also a nifty Firefox Extension now.

One of the major improvements is an innovative way to optimize and accelerate the dichotomic (binary) search used in blind SQL injection, saving up to 25% of the time and number of requests.

Added to this it’s now possible to define a range list that will replace a variable (<<@>>) inside a blind SQL injection string and automatically play them for you. That means you can get all the database names from the sysdatabases table in MS SQL without having to input the dbid each time for example.

Also, another great time saver is a new Firefox plugin that launches SQL Power Injector with all the information of the current web page, including its session context. No more time wasted copy-pasting the session cookies after you log in… And of course you can make the easy SQL tests in your browser and use the plugin once you want to search more thoroughly.

To make your life easier there is now a new feature that will compute the diff between a positive condition (1=1) response and a negative condition (1=2) response and display the list for you.

The last major addition is the extensive database Help file (CHM) that contains most of the information you need when you SQL inject. It covers the 5 DBMS supported by SQL Power Injector. In it you can find the system tables and views with their columns, environment variables, useful functions and stored procedures, all with notes on how to use them and why they are useful for SQL injection.

FREE DOWNLOAD

SQL Power Injector 1.2


Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.


Features

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
* Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
* Privilege escalation to sysadmin group if 'sa' password has been found
* Creation of a custom xp_cmdshell if the original one has been removed
* Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

FREE DOWNLOAD

sqlninja 0.2.1-r1

As you all seem to be pretty interested in Inguma, there's something else similar called w3af - the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. We did mention it when it was first released - w3af - Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

* Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
* w3afAgent, a reverse VPN that allows you to route packets through the compromised server
* Good samaritan, a module that allows you to exploit blind sql injections much faster
* 20+ new plugins
* A lot of bug fixes
* A much more stable core

A full plugin

w3af - Plugins

The user's guide can be found here:

users guide

The author has also uploaded the presentation material he made for the T2 conference in Finland - this can serve as a good introduction.

w3af-T2.pdf

FREE DOWNLOAD

w3af Fifth BETA

sqlmap 0.5

Posted by Bijay | 2:40 AM | , | 0 comments »

sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables and columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

Features

* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-ends.
* Can also identify Microsoft Access, DB2, Informix and Sybase.
* Extensive database management system back-end fingerprint based upon:
  - Inband DBMS error messages
  - DBMS banner parsing
  - DBMS functions output comparison
  - DBMS specific features such as MySQL comment injection
  - Passive SQL injection fuzzing
* It fully supports two SQL injection techniques:
  - Blind SQL injection, also known as Inference SQL injection
  - Inband SQL injection, also known as UNION query SQL injection

sqlmap README (HTML and PDF)

FREE DOWNLOAD

sqlmap 0.5

For those that don't know, Inguma is an open source penetration testing and vulnerability research toolkit written completely in Python. The environment is mainly oriented towards attacking Oracle related systems but, anyway, it can be used against any other kind of system.

It’s becoming a mature and useful package! I’m glad to see continued developing and especially that they are concentrating on fixing bugs and improving the modules rather than adding loads of new features and just making it worse.

In this version there are new modules, new exploits, many many bug fixes and enhancements to existing modules, such as the Oracle related stuff.

PyShellcodelib has been enhanced as well and now supports Mac OS X, but for the moment just BSD syscalls; the Mac syscalls implementation is on the way. You will also notice that it is now object oriented, as opposed to the previous versions.

Along with the aforementioned changes, there are 5 new Oracle modules: 4 modules for bugs fixed in the Critical Patch Update of January 2008 and one skr1pT k1|>i3 like module for the Oracle PL/SQL gateway flaw. Give the module the target's address and port and run "oragateway". The module will automagically guess the correct DAD and bypass technique. After that an SQL terminal will be opened.

The new modules added to the framework are the following:

* nikto: A plugin that uses Nikto based databases (Thank you, Sullo!).
* archanix: As you may imagine, it gathers information from archaic Unix services.
* brutesmtp: A brute forcer for SMTP servers.
* anticrypt: A tool to guess the encryption algorithm of a password’s hash. It saves a lot of time when auditing passwords.

FREE DOWNLOAD

Inguma 0.0.7.2


Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

* Linux
* FreeBSD
* Mac OS X

Features

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
* Bruteforce of 'sa' password, both dictionary-based and incremental
* Privilege escalation to 'sa' if its password has been found
* Creation of a custom xp_cmdshell if the original one has been disabled
* Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames


FREE DOWNLOAD

sqlninja 0.2.2


SQL Injection Tool for MS-SQL

We've been following the development of sqlninja since the early days; it's growing into a well matured and more polished tool with advanced features.

Sqlninja is a tool written in Perl to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
* Bruteforce of 'sa' password, both dictionary-based and incremental
* Privilege escalation to 'sa' if its password has been found
* Creation of a custom xp_cmdshell if the original one has been disabled
* Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
* Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja! See it in action here.

What’s new in 0.2.3?

* A Metasploit3 wrapper, which allows the user to use SQL Injection to execute Metasploit payloads on the remote DB server
* Several other minor improvements

Free Download


Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool

There are quite a lot of SQL Injection tools available and now there is one more to add to the stable for testing - Bsqlbf V2, which is a Blind SQL Injection Brute Forcer.

The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind SQL injection against a MySQL backend database; this new version supports blind SQL injection against the following databases:

* MS-SQL
* MySQL
* PostgreSQL
* Oracle

It supports injection in string and integer fields. The feature which separates this tool from all other SQL injection tools is that it supports custom SQL queries supplied with the -sql switch.

It supports 2 modes of attack:

1. Type 0: Blind SQL Injection based on True and False responses
2. Type 1: Blind SQL Injection based on True and Error responses (details)
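Seen from the defender's side, the two probe styles above (and SQL Power Injector's 1=1 versus 1=2 response diff) leave a recognisable trace: the same parameter receives a condition that is always true and one that is always false, and the two responses differ either in size (True/False) or in status code (True/Error). The following added Python example, which is not part of any of the tools discussed, parses constructed combined-format access-log lines and reports such pairs per client, path and parameter.

```python
"""Detecting paired true/false SQL injection probes in web server logs.
Added example (not from SQL Power Injector or bsqlbf); log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access log. 10.0.0.5 probes id= with a 1=1 / 1=2
# pair and gets two 200 responses of different size (a true/false oracle);
# 10.0.0.9's false condition makes the application fail with a 500 instead
# (a true/error oracle); 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2008:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2008:10:00:02 +0000] "GET /item.php?id=5%20AND%201=1 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2008:10:00:03 +0000] "GET /item.php?id=5%20AND%201=2 HTTP/1.1" 200 1536
10.0.0.9 - - [01/Jan/2008:10:05:00 +0000] "GET /item.php?id=7%20AND%201=1 HTTP/1.1" 200 2100
10.0.0.9 - - [01/Jan/2008:10:05:01 +0000] "GET /item.php?id=7%20AND%201=2 HTTP/1.1" 500 512
10.0.0.7 - - [01/Jan/2008:10:06:00 +0000] "GET /item.php?id=9&page=2 HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A numeric comparison such as 1=1 or 1=2 embedded in a parameter value.
PRED_RE = re.compile(r"\b(\d+)\s*=\s*(\d+)\b")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
        # parse_qsl splits each pair on the first '=' only, so "5%20AND%201=1"
        # survives as the decoded value "5 AND 1=1" of parameter "id".
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def detect_boolean_probes(log_text: str) -> List[Dict[str, object]]:
    """Group requests by (client, path, parameter) and report every group in
    which the same parameter was sent both a true and a false condition."""
    seen: Dict[tuple, Dict[str, list]] = defaultdict(lambda: {"true": [], "false": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            m = PRED_RE.search(value)
            if m is None:
                continue
            truth = int(m.group(1)) == int(m.group(2))
            seen[(rec["ip"], rec["path"], name)]["true" if truth else "false"].append(
                (rec["status"], rec["size"])
            )
    findings = []
    for (ip, path, name), obs in sorted(seen.items()):
        if not (obs["true"] and obs["false"]):
            continue  # a lone 1=1 can be legitimate; the pair is the signal
        true_ok = all(s < 500 for s, _ in obs["true"])
        false_err = any(s >= 500 for s, _ in obs["false"])
        kind = "true/error" if true_ok and false_err else "true/false"
        findings.append({
            "ip": ip, "path": path, "param": name, "kind": kind,
            # Size difference between the two branches: the "diff" a blind
            # injection tool keys on when both branches return 200.
            "size_delta": abs(obs["true"][0][1] - obs["false"][0][1]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_boolean_probes(SAMPLE_LOG):
        print(finding)
```

Only GET parameters are visible in a standard access log; POST bodies need request logging at the proxy or application layer to apply the same check.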

Free Download

Bsqlbf V2

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

It ships with Automated Attack modules which allow the dumping of whole databases for the following DBMS:

* MS-SQL Server
* ORACLE
* MySQL (experimental)

Attack Templates for:

* MS Access
* MySQL
* ORACLE
* PostgreSQL
* MS-SQL Server

You can also write your own attack template for any other database (see the manual for details). New attack templates and exploits for specific web applications can be shared via the Exploit Repository.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It supports :

* Blind SQL Injection (Boolean Injection)
* Full Blind SQL Injection (Time Based)
* Deep Blind SQL Injection (a new way to exploit BSQLIs, explained here)
* Error Based SQL Injection

It offers a Metasploit-like exploit repository to share and update exploits and attack templates.

Free Download

BSQL Hacker

Google Hacking Back in The News - Google Takes Action

Google hacking was the big thing back in 2004 (I actually did a talk on it at Hack in the Box 2004); it's resurfaced again as a serious threat, with Google noticing more queries relating to things like social security numbers.

The Google Hacking Database has been active for years now and there are hundreds of queries that can bring up juicy information. Goolag was also released this year which gives a much easier, automated way of Google Hacking for specific domains or info.

Search engines such as Google are increasingly being used by hackers against Web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from Web sites using targeted search terms, said Amichai Shulman, founder and CTO for database- and application-security company Imperva.

The fact that Social Security numbers are even on the Web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against Web sites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

It seems like it's becoming big business on both sides: finding information and vulnerable sites, and gaming Google into dropping pages from the index (blackhat SEO).

Even with the throttling it'll still continue; people will find smarter ways to make the queries so they're not blocked, and they'll build rate limiting into their tools so they don't get dropped. The bad guys have plenty of patience, trust me on that.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.

“This is no more a script kiddy game — this is a business,” Shulman said. “This is a very powerful hacking capability.”

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

“In 2004, this was science fiction,” Shulman said. “In 2008, this is a painful reality.”

Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable Web sites.

As they said, this is not some script kiddy stuff, with the amount of queries going on and the complexity this is some serious business!

Any pen-test or vulnerability assessment should have an information gathering stage and it’s here you should be using Google Hacking techniques and tools to uncover anything on the domain or company infrastructure that shouldn’t be there.

Just be warned that this kind of stuff is on the up, so brief your clients on the dangers and make sure this step is included in the audit.

Source: Network World

SQL Injection Tool

MultiInjector claims to be the first configurable automatic website defacement software; I'm not sure if that's a good thing or a bad thing.

Features

* Receives a list of URLs as input
* Recognizes the parameterized URLs from the list
* Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
* Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
* OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
* Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
* Optional use of an HTTP proxy to mask the origin of the attacks

Requirements

* Python >= 2.4
* Pycurl (compatible with the above version of Python)
* Psyco (compatible with the above version of Python)

Free Download

MultiInjector

sapyto v0.98

Posted by Bijay | 10:52 PM | , | 0 comments »

SAP Penetration Testing Framework Tool

sapyto is the first SAP Penetration Testing Framework; it provides support to information security professionals in SAP platform discovery, investigation and exploitation activities.

sapyto is periodically updated with the outcome of the deep research on the various security aspects in SAP systems.

Although sapyto is a versatile and powerful tool, it is of major importance for it to be used by consultants who are highly skilled and specialized in its usage, preventing any interference with your organization’s usual SAP operation.

This version is mainly a complete re-design of sapyto’s core and architecture to support future releases. Some of the new features now available are:

* Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.
* Plugins are now divided in three categories: Discovery, Audit & Exploit.
* Exploit plugins now generate shells and/or sapytoAgent objects.
* New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more…
* Plugin-developer interface drastically simplified and improved.
* New command switches to allow the configuration of targets/scripts/output independently.
* Installation process and general documentation improved.


Free Download

sapyto v0.98


sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.

Some of the new features include:

* Major enhancement to get the list of targets to test from a Burp proxy requests log file path or a WebScarab proxy 'conversations/' folder path with option -l;
* Major enhancement to support the Partial UNION query SQL injection technique;
* Major enhancement to test if the web application technology supports stacked queries (multiple statements) by providing option --stacked-test, which will someday also be used by the takeover functionality;
* Major enhancement to test if the injectable parameter is affected by a time-based blind SQL injection technique by providing option --time-test;
* Major bug fix to correctly enumerate columns on Microsoft SQL Server;
* Major bug fix so that when the user provides a SELECT statement to be processed with an asterisk as columns, it now also works if no database name is specified in the FROM clause;

Free Download

sqlmap 0.6.3 (Linux)
sqlmap 0.6.3 (Windows)


MultiInjector v0.3 - Automatic SQL Injection and Defacement Tool

You might remember a while ago we posted about MultiInjector, which claims to be the first configurable automatic website defacement tool; it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad, I think people deserve to know what is out there.

Features

* Receives a list of URLs as input
* Recognizes the parameterized URLs from the list
* Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
* Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
* OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
* Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
* Optional use of an HTTP proxy to mask the origin of the attacks

Changes

* Automatic defacement - Try to concatenate a string to all user-defined text fields in DB
* Run any OS command as if you’re running a command console on the DB machine
* Execute SQL commands of your choice
* Enable OS shell procedure on DB - Revive the good old XP_CMDSHELL where it was turned off
* Add administrative user to DB server with password: T0pSeKret
* Enable remote desktop on DB server
* Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
* Added numeric / string parameter type detection
* Improved defacement content handling by escaping quotation marks
* Improved support for Linux systems
* Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

Free Download

MultiInjector v0.3

Another big flaw has been discovered in Microsoft software just a few days after they broke their patch cycle to issue a patch for the IE bug that allowed remote code execution.

This time, however, it doesn't really affect home users or the general consumer; it's a more specific server-side vulnerability affecting Microsoft SQL Server 2000 and 2005. It seems pretty serious though, as it also appears that this vulnerability, if exploited properly, could lead to remote code execution.

Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software. Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.

Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.

Again, I wonder how far behind the curve Microsoft is with this. Usually these kinds of bugs have been discovered by the more malicious parties way before Microsoft has any idea that its software is vulnerable.

Microsoft claims that the code hasn’t been used in online attacks, but honestly, if it was used well by a smart party, who would even know? SQL injection could lead to this attack being executed and the code is published online, so I find it unlikely that it hasn’t been used.

The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.

This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise windows systems.”

The bug was discovered by someone in April this year, so that’s at least 7 months that someone has known about it, but only now, once it has been publicly disclosed, does Microsoft choose to say something about it.

It is a fairly low-risk vulnerability due to the requirements needed to exploit it effectively, but still it’s another chink in the Microsoft armour to add to the (long, long) list.
Read more on this article...

sapyto is the first SAP Penetration Testing Framework. It provides support to information security professionals in SAP platform discovery, investigation and exploitation activities.

sapyto is periodically updated with the outcome of deep research on the various security aspects of SAP systems.

Although sapyto is a versatile and powerful tool, it is of major importance that it be used by consultants who are highly skilled and specialized in its usage, to prevent any interference with your organization’s usual SAP operation.

New in This Version

This version is mainly a complete re-design of sapyto’s core and architecture to support future releases. Some of the new features now available are:

* Target configuration is now based on “connectors”, which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.
* Plugins are now divided in three categories: Discovery, Audit & Exploit.
* Exploit plugins now generate shells and/or sapytoAgent objects.
* New plugins: user account brute-forcing, client enumeration, SAProuter assessment, and more…
* Plugin-developer interface drastically simplified and improved.
* New command switches to allow the configuration of targets/scripts/output independently.
* Installation process and general documentation improved.

FREE DOWNLOAD

Sapyto v0.98
Read more on this article...

An interesting collection of tools for pen-testing including a DoS tool (something you don’t often see publicly released).

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

LetDown is a TCP flooder written after the author read the article by fyodor entitled “TCP Resource Exhaustion and Botched Disclosure”.

ReverseRaider is a domain scanner that uses brute-force wordlist scanning to find a target’s sub-domains, or reverse resolution for a range of IP addresses. This is similar to some of the functionality in DNSenum.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used to scan large ranges of IP addresses and find devices or HTTP servers (there is an alpha version of a GUI for this).

FREE DOWNLOAD

Complemento v0.4b
Read more on this article...

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.

Some of the new features include:

* Major enhancement: get the list of targets to test from a Burp proxy request log file or a WebScarab proxy ‘conversations/’ folder with option -l;
* Major enhancement: support for the partial UNION query SQL injection technique;
* Major enhancement: test whether the web application technology supports stacked queries (multiple statements) with option --stacked-test, which will someday also be used by the takeover functionality;
* Major enhancement: test whether the injectable parameter is affected by a time-based blind SQL injection technique with option --time-test;
* Major bug fix to correctly enumerate columns on Microsoft SQL Server;
* Major bug fix so that when the user provides a SELECT statement with an asterisk as the columns, it now also works if no database name is specified in the FROM clause;
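As an added illustration (not sqlmap’s code, and not from the original post), here is the defender’s side of the three techniques named in that changelog: a Python script that URL-decodes request targets from constructed combined-format access-log lines and flags UNION, stacked-query and time-based patterns. The log lines and the pattern set are this example’s own assumptions; a real deployment would tune the patterns against its application’s traffic.

```python
"""Flag sqlmap-style injection attempts (UNION, stacked queries, time-based
blind) in web server access logs. Added example for this post, not part of
sqlmap; the log lines below are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-log lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2008:10:01:02 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512
192.0.2.44 - - [10/Dec/2008:10:01:05 +0000] "GET /item.php?id=5%20UNION%20ALL%20SELECT%20NULL%2CNULL%2C%40%40version-- HTTP/1.1" 200 900
192.0.2.44 - - [10/Dec/2008:10:01:09 +0000] "GET /item.php?id=5%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512
192.0.2.44 - - [10/Dec/2008:10:01:20 +0000] "GET /item.php?id=5%20AND%20SLEEP%285%29 HTTP/1.1" 200 512
192.0.2.7 - - [10/Dec/2008:10:02:00 +0000] "GET /search.php?q=union+square HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# One pattern per technique named in the sqlmap changelog above.
TECHNIQUES = {
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop|exec|execute|waitfor|declare)\b", re.I),
    "time-based": re.compile(r"\b(sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay\b)", re.I),
}

def decoded_query(target):
    """URL-decoded query string ('+' and %XX expanded) of a request target."""
    return unquote_plus(urlsplit(target).query)

def classify(query):
    """Names of the techniques matched in a decoded query string, sorted for stable output."""
    return sorted(name for name, rx in TECHNIQUES.items() if rx.search(query))

def scan_log(text):
    """Return (client_ip, [techniques]) for each request matching at least one pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        found = classify(decoded_query(m.group("target")))
        if found:
            hits.append((m.group("ip"), found))
    return hits

if __name__ == "__main__":
    for ip, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(techniques)}")
```

Decoding before matching matters: the second sample line is only visible as `UNION ALL SELECT` after `%20` and `%2C` are expanded, and the `union+square` search in the last line shows why the pattern insists on a following `SELECT`.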

FREE DOWNLOAD

SQLmap 0.6.3 (Linux)
SQLmap 0.6.3 (Windows)
Read more on this article...

This is another oldskool tool, but still relevant! TCP and UDP still work in the same way and firewalls/edge devices are still often configured wrongly.

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.
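To make the TTL arithmetic concrete from the gateway’s side, here is an added example (not part of Firewalk or of the original post) that reads a constructed packet capture from a gateway’s outside interface and reports sources whose probes carry TTLs chosen to expire one hop past it, across many ports. The capture, its field layout and the thresholds are assumptions made for the example.

```python
"""Spot Firewalk-style probing in packets captured on a gateway's outside
interface. Added example, not from the Firewalk project; the capture below is
constructed. Field order: epoch_seconds src dst proto dport ttl_on_arrival."""
from collections import defaultdict

# Constructed capture. The gateway sits 3 hops from 198.51.100.9, so the binding
# probe (sent with TTL 3) arrives with TTL 1 and the scan probes (sent with
# TTL 4, "one greater than the gateway") arrive with TTL 2. Ordinary clients
# arrive with TTLs in the tens or above (64/128/255 minus the path length).
SAMPLE_CAPTURE = """\
1228900001 198.51.100.9 203.0.113.5 tcp 80 1
1228900002 198.51.100.9 203.0.113.5 tcp 21 2
1228900002 198.51.100.9 203.0.113.5 tcp 22 2
1228900002 198.51.100.9 203.0.113.5 tcp 23 2
1228900003 198.51.100.9 203.0.113.5 tcp 25 2
1228900003 198.51.100.9 203.0.113.5 udp 53 2
1228900003 198.51.100.9 203.0.113.5 tcp 443 2
1228900004 198.51.100.9 203.0.113.5 tcp 3389 2
1228900005 192.0.2.33 203.0.113.5 tcp 443 117
1228900006 192.0.2.34 203.0.113.5 tcp 80 49
1228900007 192.0.2.99 203.0.113.5 tcp 22 56
1228900007 192.0.2.99 203.0.113.5 tcp 80 56
1228900007 192.0.2.99 203.0.113.5 tcp 443 56
"""

LOW_TTL = 2    # arrives with a TTL that expires within one hop beyond this gateway
MIN_PORTS = 4  # distinct (proto, port) pairs before a source is reported (assumed threshold)

def parse_capture(text):
    records = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, ttl = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "ttl": int(ttl)})
    return records

def find_firewalk_sources(records, low_ttl=LOW_TTL, min_ports=MIN_PORTS):
    """One report per source that sprays many ports with deliberately low TTLs.

    A plain port scan (192.0.2.99 above) arrives with normal TTLs and is not
    reported here: what marks Firewalk is a TTL picked to expire just past the
    gateway, and only the sender can have set that.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["ttl"] <= low_ttl:
            by_src[r["src"]].append(r)
    reports = []
    for src, probes in sorted(by_src.items()):
        ports = sorted({(p["proto"], p["dport"]) for p in probes})
        if len(ports) >= min_ports:
            reports.append({"src": src, "ports": ports,
                            "first_seen": min(p["ts"] for p in probes),
                            "targets": sorted({p["dst"] for p in probes})})
    return reports

if __name__ == "__main__":
    for report in find_firewalk_sources(parse_capture(SAMPLE_CAPTURE)):
        print(report)
```

The signal is the TTL, not the port count alone: the 192.0.2.99 scan touches three ports with a TTL of 56 and is left for an ordinary port-scan detector, while the 198.51.100.9 probes all arrive with TTL 1 or 2, which is what “one greater than the targeted gateway” looks like from the gateway.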

Read more on this article...

Web-Harvest is an Open Source Web Data Extraction tool written in Java. It offers a way to collect desired Web pages and extract useful data from them. To do that, it leverages well-established techniques and technologies for text/XML manipulation such as XSLT, XQuery and regular expressions. Web-Harvest mainly focuses on HTML/XML-based web sites, which still make up the vast majority of Web content. It can also be easily supplemented with custom Java libraries to augment its extraction capabilities.

The process of extracting data from Web pages is also referred to as Web Scraping or Web Data Mining. The World Wide Web, as the largest database, often contains data that we would like to consume for our own needs. The problem is that this data is in most cases mixed together with formatting code, which makes the content human-friendly but not machine-friendly. Manual copy-and-paste is error-prone, tedious and sometimes even impossible. Web software designers usually discuss how to cleanly separate content from style, using various frameworks and design patterns to achieve that. Either way, some kind of merge usually happens on the server side, so that a bunch of HTML is what gets delivered to the web client.

Every Web site and every Web page is composed using some logic. It is therefore necessary to describe the reverse process: how to fetch the desired data from the mixed content. Every extraction procedure in Web-Harvest is user-defined through XML-based configuration files. Each configuration file describes a sequence of processors, each executing some common task, in order to accomplish the final goal. Processors execute as a pipeline: the output of one processor is the input to the next. This is best explained with a simple configuration fragment:

--------------------------------------------------------------------





--------------------------------------------------------------------
When Web-Harvest executes this part of the configuration, the following steps occur:

1. http processor downloads content from the specified URL.
2. html-to-xml processor cleans up that HTML producing XHTML content.
3. xpath processor searches specific links in XHTML from previous step giving URL sequence as a result.

Web-Harvest supports a set of useful processors for variable manipulation, conditional branching, looping, functions, file operations, HTML and XML processing, and exception handling. See the User manual for a technical description of the provided processors.
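Since the configuration fragment itself did not survive on this page, here is an added example, written in Python rather than Web-Harvest’s XML and not taken from the project, that re-creates the three-processor pipeline described in the steps above over a constructed HTML page: an http stage, an html-to-xml stage that repairs the markup into well-formed XHTML, and an xpath stage that pulls out link URLs. The sample page, the tag-repair rules and the final URL-scheme filter are this example’s own.

```python
"""A Web-Harvest-style processor pipeline (http -> html-to-xml -> xpath)
rebuilt in Python with the standard library. Added example, not Web-Harvest's
own code; the 'http' stage reads a constructed page instead of the network."""
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed page: deliberately sloppy HTML (unclosed <p>, bare <br> and <img>)
# of the kind html-to-xml has to repair before XPath can run over it.
SAMPLE_PAGES = {
    "http://example.com/": """<html><head><title>Links</title></head>
<body><p>First<br>line<p>Second
<a href="http://example.com/a.html">A</a>
<a href="/relative.html">B</a>
<a href="javascript:alert(1)">C</a>
<img src="x.png"></body></html>""",
}

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
AUTO_CLOSE = {"p", "li"}   # a new <p> or <li> implicitly closes an open one

def http(url, pages=SAMPLE_PAGES):
    """'http' processor: fetch raw HTML (here from the constructed page map)."""
    return pages[url]

class _Cleaner(HTMLParser):
    """Re-emit HTML as well-formed XHTML: self-close void tags, balance the rest, escape text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []
    def handle_starttag(self, tag, attrs):
        if tag in AUTO_CLOSE and self.stack and self.stack[-1] == tag:
            self.out.append(f"</{self.stack.pop()}>")
        attr_text = "".join(f" {k}={quoteattr(v or '')}" for k, v in attrs)
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{attr_text}/>")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag not in self.stack:
            return                      # stray close tag: drop it
        while self.stack:               # close everything still open inside it
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break
    def handle_data(self, data):
        self.out.append(escape(data))
    def close(self):
        super().close()
        while self.stack:               # close whatever the page left open
            self.out.append(f"</{self.stack.pop()}>")

def html_to_xml(html):
    """'html-to-xml' processor."""
    cleaner = _Cleaner()
    cleaner.feed(html)
    cleaner.close()
    return "".join(cleaner.out)

def xpath(xml_text, path):
    """'xpath' processor: ElementTree's path subset is enough for link extraction."""
    return ET.fromstring(xml_text).findall(path)

def extract_links(url, pages=SAMPLE_PAGES):
    """Run the three processors in sequence; the output of each is the input to the next."""
    links = [a.get("href") for a in xpath(html_to_xml(http(url, pages)), ".//a[@href]")]
    # Scraped content is untrusted input: keep only http(s) and site-relative URLs.
    return [h for h in links if h.startswith(("http://", "https://", "/"))]

if __name__ == "__main__":
    print(extract_links("http://example.com/"))
```

The middle stage is where the work is: `.//a[@href]` would not run at all over the raw page, because the unclosed `<p>` and the bare `<br>` and `<img>` are not XML. The last line of `extract_links` is the scraper-side caveat: a link pulled out of someone else’s page is data, not something to follow or render unchecked.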

Read more on this article...

Sam Spade is one of the oldest network security tools around, in terms of a neat package containing a lot of the stuff you need; it’s one of the first things I used when I got into information security and was on a crusade against spammers and scammers.

It has all kinds of useful tools in a neat graphical interface; a lot of them are available on the command line in Windows, but they aren’t so easy to use there. It’s extremely useful for tracking spam, or ‘UCE’ (Unsolicited Commercial E-mail) as it’s known.

Some of the features included are:

* Ping
* NSlookup
* Whois
* IP block search
* Dig
* Traceroute
* Finger
* SMTP VRFY
* Web browser keep-alive
* DNS zone transfer
* SMTP relay check
* Usenet cancel check
* Website download
* Website search
* Email header analysis
* Email blacklist
* Query Abuse address

Some other cool stuff it does is:

* Each tool displays its output in its own window, and everything is multi-threaded so you don’t need to wait for one query to complete before starting the next one
* Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
* The output from each query is hotlinked, so you can right click on an email address, IP address, hostname or internic tag to run another query on it
* Appending the results of a query to the log window is a single button function
* There’s a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself

FREE DOWNLOAD

Sam Spade
Read more on this article...

The Internet will mark an infamous anniversary on Sunday, when the Morris worm turns 20. Considered the first major attack on the ‘Net, the Morris worm served as a wake-up call to the Internet engineering community about the risk of software bugs, and it set the stage for network security to become a valid area of research and development.

“It was a really big deal,” says Eric Allman, a computer programmer who in 1981 authored sendmail, open source Internet e-mail software, while he was a student at the University of California at Berkeley. Today, Allman serves as chief science officer at Sendmail, a company that sells commercial-grade versions of the software.

“The biggest implication of the Morris worm was that the Internet was very small … and it was considered a friendly place, a clubhouse,” Allman says. “This [attack] made it clear that there were some people in that clubhouse who didn’t have the best interests of the world in mind … This made it clear we had to think about security.”

It was when the Internet first got into the mainstream media and became known to the general public, albeit for the wrong reasons. But still, I doubt anyone expected back then how dependent we would eventually become on the Internet.

Now if something like this happened and 10% of the Internet was down and seriously affected by a worm causing denial of service, the whole world would be in turmoil.

It’d be chaos seriously!

The Morris worm was written by Cornell University student Robert Tappan Morris, who was later convicted of computer fraud for the incident. Today, Morris is a respected associate professor of computer science at MIT.

Launched around 6 p.m. on Nov. 2, 1988, the Morris worm disabled approximately 10% of all Internet-connected systems, which were estimated at more than 60,000 machines.

The Morris worm was a self-replicating program that exploited known weaknesses in common utilities including sendmail, which is e-mail routing software, and Finger, a tool that showed which users were logged on to the network.

The Morris worm was able to break into Sun 3 systems and Digital VAX computers running BSD Unix. The fast-spreading worm kept copying itself and infecting computers multiple times, causing many systems to fail.

It’s an interesting story to read if you are familiar with it and probably even more interesting if you’re not, so do check out the Wiki pages on the history of the situation.

There have been very few worms that have caused such widespread infection and failures. Blaster was quite memorable, and on the virus front I remember CIH was terrible.
Read more on this article...

A US-based prescription processing and benefits firm has taken the unusual step of offering a $1m bounty for information that leads to the arrest and conviction of an unknown group which targeted it in a cyber-extortion scam.

Express Scripts went public last week with news that it received personal details on 75 end users including, in some cases, prescription data. Blackmailers threatened to expose millions of records they claimed were in their possession unless the firm paid up.

The cyber-extortionists responded to a refusal to pay up by moving onto the customers of Express Scripts with similar threats, sent in letters to these various organisations. Express Scripts responded on Tuesday by upping the ante and offering a $1m reward for information that puts the unidentified miscreants behind bars.

Also in situations like this you have to bear in mind the terms and conditions, the reward actually requires that legal action be taken against the criminals and not just their identity known.

Imagine if they are in a country that has no extradition laws or doesn’t have good relations with the US.

In a related move, Express Scripts offered identity restoration services to anyone who becomes a victim of identity theft as a result of its security breach. It has set up a website at esisupports.com to provide information and support to its members - insurance carriers, employers, unions and the like who run health benefit plans. It has also hired risk consulting firm Kroll to help its members.

The cause of the breach that led to the data leak and the extent of the compromise are still under investigation. Beyond saying it “deploys a variety of security systems designed to protect their members’ personal information from unauthorized access”, Express Scripts (which handles a reported 50 million prescriptions a year) has said little about the breach or how it intends to prevent a repetition.

As well as posting a reward, Express Scripts has called in the FBI in its attempts to bring the blackmailers threatening its business to book. Anyone with information on the threats is advised to contact the FBI on 800-CALL-FBI.

It’s interesting that the whole issue of how the data was compromised, and what exactly happened to expose the customer details, has not been explained.

Perhaps the whole thing is a PR management exercise to divert attention away from the real issues, they may have issued the reward in safe knowledge the people involved will never be served justice.

But then that’s just me being a skeptic.
Read more on this article...

Another teen hacker in the news, this guy looks like he has some formidable skills though with the list of crimes he’s perpetrated.

He’s pleaded guilty though, so he should get a reduced sentence and he’s still classified as a juvenile offender being only 17 - so that works in his favour too.

A juvenile hacker with a reputation for stirring up trouble in online gaming groups has admitted to multiple computer felonies, including cyber attacks that overwhelmed his victims with massive amounts of data and the placing of hoax emergency phone calls that elicited visits by heavily armed police teams.

Known by the online handle of Dshocker, the 17-year-old Massachusetts hacker also admitted he breached multiple corporate computer systems, called in bomb threats and engaged in credit card fraud. The defendant, who was identified only by the initials N.H., pleaded guilty to charges in court documents that included one count each of computer fraud and interstate threats and four counts of wire fraud.

Dshocker is best known in hacker and gaming circles as the miscreant said to have perpetrated a series of attacks on members of myg0t, an online confederation dedicated to cheating and disrupting play in online games such as Counter Strike. He also unleashed attacks on other well-known hackers, according to online accounts.

It seems like he’s mixed up in some pretty dodgy online communities and has quite a number of people who have grudges against him.

I think he stepped off the mark a bit when he got engaged in credit card fraud - that’s a really dangerous business and serious if you get caught (which he has unfortunately for him).

To fool police, Dshocker spoofed his phone number so it appeared to originate from a victim who was located thousands of miles away. He obtained the victims’ numbers and addresses by breaking into the computer systems of their internet service providers and accessing subscriber records. Charter Communications, Road Runner, and Comcast are among the ISPs he broke into.

One call falsely reporting a violent crime in progress was made in March to the police department in Seattle. Another in April was made to police in Roswell, Georgia. Both calls originated from a phone located in Dshocker’s home town of Worcester, Massachusetts. He also phoned in a false bomb threat at one school and the presence of an armed gunman at another.

Dshocker didn’t limit his illegal hacking to settling grudges with fellow gamers. From 2005 to earlier this year, he used stolen credit card information to make fraudulent purchases. He also managed to gain free internet access by stealing proprietary software from a large, unnamed electronics company and then using it to modify his cable modem.

He was involved with phone number spoofing too and prank calls about bombs and gunmen. He was also perpetrating all these crimes over free Internet which he’d jacked by stealing the cable modem software.

Apparently he’ll get an 11-month sentence of juvenile detention, which could have been 10 years if he had been tried as an adult.
Read more on this article...

I found an interesting article today which sums up most of the acronyms involved in wireless networks and wireless security and explains them all in brief.
It may clear things up for some people who get overwhelmed by all the jargon, especially with the recent news hitting the mainstream about WPA being partially cracked.

Users have every right to be perplexed by wireless security standards. Faced by an alphabet soup of AES, RADIUS, WEP, WPA, TKIP, EAP, LEAP and 802.1x, many users don’t secure their wireless networks at all. Now that earlier wireless security standards such as Wi-Fi Protected Access and Wired Equivalent Privacy are being cracked, it’s time to examine what all the terms mean and think about changes.

Just about a month ago, in early November, the news came out that the first cracks were appearing in WPA, or Wi-Fi Protected Access, a very popular wireless security standard. The compromise that was accomplished by some researchers was not a real killer, but the affected version of WPA (and the associated encryption process, TKIP, or Temporal Key Integrity Protocol), was always meant as a stopgap standard.

* WEP (Wired Equivalent Privacy)—The old, original, now discredited wireless security standard. Easily cracked.
* WEP 40/128-bit key, WEP 128-bit Passphrase—See WEP. The user key for WEP is generally either 40- or 128-bit, and generally has to be supplied as a hexadecimal string.
* WPA, WPA1—Wi-Fi Protected Access. The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
* WPA2—The trade name for an implementation of the 802.11i standard, including AES and CCMP.
* TKIP—Temporal Key Integrity Protocol. The replacement encryption system for WEP. Several features were added to make keys more secure than they were under WEP.
* AES—Advanced Encryption Standard. This is now the preferred encryption method, replacing the old TKIP. AES is implemented in WPA2/802.11i.
* Dynamic WEP (802.1x)—When the WEP key/passphrase is entered by a key management service. WEP as such did not support dynamic keys until the advent of TKIP and CCMP.
* EAP—Extensible Authentication Protocol. A standard authentication framework. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. Currently there are about 40 different methods implemented for EAP. See WPA Enterprise.
* 802.1x, IEEE8021X—The IEEE family of standards for authentication on networks. In this context, the term is hopelessly ambiguous.
* LEAP, 802.1x EAP (Cisco LEAP)—(Lightweight Extensible Authentication Protocol) A proprietary method of wireless LAN authentication developed by Cisco Systems. Supports dynamic WEP, RADIUS and frequent reauthentication.
* WPA-PSK, WPA-Preshared Key—Use of a shared key, meaning one manually set and manually managed. Does not scale with a large network either for manageability or security, but needs no external key management system.
* RADIUS—Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
* WPA Enterprise, WPA2 Enterprise—A trade name for a set of EAP types. Products certified as WPA Enterprise or WPA2 Enterprise will interoperate (EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC & EAP-SIM)
* WPA-Personal, WPA2-Personal—See Pre-Shared Key.
* WPA2-Mixed—Support for both WPA1 and WPA2 on the same access point.
* 802.11i—An IEEE standard specifying security mechanisms for 802.11 networks. 802.11i uses AES and includes improvements in key management, user authentication through 802.1X and data integrity of headers.
* CCMP—Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol that uses AES.
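As an added example (not from the article or from any of the standards it cites), the following Python script audits a hostapd access-point configuration for the items the glossary marks as superseded (WEP keys, WPA1/TKIP, short pre-shared keys) and shows how a WPA-PSK is derived from the passphrase and SSID. The two hostapd configurations are constructed, the 192.0.2.10 RADIUS address is a documentation-range placeholder, and the 12-character passphrase threshold is this example’s own choice; hostapd itself only enforces 8 to 63 characters.

```python
"""Audit a hostapd configuration against the glossary above (WEP, WPA1/TKIP,
short pre-shared keys) and show how a WPA-PSK is derived. Added example, not
from any of the standards or tools named; both configs are constructed."""
import hashlib

WEAK_CONF = """\
interface=wlan0
ssid=CorpNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=password
"""

HARDENED_CONF = """\
interface=wlan0
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
"""

MIN_PASSPHRASE = 12  # this example's threshold; hostapd only enforces 8..63

def parse_conf(text):
    """hostapd.conf is key=value per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_hostapd(text):
    """Return a list of findings; an empty list means nothing from the glossary's discredited set is in use."""
    cfg = parse_conf(text)
    findings = []
    has_wep = any(k.startswith("wep_key") for k in cfg)
    if has_wep:
        findings.append("WEP keys configured: WEP is discredited and easily cracked")
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA1, bit 1 = WPA2
    if wpa == 0 and not has_wep:
        findings.append("no WPA/WPA2 configured: open network")
    if wpa & 1:
        findings.append(f"wpa={wpa} enables WPA1 (the TKIP interim standard)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP (AES) only")
    passphrase = cfg.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
        findings.append(f"wpa_passphrase is {len(passphrase)} characters, "
                        f"below the {MIN_PASSPHRASE} assumed here for a PSK network")
    return findings

def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits.
    Because the SSID is the salt, one passphrase yields a different PSK on every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ["no findings"])
    print(derive_psk("password", "IEEE").hex())
```

The hardened configuration is the glossary’s “WPA2 Enterprise” shape: WPA2 only (`wpa=2`), CCMP only, and key management handed to a RADIUS server over 802.1X instead of a passphrase everyone shares. `derive_psk` is why the pre-shared-key variant stands or falls on passphrase length: the PSK is a fixed, public function of passphrase and SSID, so the passphrase is the only secret in it.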
Read more on this article...

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery; these include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

The Samurai project team is happy to announce the release of a development version of the Samurai Web Testing Framework. This release is currently a fully functional linux environment that has a number of the tools pre-installed. Our hope is that people who are interested in making this the best live CD for web testing will provide feedback for what they would like to see included on the CD.

Download Samurai here:

samurai-0.3
Read more on this article...

ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

ike-scan allows you to:

* Send IKE packets to any number of destination hosts, using a configurable output bandwidth or packet rate. (This is useful for VPN detection, when you may need to scan large address spaces.)
* Construct the outgoing IKE packet in a flexible way. (This includes IKE packets which do not comply with the RFC requirements.)
* Decode and display any returned packets.
* Crack aggressive mode pre-shared keys. (You can use ike-scan to obtain the PSK hash data, and then use psk-crack to obtain the key.)

ike-scan is free software, licensed under the GPL. It runs on Windows, Linux and most Unix systems. If you don’t already have ike-scan installed on your system, read the installation guide.
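To show what “decode and display any returned packets” involves at the header level, here is an added example (not ike-scan’s own code) that parses the 28-byte ISAKMP header and the generic payload chain of an IKEv1 Phase-1 packet as laid out in RFC 2408, and flags Aggressive Mode, the exchange type whose pre-shared-key hash psk-crack works from. The sample packets are constructed with placeholder payload bodies.

```python
"""Decode the ISAKMP header and payload chain of an IKEv1 Phase-1 packet
(RFC 2408 layout) and flag Aggressive Mode. Added example, not ike-scan's own
code; the packets below are constructed with placeholder payload bodies."""
import struct

# initiator cookie, responder cookie, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
AGGRESSIVE = 4

def build_isakmp(exchange_type, chain, icookie=b"\x11" * 8, rcookie=b"\x00" * 8):
    """Constructed test packet: chain is [(payload_type, body_bytes), ...]."""
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody   # generic payload header
    first = chain[0][0] if chain else 0
    header = ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exchange_type, 0, 0,
                             ISAKMP_HDR.size + len(body))
    return header + body

def parse_isakmp(pkt):
    """Return the decoded header and the payload names in chain order.

    Lengths are checked against the datagram before use: a decoder of unsolicited
    UDP/500 traffic must not trust a packet's own claims about its size.
    """
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_pl, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    payloads, offset, current = [], ISAKMP_HDR.size, next_pl
    while current != 0:
        if offset + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", pkt, offset)
        if plen < 4 or offset + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        payloads.append(PAYLOAD_TYPES.get(current, f"unknown({current})"))
        offset, current = offset + plen, nxt
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "aggressive_mode": exch == AGGRESSIVE,
        "flags": flags,
        "message_id": msg_id,
        "payloads": payloads,
    }

# Constructed samples: SA, KE, NONCE and ID bodies are placeholders, not real contents.
AGGRESSIVE_PKT = build_isakmp(AGGRESSIVE, [(1, b"\x00" * 8), (4, b"\x00" * 16),
                                           (10, b"\x00" * 8), (5, b"\x01" * 6)])
MAIN_MODE_PKT = build_isakmp(2, [(1, b"\x00" * 8)])

if __name__ == "__main__":
    for pkt in (AGGRESSIVE_PKT, MAIN_MODE_PKT):
        info = parse_isakmp(pkt)
        note = "Aggressive Mode: PSK-based hash travels unencrypted" if info["aggressive_mode"] else ""
        print(info["exchange"], info["payloads"], note)
```

The `aggressive_mode` flag is the field a VPN owner wants from a scan of their own gateways: a responder that answers an Aggressive Mode proposal with a PSK-authenticated SA is the case the bullet about psk-crack describes, and the fix is on the gateway (Main Mode, or certificate-based authentication), not in the scanner.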

Download ike-scan 1.9 here:

Source distribution: ike-scan-1.9.tar.gz
Windows binary: ike-scan-win32-1.9.zip

Older versions of ike-scan
Read more on this article...

Browser Rider is a hacking framework to build payloads that exploit the browser. The project aims to provide a powerful, simple and flexible interface to any client side exploit.

Browser Rider is not a new concept. Similar tools such as BeEF or Backframe exploited the same concept. However, most of the other existing tools out there are unmaintained, not updated and not documented. Browser Rider wants to fill those gaps by providing a better alternative.

Features

* Easily create powerful payloads and plugins
* Manage payloads automatically with plugins
* All data can be saved in a database
* Obfuscation
* Polymorphism
* Control more than one zombie at a time
* Simple administration panel

Requirements

* PHP 5, with json installed
* Mysql
* Apache with url_rewrite on
* Targets must have Javascript turned on

Download Browser Rider

Browser Rider v20081124 (changelog)
Read more on this article...

FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful Firefox extensions oriented toward application security auditing and assessment.

Changes for version 1.4

Information Gathering (Enumeration and Fingerprinting)

* PassiveRecon: PassiveRecon allows information security professionals to perform “packetless” discovery of target resources using publicly available information

Security Auditing

* Selenium IDE : Selenium is a test tool for web applications. Selenium tests run directly in a browser, just like real users do
* RESTTest : Construct custom HTTP requests to directly test requests against a server. RESTTest uses the XmlHttpRequest object and allows you to simulate XHR to quickly prototype requests and test security problems. Designed specifically for working with REST sources, supporting all HTTP methods
* Acunetix Firefox plugin: Read here a good review by Kev Orrey. Extension submitted by Kev Orrey from VulnerabilityAssessment

IT Security Related

* Added Milw0rm Exploits Search

Fixes

* Fixed HashMDTool link
* Fixed OSVB extension link
* Fixed US Homeland Security Threat link

Download FireCAT v1.4

FireCAT 1.4 Source (Zip - 4.6 kb)

FireCAT 1.4 Browsable HTML (Zip - 37.2 kb)
FireCAT 1.4 pdf (PDF - 186.3 kb)

All The Tools

http://phrack.fr/tools/FireCAT-1.4

Read more on this article...

BarsWF is basically an MD5 cracking tool and, at the moment, is the fastest. Right now, on an nVidia 9600GT/C2D 3GHz, the CUDA version does 350 M keys/sec and the SSE2 version does 108 M keys/sec. You may check benchmarks of all known good MD5 bruteforcers here.

Changes in 0.8

* Added checks for errors when calling CUDA kernel.
* Now you can specify custom characters for charset using -X switch.
* You may specify minimal password length using -min_len.
* Save/restore feature added. State is stored to barswf.save every 5 minutes or on exit. You may continue computation using the -r switch. You may manually edit the .save file to distribute the job over several computers (but this is up to you; it is quite simple and undocumented). BarsWF will also write the found password into barswf.save at the end.
* Improved speed for cards GTX260, GTX280, 8800GT, 9600GSO, 8800GS, 8800GTS - by approximately 10%, all other cards will get just 1-2%.

System Requirements

* CUDA version only: nVidia GeForce 8xxx and up, with at least 256 MB of video memory.
* LATEST nVidia driver with CUDA support. Standard drivers might be a bit older (as CUDA 2.0 is still beta).
* CPU with SSE2 support (P4, Core2Duo, Athlon64, Sempron64, Phenom).
* Recommended 64-bit OS (WinXP 64 or Vista64). 32-bit version is also available.

Download BarsWF 0.8 here:

CUDA:

BarsWF CUDA x64
BarsWF CUDA x32

SSE2:

BarsWF SSE x64
BarsWF SSE x32

Read More
Read more on this article...

Disclaimer

Posted by Bijay | 11:18 PM

It is hereby declared that all the content was published on other sites beforehand and is the sole property of the respective sites. The items seen on this site are requested from their owners on a shareware basis and are provided as-is to the visitors. The information on this site may be used to cause potential damage (monetary or otherwise).
The person visiting this site agrees to accept that the information contained here may not be misused (including hacking, in practical terms or otherwise).
Through this disclaimer the administrator of this site declares that he is not obliged to entertain any kind of damage compensation (monetary or otherwise) in case the information on this site is misused against any person.
Read more on this article...

Linux is a hacker’s dream computer operating system. It supports tons of tools and utilities for cracking passwords, scanning network vulnerabilities, and detecting possible intrusions. I have here a collection of 10 of the best hacking and security software tools for Linux. Please always keep in mind that these tools are not meant to harm, but to protect.




1. John the Ripper

John the Ripper is a free password cracking software tool initially developed for the UNIX operating system. It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others.



2. Nmap

Nmap is my favorite network security scanner. It is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, the software product used to run a service, the exact version number of that product, the presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

Nmap runs on Linux, Microsoft Windows, Solaris, and BSD (including Mac OS X), and also on AmigaOS. Linux is the most popular nmap platform and Windows the second most popular.




3. Nessus

Nessus is a comprehensive vulnerability scanner. Its goal is to detect potential vulnerabilities on the tested systems such as:

- Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.).
- Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
- Denials of service against the TCP/IP stack by using mangled packets.

Nessus is the world's most popular vulnerability scanner, estimated to be used by over 75,000 organizations worldwide. It took first place in the 2000, 2003, and 2006 security tools survey from SecTools.Org.



4. chkrootkit

chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script that uses common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures, and that compares a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies.

It can be used from a "rescue disc" (typically a Live CD), or it can optionally use an alternative directory from which to run all of its own commands. These techniques allow chkrootkit to place a bit more trust in the commands upon which it depends.

There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Newer rootkits may specifically attempt to detect and compromise copies of the chkrootkit programs or take other measures to evade detection by them.
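A minimal version of that /proc-versus-ps discrepancy check, as an added example rather than chkrootkit's own code. It assumes a Linux /proc and a ps that accepts `-e -o pid=` (the PS_CMD default is a constructed assumption), and it takes two /proc snapshots around the single ps run so that processes which merely started or exited mid-check are not reported as hidden.

```python
"""Hidden-process check in the spirit of chkrootkit's /proc-versus-ps comparison.
Added example, not chkrootkit's own code. Assumes a Linux /proc and a ps that
accepts `-e -o pid=` (procps or busybox); PS_CMD is a constructed default."""
import os
import subprocess

# Point this at a known-good ps (e.g. from a rescue disc or an alternative
# directory of trusted binaries) if the local one might be tampered with.
PS_CMD = ("ps", "-e", "-o", "pid=")


def pids_from_proc():
    """PIDs present as numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps(ps_cmd=PS_CMD):
    """PIDs that ps is willing to report."""
    out = subprocess.run(ps_cmd, capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_before, ps_pids, proc_after):
    """Pure comparison: PIDs seen in /proc both before and after ps ran, yet
    missing from ps output. Requiring presence in both /proc snapshots filters
    out processes that started or exited during the check (the race that
    otherwise yields false positives); a PID that survives both snapshots but
    ps does not report is a candidate for a userland rootkit hiding it."""
    return sorted((proc_before & proc_after) - ps_pids)


def check_live(ps_cmd=PS_CMD):
    """Take the two /proc snapshots around a single ps run and compare them."""
    before = pids_from_proc()
    reported = pids_from_ps(ps_cmd)
    after = pids_from_proc()
    return hidden_pids(before, reported, after)


if __name__ == "__main__":
    suspicious = check_live()
    if suspicious:
        print("PIDs in /proc but not reported by ps:", suspicious)
    else:
        print("no discrepancies between /proc and ps")
```

A kernel-level rootkit that filters /proc itself defeats this check, which is the limitation the paragraph above describes.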




5. Wireshark

Wireshark is a free packet sniffer computer application used for network troubleshooting, analysis, software and communications protocol development, and education. In June 2006, the project was renamed from Ethereal due to trademark issues.

The functionality Wireshark provides is very similar to tcpdump, but it has a GUI front-end, and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network interface into promiscuous mode.

Wireshark uses the GTK+ widget toolkit and is cross-platform, running on various computer operating systems including Linux, Mac OS X, and Microsoft Windows. Released under the terms of the GNU General Public License, Wireshark is free software.



6. netcat

netcat is a computer networking utility for reading from and writing to network connections on either TCP or UDP.

Netcat was voted the second most useful network security tool in a 2000 poll conducted by insecure.org on the nmap users mailing list. In 2003, it gained fourth place, a position it also held in the 2006 poll.

The original version of netcat is a UNIX program. Its author is known as *Hobbit*. He released version 1.1 in March of 1996.

Netcat is fully POSIX compatible and there exist several implementations, including a rewrite from scratch known as GNU netcat.



7. Kismet

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b and 802.11g traffic.

Kismet is unlike most other wireless network detectors in that it works passively. This means that without sending any loggable packets, it is able to detect the presence of both wireless access points and wireless clients, and associate them with each other.

Kismet also includes basic wireless IDS features such as detecting active wireless sniffing programs including NetStumbler, as well as a number of wireless network attacks.



8. hping

hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan technique (also invented by the hping author), which is now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable description of TCP/IP packets, so that the programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time.

Like most tools used in computer security, hping is useful to both system administrators and crackers (or script kiddies).




9. Snort

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks.

Snort performs protocol analysis and content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by dropping attacks as they are taking place. Snort can be combined with other software such as SnortSnarf, sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data. With patches for the Snort source from Bleeding Edge Threats, support for packet stream antivirus scanning with ClamAV and for network anomaly detection with SPADE at network layers 3 and 4, based on historical observation, is possible.


10. tcpdump

tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

In some Unix-like operating systems, a user must have superuser privileges to use tcpdump because the packet capturing mechanisms on those systems require elevated privileges. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up. In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.

The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.



