Channel: KitPloit - PenTest Tools!

[Drozer] The Leading Security Testing Framework for Android.

drozer enables you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
drozer provides tools to help you use and share public Android exploits. It helps you to deploy a drozer agent by using weasel, MWR's advanced exploitation payload.
For the latest drozer (formerly Mercury) updates, follow @mwrdrozer.

Features

drozer allows you to use dynamic analysis during an Android security assessment. By assuming the role of an Android app you can:
  • find information about installed packages.
  • interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services.
  • use a proper shell to play with the underlying Linux OS (from the context of an unprivileged application).
  • check an app’s attack surface, and search for known vulnerabilities.
  • create new modules to share your latest findings on Android.
drozer’s remote exploitation features provide a unified framework for sharing Android payloads and exploits. It helps to reduce the time needed for vulnerability assessments and mobile red-teaming exercises, and includes the outcome of some of MWR’s cutting-edge research into advanced Android payloads and exploits.

How it Works

drozer does all of this over the network: the console talks to the drozer agent on the device over a TCP socket, so it does not require ADB (in practice the agent's port is usually reached through adb forward when the device is attached over USB).


[Zarp v0.1.3] Local Network Attack Tool


Zarp is a network attack tool centred on the exploitation of local networks. It does not exploit individual systems; instead it abuses networking protocols and stacks to take over, infiltrate and knock out hosts on the LAN. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as to view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility of very complex attack scenarios on live networks, quickly, cleanly and quietly.

The long-term goal of zarp is to become the master command center of a network; to provide a modular, well-defined framework that provides a powerful overview and in-depth analysis of an entire network. This will come to light with the future inclusion of a web application front-end, which acts as the television screen, whereas the CLI interface will be the remote. This will provide network topology reports, host relationships, and more. zarp aims to be your window into the potential exploitability of a network and its hosts, not an exploitation platform itself; it is the manipulation of relationships and trust felt within local intranets. Look for zeb, the web-app frontend to zarp, sometime in the future. 

[Samurai Web Testing Framework v2.1] Live linux environment that has been pre-configured to function as a web pen-testing environment

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.



Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery, including w3af and Burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

[WATOBO 0.9.13] THE Web Application Toolbox


WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite. Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

New Features:

* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures.
* WATOBO can act as a transparent proxy (requires nfqueue)
* WATOBO can perform vulnerability checks out of the box
* WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens 
* WATOBO supports Inline De-/Encoding.
* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily. 
* WATOBO is written in (FX)Ruby and enables you to easily define your own checks
* WATOBO runs on Windows, Linux, MacOS ... every OS supporting (FX)Ruby 
* WATOBO is free software ( licensed under the GNU General Public License Version 2)  

[Nishang v0.3.0] The PowerShell for Penetration Testing released (introducing Powerpreter)

Nishang is a framework and collection of scripts and payloads which enables the use of PowerShell for offensive security and post-exploitation during penetration tests. The scripts were written to meet requirements the author encountered during real penetration tests.


Powerpreter is a PowerShell module. I decided to make it a part of Nishang as there is a large amount of repeated code. This post assumes that we have administrative access to a Windows 7 machine.

Powerpreter can surely be used as a non-admin user, but obviously with limited (though still useful) functionality. Like other scripts in Nishang, I have tried my best to keep Powerpreter compatible with PowerShell v2, so you may see some code which could be done by a cmdlet in PowerShell v3 and v4.

Changelog

  • Added Powerpreter
  • Added Execute-DNSTXT-Code
  • Bug fix in Create-MultipleSessions.
  • Changes to StringToBase64. It now supports Unicode (UTF-16LE) encoding, which makes its output usable with -EncodedCommand.
  • More Changes to StringToBase64. Now a file can be converted.
  • Added Copy-VSS
  • Information_Gather shows output in better format now.
  • Information_Gather renamed to Get-Information.
  • Wait for command renamed to HTTP-Backdoor.
  • Time_Execution renamed Execute-OnTime
  • Invoke-PingSweep renamed to Port-Scan
  • Invoke-Medusa renamed to Brute-Force
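The StringToBase64 change above is worth understanding in both directions: powershell.exe -EncodedCommand expects Base64 of the script's UTF-16LE ("Unicode") bytes, not of its UTF-8 bytes, so an encoder has to pick the right encoding, and a defender reading process-creation logs has to reverse exactly that. The following is an added example written for this page (not Nishang's own code): it encodes a script the way -EncodedCommand wants it, decodes blobs found in constructed log lines, and shows why a UTF-8 blob fails. The switch spellings in the regex and the log format are assumptions for the demo.

```python
import base64
import re

# Common spellings of the switch (powershell.exe accepts any unambiguous prefix).
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)


def to_encoded_command(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE ("Unicode"), then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def from_encoded_command(blob):
    """Reverse of to_encoded_command; rejects non-Base64 input and odd byte counts (not UTF-16)."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, probably UTF-8 was Base64-encoded")
    return raw.decode("utf-16-le")


def is_encoded_command(blob):
    try:
        from_encoded_command(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def decode_encoded_commands(lines):
    """Pull every -EncodedCommand argument out of process-creation log lines and decode it."""
    decoded = []
    for line in lines:
        for match in _ENC_RE.finditer(line):
            if is_encoded_command(match.group(1)):
                decoded.append(from_encoded_command(match.group(1)))
    return decoded


SCRIPT = "Get-Process | Out-File C:\\Temp\\p.txt"

# Constructed process-creation events, not real logs.
SAMPLE_LOG = [
    "4688 New Process: C:\\Windows\\System32\\cmd.exe /c whoami",
    "4688 New Process: powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\audit.ps1",
    "4688 New Process: powershell.exe -NoP -W Hidden -enc " + to_encoded_command(SCRIPT),
]

# The wrong encoding: Base64 of UTF-8 bytes. "Get-Process" is 11 bytes, so the UTF-16LE decoder
# rejects it outright; an even-length UTF-8 blob would instead decode to mojibake and fail in PowerShell.
UTF8_BLOB = base64.b64encode("Get-Process".encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for command in decode_encoded_commands(SAMPLE_LOG):
        print("decoded:", command)
    print("utf-8 blob accepted as UTF-16LE?", is_encoded_command(UTF8_BLOB))
```

The same decoder is what a detection rule should apply before matching on cmdlet names, since the encoded form hides strings like Invoke-Mimikatz from plain substring searches.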

[MISP v2.1] Malware Information Sharing Platform


The problem we experienced in the past was the difficulty of exchanging information about (targeted) malware and attacks within a group of trusted partners or under a bilateral agreement. Even today much of the information exchange happens in unstructured reports: you copy-paste the information into your own text files, which you then have to parse in order to export it to (N)IDS, log-search systems, etc.
A huge challenge in the cyber security domain is information sharing inside and between organisations. The platform's goal is to facilitate:

  • central IOC database: storing technical and non-technical information about malware and attacks. Data from external instances is also imported into your local instance
  • correlation: automatically creating relations between malware, events and attributes
  • storing data in a structured format (allowing automated use of the database for various purposes)
  • export: generating IDS, OpenIOC, plain text, xml output to integrate with other systems (network IDS, host IDS, custom tools, …)
  • import: batch-import, import from OpenIOC, GFI sandbox, ThreatConnect CSV, …
  • data-sharing: automatic exchange and synchronisation with other parties and trust-groups

Exchanging information results in faster detection of targeted attacks and improves the detection ratio while reducing false positives. It also avoids reversing similar malware twice, because you learn very quickly that others have already worked on a sample.

[Arachni v0.4.4] The Web Application Security Scanner Framework


Arachni is a Free/Open Source project; the code is released under the Apache License Version 2.0 and you are free to use it as you see fit.

Initially started as an educational exercise, it has since evolved into a powerful and modular framework allowing for fast, accurate and flexible security/vulnerability assessments. More than that, Arachni is highly extensible, allowing anyone to improve upon it by adding custom components and tailoring most aspects to meet most needs.


Modules

There are new passive (recon) and active (audit) modules along with big coverage improvements for existing ones.

Recon

New

  • X-Forwarded-For Access Restriction Bypass ( x_forwarded_for_access_restriction_bypass)
    • Retries denied requests with an X-Forwarded-For header to try and trick the web application into thinking that the request originates from localhost, and checks whether the restrictions were bypassed.
  • Form-based upload ( form_upload)
    • Flags file-upload forms as they require manual testing.

Improved

  • .htaccess LIMIT misconfiguration ( htaccess_limit)
    • Updated to use verb tampering as well.

Audit

New

  • Source code disclosure ( source_code_disclosure)
    • Checks whether or not the web application can be forced to reveal source code.
  • Code execution via the php://input wrapper ( code_execution_php_input_wrapper)
    • It injects PHP code into the HTTP request body and uses the php://input wrapper to try and load it.

Improved

  • Blind SQL Injection (Boolean/Differential analysis) ( sqli_blind_rdiff)
    • Improved accuracy of results.
  • Path traversal ( path_traversal)
    • Severity set to “High”.
    • Updated to start with / and go all the way up to /../../../../../../.
    • Added fingerprints for /proc/self/environ.
    • Improved coverage for MS Windows.
  • Remote file inclusion ( rfi)
    • Updated to handle cases where the web application appends its own extension to the injected string.
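The X-Forwarded-For check above is simple enough to show end to end. The following added example (written for this page, not Arachni's module) stands up a constructed vulnerable application that derives the client address from X-Forwarded-For because it assumes a reverse proxy in front of it, then runs the recon logic against it: request the path, and if it is denied, retry with localhost values in the header and see whether the denial turns into a 200. The application, the candidate values and the two paths are assumptions for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

LOCALHOST_VALUES = ("127.0.0.1", "localhost", "::1")


class VulnerableApp(BaseHTTPRequestHandler):
    """Constructed target: it expects a reverse proxy to set X-Forwarded-For and
    decides 'is this request from localhost?' from that header alone."""

    def do_GET(self):
        if self.path.startswith("/admin"):
            claimed = self.headers.get("X-Forwarded-For", "").split(",")[0].strip()
            if claimed not in LOCALHOST_VALUES:      # bug: the client controls this value
                self._reply(403, b"forbidden")
                return
        self._reply(200, b"ok")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(host, port, path, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def check_xff_bypass(host, port, path):
    """None if the path is not restricted, False if the header changes nothing,
    otherwise the X-Forwarded-For value that turned the denial into a 200."""
    status, _ = fetch(host, port, path)
    if status not in (401, 403):
        return None
    for value in LOCALHOST_VALUES:
        retry_status, _ = fetch(host, port, path, {"X-Forwarded-For": value})
        if retry_status == 200:
            return value
    return False


def run_demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    try:
        return {path: check_xff_bypass(host, port, path) for path in ("/admin", "/")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A status change alone is a weak signal: some applications answer 200 with an error page, so a production check should also compare the two bodies. The fix on the application side is to take the client address from the socket and honour X-Forwarded-For only when the peer is a known proxy.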


[Auto Rooting v 1.0] Local root [2010 - 2011 - 2012]


[IronWASP v0.9.6.5] Open Source Advanced Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.


What’s new in IronWASP v0.9.6.5


IronWASP v0.9.6.5 is now available for download. Users of older versions should get an update prompt when using IronWASP. This is what you get with the new version.

  • Completely redesigned awesome new Results section
  • Support for editing, scanning and fuzzing SOAP messages
  • New active checks for Server Side Includes, Server Side Request Forgery and Expression Language Injection
  • New passive check for JSON messages that are vulnerable to JSON hijacking
  • Significantly faster and more robust parsers for XML, JSON and multipart messages with auto-detection support
  • Enhancements to the Payload Effect Analysis feature
  • Enhancements to the Scan Trace Viewer feature
  • Ability to create a Request in the Manual Testing section from the clipboard
  • New Network address parsing APIs
  • Update to FiddlerCore v2.4.4.8

[Pyew v2.2] A Python tool for static malware analysis


Pyew is a command-line Python tool for analysing malware. It supports hexadecimal viewing, disassembly (Intel 16-, 32- and 64-bit) and the PE and ELF file formats (it performs code analysis and lets you write scripts against an API to perform many kinds of analysis); it follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports the OLE2 format, the PDF format and more. It also supports plugins to add further features to the tool.


Pyew has been used in large malware analysis systems for almost two years, processing thousands of files daily.

See some usage examples, example batch scripts, or a tool to compare and group programs (PE and ELF) using the API provided by Pyew.

NOTE: It is highly recommended to always use the Mercurial version instead of the versions available in the Downloads section.

ChangeLog:

Version 2.2 Stable (12-30-2012)
  • Loads of bug fixes.
  • Many little enhancements to the x86 code analysis engine, noticeably increasing the overall speed and finding more functions and basic blocks missed in previous versions.
  • Updated PEFile version to 1.2.10.
  • Support for 2 more disassembly engines: diStorm v3 and pymsasid (pure python disassembler).
  • Automatic calculation of the application call graph and function's flow graphs.
  • Support for analysing x86 boot sector files.

Version 2.1 Beta (11-27-2011)
  • Added Kenshoto's VTrace.
  • Initial support for integrated debugging.
  • Good support for ELF file format (both 32 and 64 bits).
  • Code analysis engine enhanced.
  • Fixed a lot of bugs.

Version 2.0
  • Code analysis system for x86 rewritten from scratch.
  • Support for databases. You can analyze binaries (PE or ELF) and save/open databases.
  • Added the graph-based clustering tool 'gcluster.py'.
  • Added new PDF utilities:
    • pdfss: Seek to one stream
    • pdfobj: Show object's list
    • pdfso: Seek to one object
  • Added new plugins:
    • binvi: Show an image representing the contents of the file. Useful to see different sections in a binary.
    • packer: Check if the PE file is packed
    • cgraph: Show the callgraph of the whole program (needs PyGTK to show a GUI).
  • Many bug fixes.

Version 1.1.1
  • Support for ELF file formats (AMD64 and IA32) using the Kenshoto's ELF library (VTrace).
  • Code analysis by recursively traversing all possible code paths from entry points.
  • Added the following APIs:
    • resolveName: Resolves the internal name of the given address/offset.
    • NextHead: Return the next disassembly offset given an address/offset.
    • GetMnem/GetMnems: Returns the mnemonic or mnemonic list given an offset and the number of mnemonics to retrieve.
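The "code analysis by recursively traversing all possible code paths from entry points" above is the technique that separates an analysis engine from a linear disassembler: instead of decoding bytes in file order, it follows call and jump targets, so padding and dead bytes are never mistaken for code and every call target becomes a discovered function. The following added example (written for this page, not Pyew's engine) implements that traversal over a deliberately tiny, constructed x86 subset: nop, ret, int3, push/pop ebp, call/jmp rel32 and jmp/jz/jnz rel8. The opcode table, the sample bytes and the output shape are assumptions for the demo.

```python
import struct

# Constructed x86 subset: enough to show recursive traversal, not a real decoder.
FIXED = {0x90: "nop", 0xC3: "ret", 0xCC: "int3", 0x55: "push ebp", 0x5D: "pop ebp"}


def decode(code, addr):
    """Return (mnemonic, length, branch_target) for one instruction; target is None unless it branches."""
    op = code[addr]
    if op in FIXED:
        return FIXED[op], 1, None
    if op in (0xE8, 0xE9):                                   # call/jmp rel32
        rel = struct.unpack_from("<i", code, addr + 1)[0]
        return ("call" if op == 0xE8 else "jmp"), 5, addr + 5 + rel
    if op in (0xEB, 0x74, 0x75):                             # jmp/jz/jnz rel8
        rel = struct.unpack_from("<b", code, addr + 1)[0]
        return {0xEB: "jmp", 0x74: "jz", 0x75: "jnz"}[op], 2, addr + 2 + rel
    raise ValueError("unsupported opcode 0x%02x at 0x%x" % (op, addr))


def analyse(code, entry):
    """Recursive traversal from `entry`: returns {function start: sorted basic-block leaders}."""
    functions = {}
    pending_functions = [entry]
    while pending_functions:
        start = pending_functions.pop()
        if start in functions or start >= len(code):
            continue
        leaders, visited, pending_blocks = {start}, set(), [start]
        while pending_blocks:
            pc = pending_blocks.pop()
            while pc < len(code) and pc not in visited:
                visited.add(pc)
                try:
                    mnem, size, target = decode(code, pc)
                except (ValueError, struct.error):
                    break                                  # undecodable bytes end the block
                after = pc + size
                if mnem == "call":
                    pending_functions.append(target)       # new function; execution falls through
                elif mnem == "jmp":
                    leaders.add(target)
                    pending_blocks.append(target)
                    break                                  # no fall-through
                elif mnem in ("jz", "jnz"):
                    leaders.update((target, after))        # both successors start a block
                    pending_blocks.append(target)
                elif mnem in ("ret", "int3"):
                    break
                pc = after
        functions[start] = sorted(leaders)
    return functions


# Constructed sample: main at 0x00 calls a helper at 0x10; int3 padding and two dead bytes
# sit between and inside them and must not be reported as code.
CODE = bytes([
    0x55,                          # 0x00 push ebp
    0xE8, 0x0A, 0x00, 0x00, 0x00,  # 0x01 call 0x10
    0x74, 0x02,                    # 0x06 jz 0x0A
    0x90, 0x90,                    # 0x08 nop; nop
    0x5D,                          # 0x0A pop ebp
    0xC3,                          # 0x0B ret
    0xCC, 0xCC, 0xCC, 0xCC,        # 0x0C padding
    0x90,                          # 0x10 nop
    0xEB, 0x02,                    # 0x11 jmp 0x15
    0xCC, 0xCC,                    # 0x13 dead bytes
    0xC3,                          # 0x15 ret
])

if __name__ == "__main__":
    for start, blocks in sorted(analyse(CODE, 0).items()):
        print("function 0x%02x, basic blocks at %s" % (start, ["0x%02x" % b for b in blocks]))
```

A real engine adds what this omits: a full decoder, indirect-branch heuristics, and a check that jump targets stay inside the function before accepting them as block leaders.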

Pyew is very similar in some aspects to the following tools:
  • The Interactive Disassembler (IDA). Although Pyew does not compete with IDA (and the author of the tool doesn't want it at all), it can be considered as a "mini IDA" focused on batch malware analysis.
  • The almighty radare.
  • The open source Biew and the commercial Hiew

[The Burp SessionAuth] Extension for Detection of Possible Privilege escalation vulnerabilities

Normally a web application should identify a logged-in user by data stored on the server side in some kind of session storage. In web application audits, however, one often observes internal user identifiers being transmitted in HTTP requests as parameters or cookies. Applications that trust identity information provided by the client can be vulnerable to privilege escalation attacks. Finding all occurrences of identity data transmissions can be quite tedious, especially if this information is sent in different parameters, mixed with other information, or only in particular requests.

The motivation behind the Burp SessionAuth extension was to support the web application auditor in finding such privilege escalation vulnerabilities. The idea is that the auditor provides some information: internal identifiers and strings which identify different users (e.g. their real names) or content. The extension performs the following tasks:

  • Monitoring of all requests for occurrences of the given identifiers. Such requests are typical candidates for privilege escalation vulnerabilities. Even if a web application doesn't seem to be vulnerable in one part, it can still be vulnerable in others.
  • Preparing an Intruder configuration on request of the user, and an Intruder payload generator which delivers the user identifiers.
  • Actively scanning a suspicious request and trying to determine vulnerabilities automatically by some heuristics.

Please be aware that this piece of software is still very experimental!
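The monitoring task is the part worth seeing in code: every proxied request is broken into its query, cookie and form-body parameters, each value is matched against the auditor's list of identifiers, and each hit becomes a candidate for an Intruder run with another user's identifier substituted. The following is an added example written for this page (not the extension's code, which runs inside Burp): it works on a few constructed raw requests and shows the one subtlety that matters, matching the identifier as a whole token so that user 1042 does not "appear" in a cache-buster like v=1042003. Request contents and identifiers are made up for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed requests standing in for the proxy history.
SAMPLE_REQUESTS = [
    "GET /profile?uid=1042&tab=orders HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=9f2c7a; user=1042\r\n\r\n",
    "POST /api/export HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=9f2c7a\r\n\r\n"
    "report=orders&owner=Alice%20Smith",
    "GET /static/app.js?v=1042003 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n",
]


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def request_params(raw):
    """Yield (location, name, value) for query, cookie and form-body parameters."""
    _, target, headers, body = parse_request(raw)
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield "query", name, value
    for chunk in headers.get("cookie", "").split(";"):
        name, _, value = chunk.strip().partition("=")
        if name:
            yield "cookie", name, value
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield "body", name, value


def _token_pattern(ident):
    # Whole-token match: "1042" must not hit "1042003" or "x1042y".
    return re.compile(r"(?<![A-Za-z0-9])%s(?![A-Za-z0-9])" % re.escape(ident))


def find_identifiers(requests, identifiers):
    """(request index, location, parameter, identifier) for every client-supplied identity value."""
    hits = []
    for idx, raw in enumerate(requests):
        for location, name, value in request_params(raw):
            for ident in identifiers:
                if _token_pattern(ident).search(value):
                    hits.append((idx, location, name, ident))
    return hits


def swap_identifier(raw, old, new):
    """Build the escalation probe: the same raw request carrying another user's identifier."""
    return _token_pattern(old).sub(new, raw)


if __name__ == "__main__":
    for hit in find_identifiers(SAMPLE_REQUESTS, ["1042", "Alice Smith"]):
        print(hit)
    print(swap_identifier(SAMPLE_REQUESTS[0], "1042", "1043").split("\r\n")[0])
```

swap_identifier works on the raw text, so an identifier that is URL-encoded in the request (Alice%20Smith) must be substituted in its encoded form; the parameter hits tell you which location and encoding to target.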

[Raft v3.0.1] Response Analysis and Further Testing Tool

Not an inspection proxy

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that share common elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as various kinds of client-side storage.

RAFT uses markup to create templates for fuzz testing.

[Introspy] Monitor app in your iDevice


The Problem

In 2013, assessing the security of iOS applications still involves a lot of manual, time-consuming tasks, especially when performing a black-box assessment. Without access to source code, a comprehensive review of these applications currently requires in-depth knowledge of various APIs and the ability to use relatively complex, generic tools such as Cycript or Mobile Substrate, or to jump straight into the debugger.

To simplify this process, we are releasing Introspy - an open-source security profiler for iOS. Introspy is designed to help penetration testers understand what an application does at runtime.

How Introspy works


The tool comprises two separate components: an iOS tracer and an analyzer.

The iOS tracer can be installed on a jailbroken iOS device. It will hook security-sensitive APIs called by a given application, including functions related to cryptography, IPCs, data storage / protection, networking, and user privacy. The call details are all recorded and persisted in a SQLite database on the device.

This database can then be fed to the Introspy analyzer, which generates an HTML report displaying all recorded calls, plus a list of potential vulnerabilities affecting the application.

Tracer


Once installed, the tracer will store in a SQLite database all calls made by iOS applications to security-sensitive APIs.
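The analyzer half is where the recorded calls turn into findings: each row of the tracer database is checked against a small set of rules (weak cipher constants passed to the crypto API, secrets written to NSUserDefaults, files created without data protection, cleartext URLs). The following added example, written for this page rather than taken from Introspy, builds an in-memory SQLite database from a constructed trace and runs such rules over it. The table layout, column names and the sample calls are assumptions; the kCCAlgorithm values (AES128=0, DES=1, 3DES=2, RC4=4, RC2=5) are CommonCrypto's.

```python
import json
import re
import sqlite3

# Assumed table layout: one row per hooked call with JSON-encoded arguments.
# This is a constructed stand-in for the tracer's database, not Introspy's own schema.
SCHEMA = "CREATE TABLE traced_calls (id INTEGER PRIMARY KEY, clazz TEXT, method TEXT, args TEXT)"

SAMPLE_CALLS = [  # constructed trace of a fictional app
    ("C", "CCCrypt", {"alg": 1, "key_len": 8}),
    ("C", "CCCrypt", {"alg": 0, "key_len": 32}),
    ("NSUserDefaults", "setObject:forKey:", {"key": "auth_token", "value": "d4c3b2a1"}),
    ("NSFileManager", "createFileAtPath:contents:attributes:",
     {"path": "/var/mobile/Documents/notes.db",
      "attributes": {"NSFileProtectionKey": "NSFileProtectionNone"}}),
    ("NSURLConnection", "initWithRequest:delegate:", {"url": "http://api.example/login"}),
    ("NSURLConnection", "initWithRequest:delegate:", {"url": "https://api.example/sync"}),
]

WEAK_CC_ALGORITHMS = {1: "DES", 2: "3DES", 4: "RC4", 5: "RC2"}   # kCCAlgorithm* values
SECRET_KEY_RE = re.compile(r"pass|pwd|token|secret|key", re.IGNORECASE)


def rule_weak_cipher(clazz, method, args):
    if method == "CCCrypt" and args.get("alg") in WEAK_CC_ALGORITHMS:
        return "weak cipher %s passed to CCCrypt" % WEAK_CC_ALGORITHMS[args["alg"]]


def rule_secret_in_defaults(clazz, method, args):
    if clazz == "NSUserDefaults" and method.startswith("setObject:") \
            and SECRET_KEY_RE.search(args.get("key", "")):
        return "secret-looking key %r stored unencrypted in NSUserDefaults" % args["key"]


def rule_file_protection(clazz, method, args):
    if clazz == "NSFileManager" and method.startswith("createFileAtPath:"):
        level = (args.get("attributes") or {}).get("NSFileProtectionKey")
        if level in (None, "NSFileProtectionNone"):
            return "file %s written without data protection" % args.get("path")


def rule_cleartext_http(clazz, method, args):
    if clazz.startswith("NSURL") and str(args.get("url", "")).startswith("http://"):
        return "cleartext request to %s" % args["url"]


RULES = [rule_weak_cipher, rule_secret_in_defaults, rule_file_protection, rule_cleartext_http]


def load_trace(calls):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO traced_calls (clazz, method, args) VALUES (?, ?, ?)",
                   [(c, m, json.dumps(a)) for c, m, a in calls])
    return db


def analyse_trace(calls):
    """Run every rule over every recorded call; returns findings in trace order."""
    db = load_trace(calls)
    findings = []
    query = "SELECT id, clazz, method, args FROM traced_calls ORDER BY id"
    for row_id, clazz, method, args in db.execute(query):
        args = json.loads(args)
        for rule in RULES:
            detail = rule(clazz, method, args)
            if detail:
                findings.append({"id": row_id, "rule": rule.__name__, "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in analyse_trace(SAMPLE_CALLS):
        print("#%d %-25s %s" % (finding["id"], finding["rule"], finding["detail"]))
```

Against the real tracer output only load_trace and the SELECT need adapting to its column names; the rules operate on the decoded arguments and stay the same.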

[Tunna Framework] Tool designed to bypass firewall restrictions on remote webservers


Tunna is a set of tools which wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. The web application file (the remote script) must be uploaded to the remote server; it is used to open a local connection to services running on the remote web server or on any other server in the DMZ. The local application communicates with the remote script over HTTP and exposes a local port for the client application to connect to.

Since all external communication is done over HTTP it is possible to bypass the filtering rules and connect to any service behind the firewall using the webserver on the other end.

Tunna framework

Tunna framework comes with the following functionality:

  • Ruby client (proxy bind): Ruby client proxy that establishes the tunnel to the remote web application and relays TCP traffic through it.
  • Python client (proxy bind): Python client proxy that establishes the tunnel to the remote web application and relays TCP traffic through it.
  • Metasploit integration module, which allows transparent execution of Metasploit payloads on the server.
  • ASP.NET remote script
  • Java remote script
  • PHP remote script


[I2P] Anonymizing Network

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.

Many applications are available that interface with I2P, including mail, peer-peer, IRC chat, and others.

The I2P project was formed in 2003 to support the efforts of those trying to build a more free society by offering them an uncensorable, anonymous, and secure communication system. I2P is a development effort producing a low latency, fully distributed, autonomous, scalable, anonymous, resilient, and secure network. The goal is to operate successfully in hostile environments - even when an organization with substantial financial or political resources attacks it. All aspects of the network are open source and available without cost, as this should both assure the people using it that the software does what it claims, as well as enable others to contribute and improve upon it to defeat aggressive attempts to stifle free speech.

Anonymity is not a boolean - we are not trying to make something "perfectly anonymous", but instead are working at making attacks more and more expensive to mount. I2P is a low latency mix network, and there are limits to the anonymity offered by such a system, but the applications on top of I2P, such as Syndie, I2P mail, and I2PSnark extend it to offer both additional functionality and protection.

I2P is still a work in progress. It should not be relied upon for "guaranteed" anonymity at this time, due to the relatively small size of the network and the lack of extensive academic review. It is not immune to attacks from those with unlimited resources, and may never be, due to the inherent limitations of low-latency mix networks.

I2P works by routing traffic through other peers, as shown in the following picture. All traffic is encrypted end-to-end. For more information about how I2P works, see the Introduction.


[LinEnum] Scripted Local Linux Enumeration & Privilege Escalation Checks


High-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User information:
    • Current user details
    • Last logged-on users
    • List all users including UID/GID information
    • List root accounts
    • Extract full details for 'default' UIDs such as 0, 1000, 1001 etc.
    • Attempt to read restricted files, e.g. /etc/shadow
    • List the current user's history files (.bash_history, .nano_history etc.)
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has sudo access without a password
    • Are known 'good' breakout binaries available via sudo (e.g. nmap, vim)?
    • Is root's home directory accessible?
    • List permissions for /home/
  • Environment:
    • Display current $PATH
  • Jobs/tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Look up and list process binaries and associated permissions
    • List inetd.conf/xinetd.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version information (of the following):
    • sudo
    • MySQL
    • Postgres
    • Apache
  • Default/weak credentials:
    • Check for default/weak Postgres accounts
    • Check for default root/root access to local MySQL services
  • Searches:
    • Locate all SUID/SGID files
    • Locate all world-writable SUID/SGID files
    • Locate all SUID/SGID files owned by root
    • Locate 'interesting' SUID/SGID files (e.g. nmap, vim)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing the keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail
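Most of the file-system checks in that list come down to walking a tree with lstat and testing mode bits, which is easy to get subtly wrong (following symlinks, counting directories as "files", trusting $PATH entries). The following added example, written for this page rather than taken from LinEnum (which is a shell script), implements four of the checks as functions over an arbitrary root so they can be exercised against a constructed miniature filesystem in a temporary directory: SUID/SGID files, the "interesting" breakout subset, world-writable files (cron entries included), and world-writable directories on $PATH. The layout of the fake tree and the breakout list are assumptions for the demo.

```python
import os
import shutil
import stat
import tempfile

INTERESTING = {"nmap", "vim", "find", "bash", "less", "python", "perl", "awk"}  # assumed breakout set


def _regular_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: never follow symlinks while enumerating
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_suid_sgid(root):
    return sorted(p for p, st in _regular_files(root) if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_world_writable(root):
    return sorted(p for p, st in _regular_files(root) if st.st_mode & stat.S_IWOTH)


def interesting_binaries(paths):
    return [p for p in paths if os.path.basename(p) in INTERESTING]


def world_writable_path_dirs(path_env):
    """Directories in $PATH that anyone can write to: a planted binary there shadows the real one."""
    found = []
    for directory in path_env.split(os.pathsep):
        try:
            mode = os.stat(directory).st_mode if directory else 0
        except OSError:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            found.append(directory)
    return found


def _put(root, rel, mode, content=b"#!/bin/sh\n"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def run_demo():
    """Build a constructed mini filesystem, run the checks, return root-relative results."""
    root = tempfile.mkdtemp(prefix="linenum-demo-")
    try:
        _put(root, "usr/bin/nmap", 0o4755)              # SUID copy of a known breakout binary
        _put(root, "usr/bin/ls", 0o755)
        _put(root, "etc/cron.d/backup", 0o666)           # world-writable cron entry
        _put(root, "etc/passwd", 0o644, b"root:x:0:0::/root:/bin/sh\n")
        tools_bin = os.path.join(root, "opt", "tools", "bin")
        os.makedirs(tools_bin)
        os.chmod(tools_bin, 0o777)                       # sloppy third-party install on $PATH
        path_env = os.pathsep.join([os.path.join(root, "usr", "bin"), tools_bin])

        def rel(paths):
            return [os.path.relpath(p, root) for p in paths]

        suid = find_suid_sgid(root)
        return {
            "suid_sgid": rel(suid),
            "interesting": rel(interesting_binaries(suid)),
            "world_writable": rel(find_world_writable(root)),
            "writable_path_dirs": rel(world_writable_path_dirs(path_env)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, result in run_demo().items():
        print("%-20s %s" % (check, result))
```

Run against a real host you would pass "/" and os.environ["PATH"]; expect the walk to be slow on large mounts, which is why LinEnum itself lets you narrow the keyword search.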

[Vulscan] Module which enhances nmap to a vulnerability scanner


Vulscan is a module which turns Nmap into a vulnerability scanner. The Nmap option -sV enables version detection per service, which is used to determine potential flaws according to the identified product. The data is looked up in an offline copy of the scip VulDB (and the other databases listed below).


Installation

Please install the files into the following folder of your Nmap installation:


Nmap\scripts\vulscan\*


Usage

You have to run the following minimal command to initiate a simple vulnerability scan:

nmap -sV --script=vulscan/vulscan.nse www.example.com


Vulnerability Database

There are the following pre-installed databases available at the moment:

* scipvuldb.csv | http://www.scip.ch/en/?vuldb
* cve.csv | http://cve.mitre.org
* osvdb.csv | http://www.osvdb.org
* securityfocus.csv | http://www.securityfocus.com/bid/
* securitytracker.csv | http://www.securitytracker.com
* xforce.csv | http://xforce.iss.net
* exploitdb.csv | http://www.exploit-db.com
* openvas.csv | http://www.openvas.org

Single Database Mode

You may execute vulscan with the following argument to use a single database:

--script-args vulscandb=your_own_database


It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:

<id>;<title>


Just execute vulscan as you would when referring to one of the pre-delivered databases. Feel free to share your own database and vulnerability mappings with me, so that they can be added to the official repository.

[Malcom] Malware Communication Analyzer


Malcom is a tool designed to analyse a system's network communication using graphical representations of network traffic. This comes in handy when analysing how certain malware families try to communicate with the outside world.

Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of the network traffic originating from a given host or network, turning raw traffic into actionable intelligence sooner.
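Two of the items in that list, fast-flux and "known-bad", can be shown with plain passive-DNS data rather than a graph. The following is an added example written for this page (not Malcom's code): it summarises constructed DNS observations per domain and flags the fast-flux signature (many distinct answers spread across unrelated /24 networks, all with short TTLs), while a CDN-like name that also rotates addresses but within one network is left alone; a second function checks every artifact against a constructed known-bad feed. Thresholds, the /24 grouping and all sample data are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations: (queried name, A record, TTL in seconds).
OBSERVATIONS = [
    ("update-check.example", "203.0.113.5", 60),
    ("update-check.example", "198.51.100.77", 60),
    ("update-check.example", "192.0.2.14", 60),
    ("update-check.example", "203.0.113.90", 60),
    ("update-check.example", "198.18.0.9", 60),
    ("update-check.example", "192.0.2.200", 60),
    ("cdn.example", "192.0.2.10", 120),
    ("cdn.example", "192.0.2.11", 120),
    ("cdn.example", "192.0.2.12", 120),
    ("cdn.example", "192.0.2.13", 120),
    ("cdn.example", "192.0.2.14", 120),
    ("www.example", "203.0.113.80", 3600),
]

KNOWN_BAD = {"198.51.100.77", "update-check.example"}   # constructed intel feed


def summarise(observations):
    """Per domain: distinct answers, distinct /24 networks they fall in, and every TTL seen."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for qname, answer, ttl in observations:
        entry = per_domain[qname]
        entry["ips"].add(answer)
        entry["nets"].add(ipaddress.ip_network(answer + "/24", strict=False))
        entry["ttls"].append(ttl)
    return per_domain


def fast_flux_candidates(observations, min_ips=5, min_networks=3, max_ttl=300):
    """Domains whose answers rotate across many unrelated networks with short TTLs."""
    flagged = {}
    for qname, entry in summarise(observations).items():
        if (len(entry["ips"]) >= min_ips and len(entry["nets"]) >= min_networks
                and max(entry["ttls"]) <= max_ttl):
            flagged[qname] = {"ips": len(entry["ips"]), "networks": len(entry["nets"]),
                              "max_ttl": max(entry["ttls"])}
    return flagged


def known_bad_artifacts(observations, feed):
    """Every name or address in the traffic that a feed already lists."""
    hits = set()
    for qname, answer, _ in observations:
        if qname in feed:
            hits.add(qname)
        if answer in feed:
            hits.add(answer)
    return hits


if __name__ == "__main__":
    for qname, stats in fast_flux_candidates(OBSERVATIONS).items():
        print("fast-flux candidate:", qname, stats)
    print("known-bad:", sorted(known_bad_artifacts(OBSERVATIONS, KNOWN_BAD)))
```

The /24 grouping is a cheap proxy for "different hosting providers"; with ASN data available, group by ASN instead, which is also what keeps large CDNs out of the candidate list.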

Check the wiki for a Quickstart and some nice screenshots.

In the near future it will also become a collaborative tool.

[The Backdoor Factory] Backdoors win32 PE files


Backdoors win32 PE files, to continue normal file execution (if the shellcode supports it), by patching the exe/dll directly.

Some executables have built in protections, as such this will not work on all PE files. It is advisable that you test target PE files before deploying them to clients or using them in exercises.

Win32 binaries now run on x64 working with ASLR for proper continued execution after shellcode has run.

Recently tested on all 32-bit Sysinternals tools.

Usage: ./backdoor.py -h
Usage: backdoor.py [options]
Options:
-h, --help                              show this help message and exit
-f FILE, --file=FILE                    File to backdoor
-i HOST, --hostip=HOST                  IP of the C2 for reverse connections
-p PORT, --port=PORT                    The port to either connect back to for reverse shells or to listen on for bind shells
-o OUTPUT, --output-file=OUTPUT         The backdoor output file
-s SHELL, --shell=SHELL                 Payloads that are available for use
-n NSECTION, --section=NSECTION         New section name; must be less than seven characters
-c, --cave                              Find code caves that can be used for stashing shellcode. This prints all the code caves of a specific size. The -l flag can be used with this setting.
-d DIR, --directory=DIR                 The location of the files that you want to backdoor. Backdooring a whole directory is faster if you force a new section to be added to each exe with the -a setting.
-v, --verbose                           Debug information output
-e ENCODER, --encoder=ENCODER           Encoders that can help with AV evasion
-l SHELL_LEN, --shell_length=SHELL_LEN  For use with -c to help find code caves of different sizes
-a, --add_new_section                   Mandate that a new section be added to the exe (better success, but less AV avoidance)
-w, --change_access                     Changes the section that houses the code cave to RWE. Sometimes this is necessary. Enabled by default; if disabled, the backdoor may fail.
-j, --injector                          Turns the Backdoor Factory into a hunt-and-inject mechanism. Edit the target settings in the injector module.
-u SUFFIX, --suffix=SUFFIX              For use with injector; places a suffix on the original file for easy recovery
-D, --delete_original                   For use with the injector module. Deletes the original file. Not for use in production systems. Author not responsible for stupid uses.


Features:
-After making a copy of the target file, the file copy will be patched directly.
-Finding all codecaves in an EXE/DLL.
-Injecting modified reverse/bind shells that allow continued execution after connection to the attacker.
-Modifying the PE/COFF header to add an additional section for all win32 executables/dlls, including those with an import table.
-Using the existing shellcode options, the ability to select PORT and HOST as connection options
-The ability to backdoor a directory of executables/dlls
-List all codecaves in the exe/dll
-Select the codecave in the exe/dll to backdoor, thereby not changing the filesize.
-Includes a simple XOR shellcode encoder.
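Two of the features above are small enough to show in full: locating code caves (runs of unused bytes inside an existing section, the -c/-l options) and the XOR encoder. The following added example, written for this page rather than taken from the Backdoor Factory, walks the PE section table of a constructed two-section image, reports every cave together with whether its section is already executable (the reason for the -w flag), and picks a single-byte XOR key that keeps NUL out of the encoded payload. The sample image and the sample bytes are assumptions; the former has valid headers but is not an executable, and the latter is not a working payload.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Constructed bytes standing in for a payload; they are not a working shellcode.
SAMPLE_SHELLCODE = bytes([0x31, 0xC0, 0x01, 0x02, 0x50, 0x68])


def pe_sections(data):
    """Walk the COFF section table: [(name, raw_offset, raw_size, characteristics)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_header_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)   # SizeOfRawData, PointerToRawData
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, characteristics))
    return sections


def find_code_caves(data, min_size, fill=0x00):
    """Runs of `fill` bytes of at least min_size: [(offset, length)]."""
    caves, start = [], None
    for i, b in enumerate(data):
        if b == fill:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_size:
                caves.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_size:
        caves.append((start, len(data) - start))
    return caves


def usable_caves(data, min_size):
    """Caves per section; one in a non-executable section needs the section made RWE or a new section."""
    found = []
    for name, raw_ptr, raw_size, characteristics in pe_sections(data):
        for off, size in find_code_caves(data[raw_ptr:raw_ptr + raw_size], min_size):
            found.append({"section": name, "offset": raw_ptr + off, "size": size,
                          "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE)})
    return found


def choose_xor_key(shellcode, forbidden=(0x00,)):
    """Smallest single-byte key whose output avoids the forbidden bytes (NUL by default)."""
    for key in range(1, 256):
        if not any((b ^ key) in forbidden for b in shellcode):
            return key
    raise ValueError("no single-byte key avoids the forbidden bytes")


def xor_encode(shellcode, key):
    return bytes(b ^ key for b in shellcode)        # symmetric: apply twice to decode


def build_sample_pe():
    """Constructed two-section PE image for the demo (valid headers only; it does not run)."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)                   # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", img, 0x54, 0)                           # SizeOfOptionalHeader (omitted here)
    for i, (name, ptr, size, chars) in enumerate([
            (b".text", 0x200, 0x200, 0x60000020),                  # code | execute | read
            (b".data", 0x400, 0x100, 0xC0000040)]):                # initialised data | read | write
        off = 0x58 + 40 * i
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", img, off + 16, size, ptr)
        struct.pack_into("<I", img, off + 36, chars)
    img[0x200:0x400] = bytes((i * 7 + 3) % 255 + 1 for i in range(0x200))   # non-zero "code"
    img[0x300:0x340] = b"\0" * 0x40                                # 64-byte alignment hole
    return bytes(img)


if __name__ == "__main__":
    for cave in usable_caves(build_sample_pe(), 32):
        print(cave)
    key = choose_xor_key(SAMPLE_SHELLCODE)
    print("xor key 0x%02x ->" % key, xor_encode(SAMPLE_SHELLCODE, key).hex())
```

The encoder is only half of the job: the patched binary also needs a decoder stub in front of the encoded bytes, and a cave has to hold stub plus payload, which is why -l is given the full length. NUL avoidance matters when the payload is ever handled as a C string, not when it is written straight into a cave.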

[fuzzdb] Attack and Discovery Pattern Database for Application Fuzz Testing

fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases.

What's in fuzzdb?


Predictable Resource Locations - Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.

Attack Patterns - Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases. FuzzDB contains comprehensive lists of attack payloads known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.

Response Analysis - Since system responses also contain predictable strings, fuzzdb contains a set of regex pattern dictionaries, such as interesting error messages to aid detection of software security defects, lists of common session ID cookie names, and more.

Other useful stuff - Webshells, common password and username lists, and some handy wordlists.

Documentation - Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided.

Why was fuzzdb created?


The sets of payloads currently built into open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns. Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that they tend to lock these patterns away in obfuscated binaries.

Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise.

FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.

Released under dual New BSD and Creative Commons Attribution licenses, FuzzDB can be leveraged to improve the test cases built into open source and commercial testing software.

How was the data collected?


Lots of hours of research while performing penetration tests:
  • analysis of default app installs
  • analysis of system and application documentation
  • analysis of error messages
  • researching old web exploits for repeatable attack strings
  • scraping scanner patterns from http logs
  • various books, articles, blog posts, mailing list threads
  • patterns gleaned from other open source fuzzers and pentest tools

FuzzDB is like an open source web application security scanner, without the scanner.

How to Use fuzzdb

  • Use the patterns to test web services.
  • Use the patterns as malicious input payloads for testing non-HTTP network-aware applications with custom fuzzing tools.
  • Use the patterns as malicious input payloads for testing GUI or command line software with standard test automation tools.
  • Incorporate the patterns into Open Source software, or into your own commercial product.
  • Use the patterns in training materials and documentation. 
