Archive for the Tools Category

Wordlist Generator and Password Lists

Posted in Fu (a.k.a Tips), Tools on August 16, 2010 by Skyler

I am a dedicated follower of the Darknet blog. Today they posted about an awesome wordlist mangling tool that improves upon John the Ripper. They also reposted a link to a past entry about already generated lists. You should definitely check these out.

Darknet – RSMangler

and

Darknet – Wordlists

[Tool] pivot-scan

Posted in Tools on August 13, 2010 by Skyler

I am trying to figure out how to perform port scans via an exploited host using meterpreter. It can be done with netcat relays, but I really want to see it done in meterpreter. Unfortunately, as far as I know, pivoting with metasploit only pivots exploits and such plugins.

To overcome this you usually have to upload a port scanner onto the first exploited machine and scan from there. Not too sexy, but it works.

http://seclists.org/pen-test/2009/Mar/113 mentions a metasploit plugin called pivot-scan by Augusto Pereyra. You better believe I have added this tool into my arsenal.

Get it here!

Also, if you are looking to do full metasploit functionality on the first compromised host, check out Mubix’s plugin here to send metasploit as a payload.

BTW, if anyone has figured out how to nmap through a metasploit route, then let me know!!!

Core Impact

Posted in Reviews, Tools on August 11, 2010 by Skyler

Most of you have probably heard of Core Impact before. If you haven’t, then you probably should. Essentially, Impact is a tool created by a company called Core. It is most likely the premier commercial pen testing framework. I had often heard about Impact, but never had I really looked at how it worked or what it did specifically. I was looking through their site and found a video demo that was pretty impressive! Check it out and start wishing you could afford it!

Check out the video demo here!

[Tool] Bait and Switch Honeypot

Posted in Reviews, Tools on August 10, 2010 by Skyler

This is a pretty nifty tool I’ve followed for some time.

For those unfamiliar with what a honeypot is, here is a brief definition. A honeypot is a system designed to mimic a real production environment. There are different types of honeypots, but they all share the same goal: effective observation and research of hackers and their behavior. By setting up a honeypot, researchers (or security personnel) can create an environment to distract, or in some cases draw in, hostile hackers. They can then observe the attacker’s activities and learn about his techniques. Most likely the hacker will eventually discover that the honeypot is not real (although there are a ton of honeypots with different functionality), but until then he has been effectively deterred.

Up until recently, honeypots have really only served those purposes; they have not been active participants in system defense. That’s what ‘Bait and Switch’ changes. This honeypot is configured to mimic a production server that is likely to be targeted by hackers. When an attack is detected, its traffic is routed to the ‘bait and switch’ honeypot. Therefore, the attack has been successfully mitigated while leading the hacker to believe that he has been successful.

Here is the definition of ‘Bait and Switch’ as found on its website:

The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system.  Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data and your clients and/or users still safely accessing the real system. Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on snort, linux’s iproute2, netfilter, and custom code for now…

For more information on Bait and Switch, check out their sourceforge here!

For more information about honeypots, check out the Honeynet Project.

[Tool] Firewalk + installation fix

Posted in Tools on August 6, 2010 by Skyler

With the release of the new Backtrack, I completely reinstalled my VM image of the distro. Of course, I then have to reinstall some of my favorite tools that I added myself. These typically include: Nexpose, nng, inundator, firewalk, etc.

Firewalk

Firewalk is a tool that allows you to test firewall configurations. It works differently than a typical scan in a few ways. Generally, people test ACLs/firewalls with an nmap ACK scan. However, there are a few issues with that:

  1. Nmap -sA only tests based on the ports of an end machine. This inadvertently reveals information about the firewall, but it does not test the firewall itself and can therefore miss vital information.
  2. An ACK scan just verifies that ACK packets can get through. It works with nmap because it is not caught as a connection initiation. However, this doesn’t do much for us when we are testing to see what can connect through a firewall. Although it is good to know, we would rather know what can actually establish a connection through the firewall.

Enter Firewalk. This dated (yet important) tool is used to enumerate firewall configurations. It works by using TTL values to step its way through the firewall. It does not require a machine behind the firewall to have the specific port open; instead, it just attempts to send packets to each port with a TTL = hops_to_firewall + 1. If the firewall allows the port, then an ICMP time exceeded message will come back; if it is blocked, I believe it is either dropped with no response, given an ICMP type 13 code 3, or perhaps a RST. The result will depend on the firewall implementation.

All that is required is the IP of the firewall and the IP of a host behind the firewall.
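The TTL trick described above also gives the defender a signature: one source sending a single probe per destination port, all with a TTL that expires just past the firewall. The following Python is an added example, not part of the original post or of Firewalk; it parses constructed netfilter-style LOG lines and flags such sources. The log format, the addresses, and the TTL and port-count thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (not real traffic). The first source sends one packet per
# port, all with the same very low TTL, which is what a firewalk-style probe looks like at
# the firewall; the second source is ordinary client traffic with a normal TTL.
SAMPLE_LOG = """\
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=22
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=23
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=25
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=80
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=443
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=41022 DPT=443
kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=41023 DPT=80
"""

FIELD_RE = re.compile(r"\b(SRC|DST|TTL|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Extract the key=value fields we need from one LOG line; None if it is not a LOG line."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "TTL", "DPT")):
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"), "ttl": int(fields["TTL"]),
            "proto": fields.get("PROTO"), "dport": int(fields["DPT"])}


def find_firewalk_probes(log_text, max_ttl=2, min_ports=4):
    """Return {src: sorted ports} for every source that hit at least min_ports distinct
    destination ports with TTL <= max_ttl. max_ttl is the TTL a hops_to_firewall + 1 probe
    still carries when it arrives at this firewall (assumed 2 here); min_ports separates a
    port-by-port walk from a stray low-TTL packet. Both are assumed thresholds."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ttl"] > max_ttl:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_firewalk_probes(SAMPLE_LOG).items():
        print(f"possible firewalk probing from {src}: ports {ports}")
```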

Get Firewalk here!

Installation Walkthrough

Note: Installation is pretty simple, but here are the steps and a small coding error walkthrough (make sure you have the proper dependencies also):

  1. download firewalk
  2. tar zxvf firewalk.tar.gz
  3. cd Firewalk/src
  4. vi firewalk.c
  5. go to line 193
  6. insert:   break;
  7. close editor, and cd ../
  8. ./configure && make && make install

That’s it! For clarity, this is what the portion of the firewalk.c code should look like:

    default:
        /* empty */
        break;
    }
    ....

[Release] ModularUrl Java Class

Posted in Research, Tools on July 30, 2010 by Skyler

So in the development of my web application fuzzer, I came upon the challenge of creating test cases from enumerated URLs. After fussing (play on words intended) around with some chunky logic, I had a palm-to-face moment. Perhaps it was that I had recently spent too much time in “procedural-language land”, but then the obvious object-oriented approach hit me.

The result was a quick creation of two Java classes that allow me to easily manipulate URLs and their parameters; essentially these classes do all the parsing for you. They are very simple, but quite effective. Perhaps it was the contrast of the frustration with such a simple fix, but I felt this code simply could not wait to be released with my fuzzer.

UPDATED: The code here has been picked up by Softpedia! You can get it here!

Here it is on sourceforge

And in typical Security Reliks fashion, a nasty copy &amp; paste version:

    import java.util.ArrayList;

    public class ModularUrl {
        String base;
        ArrayList<ModularUrlParameter> params;

        public ModularUrl(String url) {
            // separate the base URL from its query string
            String[] baseSplit = url.split("[?]");
            base = baseSplit[0];
            params = new ArrayList<ModularUrlParameter>();
            // a URL with no '?' has no parameters; without this check baseSplit[1] throws
            if (baseSplit.length < 2) {
                return;
            }
            // split parameters up
            String[] paramSplit = baseSplit[1].split("&");
            for (int i = 0; i < paramSplit.length; i++) {
                params.add(new ModularUrlParameter(paramSplit[i]));
            }
        }

        public String getAllParametersAsString() {
            StringBuilder result = new StringBuilder();
            // (the rest of this method, and the ModularUrlParameter class, continue in the full post)
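The same idea in Python, as an added example that is neither the author's code nor taken from the SourceForge release: urllib.parse splits a URL into its base and an ordered list of parameters, and one variant per parameter is built by swapping in a placeholder. It also covers two cases the Java above does not: a URL with no query string (where split("[?]")[1] would throw) and repeated parameter names. The class and method names and the MARK placeholder are my own.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


class ModularUrl:
    """Base URL plus an ordered list of (name, value) parameters, so that each
    parameter can be varied independently when building test cases."""

    def __init__(self, url):
        parts = urlsplit(url)
        self.base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        self.fragment = parts.fragment
        # keep_blank_values keeps "debug=" style parameters a test generator may still
        # want to vary; a URL with no query string simply yields an empty list
        self.params = parse_qsl(parts.query, keep_blank_values=True)

    def all_parameters_as_string(self):
        # urlencode re-applies percent/plus encoding, so decoded values round-trip safely
        return urlencode(self.params)

    def to_url(self):
        scheme, netloc, path = urlsplit(self.base)[:3]
        return urlunsplit((scheme, netloc, path, self.all_parameters_as_string(), self.fragment))

    def with_value(self, name, value, occurrence=0):
        """New URL with the n-th occurrence of `name` set to `value`; order and all
        other parameters are left untouched (repeated names are kept distinct)."""
        seen = 0
        new_params = []
        for k, v in self.params:
            if k == name:
                if seen == occurrence:
                    v = value
                seen += 1
            new_params.append((k, v))
        if seen <= occurrence:
            raise KeyError(f"parameter {name!r} occurrence {occurrence} not present")
        clone = ModularUrl(self.base)
        clone.params, clone.fragment = new_params, self.fragment
        return clone.to_url()

    def test_cases(self, marker):
        """One URL per parameter with just that parameter replaced by `marker`
        (a constructed placeholder string, not a payload)."""
        cases = []
        for i, (k, _) in enumerate(self.params):
            occurrence = sum(1 for kk, _ in self.params[:i] if kk == k)
            cases.append(self.with_value(k, marker, occurrence))
        return cases
```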


Python Tools for Pen Testers

Posted in Tools on July 29, 2010 by Skyler

I have started to delve into the realm of Python in order to improve my technical aptitude. In the search, I discovered this website which lists out Python pen testing tools. Check it out, it’s pretty handy!

Check it out here!