Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Scan Tools. Show all posts
Showing posts with label Scan Tools. Show all posts

Sunday, August 12, 2018

AutoNSE - Massive NSE (Nmap Scripting Engine) AutoSploit And AutoScanner


Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. For more informations https://nmap.org/book/man-nse.html

Installation
$ git clone https://github.com/m4ll0k/AutoNSE.git
$ cd AutoNSE 
$ bash autonse.sh

Exmaples
$ bash autonse.sh




Share:

Sunday, July 8, 2018

JoomlaScan - Tool To Find The Components Installed In Joomla CMS, Built Out Of The Ashes Of Joomscan


A free and open source software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

Features
  • Scanning the Joomla CMS sites in search of components/extensions (database of more than 600 components);
  • Locate the browsable folders of component (Index of ...);
  • Locate the components disabled or protected
  • Locate each file useful to identify the version of a components (Readme, Manifest, License, Changelog)
  • Locate the robots.txt file or error_log file
  • Supports HTTP or HTTPS connections
  • Connection timeout

Next Features
  • Locate the version of Joomla CMS
  • Find Module
  • Customized User Agent and Random Agent
  • The user can change the connection timeout
  • A database of vulnerable components

Usage
usage: python joomlascan.py [-h] [-u URL] [-t THREADS] [-v]
optional arguments:
-h, --help              show this help message and exit

-u URL, --url URL       The Joomla URL/domain to scan.
-t THREADS, --threads   THREADS
                        The number of threads to use when multi-threading
                        requests (default: 10).
-v, --version           show program's version number and exit

Requirements
  • Python
  • beautifulsoup4 (To install this library from terminal type: $ sudo easy_install beautifulsoup4 or $ sudo pip install beautifulsoup4)

Changelog
  • 2016.12.12 0.5beta > Implementation of the Multi Thread, Updated database from 656 to 686 components, Fix Cosmetics and Minor Fix.
  • 2016.05.20 0.4beta > Find README.md, Find Manifes.xml, Find Index file of Components (Only if descriptive), User Agent and TimeOut on Python Request, Updated database from 587 to 656 components, Fix Cosmetics and Minor Fix.
  • 2016.03.18 0.3beta > Find index file on components directory
  • 2016.03.14 0.2beta > Find administrator components and file Readme, Changelog, License.
  • 2016.02.12 0.1beta > Initial release




Share:

Wednesday, July 4, 2018

WPSeku v0.4 - Wordpress Security Scanner



WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Installation
$ git clone https://github.com/m4ll0k/WPSeku.git wpseku
$ cd wpseku
$ pip3 install -r requirements.txt
$ python3 wpseku.py

Usage

Generic Scan
python3 wpseku.py --url https://www.xxxxxxx.com --verbose

  • Output
----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.xxxxxxx.com
[ + ] Starting: 02:38:51

[ + ] Server: Apache
[ + ] Uncommon header "X-Pingback" found, with contents: https://www.xxxxxxx.com/xmlrpc.php
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at: https://www.xxxxxxx.com/wp-config.php
[ i ] Checking common files...
[ + ] robots.txt file was found at: https://www.xxxxxxx.com/robots.txt
[ + ] xmlrpc.php file was found at: https://www.xxxxxxx.com/xmlrpc.php
[ + ] readme.html file was found at: https://www.xxxxxxx.com/readme.html
[ i ] Checking directory listing...
[ + ] Dir "/wp-admin/css" listing enable at: https://www.xxxxxxx.com/wp-admin/css/
[ + ] Dir "/wp-admin/images" listing enable at: https://www.xxxxxxx.com/wp-admin/images/
[ + ] Dir "/wp-admin/includes" listing enable at: https://www.xxxxxxx.com/wp-admin/includes/
[ + ] Dir "/wp-admin/js" listing enable at: https://www.xxxxxxx.com/wp-admin/js/
......

Bruteforce Login
python3 wpseku.py --url https://www.xxxxxxx.com --brute --user test --wordlist wl.txt --verbose

  • Output
----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.xxxxxxx.com
[ + ] Starting: 02:46:32

[ + ] Bruteforcing Login via XML-RPC...
[ i ] Setting user: test
[ + ] Valid Credentials: 

-----------------------------
| Username | Passowrd       |
-----------------------------
| test     | kamperasqen13  |
-----------------------------

Scan plugin,theme and wordpress code
python3 wpseku.py --scan <dir/file> --verbose

Note: Testing Akismet Directory Plugin https://plugins.svn.wordpress.org/akismet
  • Output
----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Checking PHP code...
[ + ] Scanning directory...
[ i ] Scanning trunk/class.akismet.php file
----------------------------------------------------------------------------------------------------------
| Line | Possibile Vuln.      | String                                                                   |
----------------------------------------------------------------------------------------------------------
|  597 | Cross-Site Scripting | [b"$_GET['action']", b"$_GET['action']"]                                 |
|  601 | Cross-Site Scripting | [b"$_GET['for']", b"$_GET['for']"]                                       |
|  140 | Cross-Site Scripting | [b"$_POST['akismet_comment_nonce']", b"$_POST['akismet_comment_nonce']"] |
|  144 | Cross-Site Scripting | [b"$_POST['_ajax_nonce-replyto-comment']"]                               |
|  586 | Cross-Site Scripting | [b"$_POST['status']", b"$_POST['status']"]                               |
|  588 | Cross-Site Scripting | [b"$_POST['spam']", b"$_POST['spam']"]                                   |
|  590 | Cross-Site Scripting | [b"$_POST['unspam']", b"$_POST['unspam']"]                               |
|  592 | Cross-Site Scripting | [b"$_POST['comment_status']", b"$_POST['comment_status']"]               |
|  599 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                               |
|  214 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
|  403 | Cross-Site Scripting | [b"$_SERVER['REQUEST_TIME_FLOAT']", b"$_SERVER['REQUEST_TIME_FLOAT']"]   |
|  861 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']", b"$_SERVER['REMOTE_ADDR']"]                 |
|  930 | Cross-Site Scripting | [b"$_SERVER['HTTP_USER_AGENT']", b"$_SERVER['HTTP_USER_AGENT']"]         |
|  934 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
| 1349 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']"]                                             |
----------------------------------------------------------------------------------------------------------
[ i ] Scanning trunk/wrapper.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/akismet.php file
-----------------------------------------------
| Line | Possibile Vuln.    | String          |
-----------------------------------------------
|   55 | Authorization Hole | [b'is_admin()'] |
-----------------------------------------------
[ i ] Scanning trunk/class.akismet-cli.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/class.akismet-widget.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/index.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/class.akismet-admin.php file
--------------------------------------------------------------------------------------------------------------------
| Line | Possibile Vuln.      | String                                                                             |
--------------------------------------------------------------------------------------------------------------------
|   39 | Cross-Site Scripting | [b"$_GET['page']", b"$_GET['page']"]                                               |
|  134 | Cross-Site Scripting | [b"$_GET['akismet_recheck']", b"$_GET['akismet_recheck']"]                         |
|  152 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  190 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  388 | Cross-Site Scripting | [b"$_GET['recheckqueue']"]                                                         |
|  841 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  843 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  850 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  851 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  852 | Cross-Site Scripting | [b"$_GET['_wpnonce']", b"$_GET['_wpnonce']"]                                       |
|  868 | Cross-Site Scripting | [b"$_GET['token']", b"$_GET['token']"]                                             |
|  869 | Cross-Site Scripting | [b"$_GET['token']"]                                                                |
|  873 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  874 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
| 1005 | Cross-Site Scripting | [b"$_GET['akismet_recheck_complete']"]                                             |
| 1006 | Cross-Site Scripting | [b"$_GET['recheck_count']"]                                                        |
| 1007 | Cross-Site Scripting | [b"$_GET['spam_count']"]                                                           |
|   31 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                                         |
|  256 | Cross-Site Scripting | [b"$_POST['_wpnonce']"]                                                            |
|  260 | Cross-Site Scripting | [b'$_POST[$option]', b'$_POST[$option]']                                           |
|  267 | Cross-Site Scripting | [b"$_POST['key']"]                                                                 |
|  392 | Cross-Site Scripting | [b"$_POST['offset']", b"$_POST['offset']", b"$_POST['limit']", b"$_POST['limit']"] |
|  447 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  448 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  460 | Cross-Site Scripting | [b"$_POST['id']", b"$_POST['url']"]                                                |
|  461 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  464 | Cross-Site Scripting | [b"$_POST['url']"]                                                                 |
|  388 | Cross-Site Scripting | [b"$_REQUEST['action']", b"$_REQUEST['action']"]                                   |
|  400 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]                         |
--------------------------------------------------------------------------------------------------------------------
[ i ] Scanning trunk/class.akismet-rest-api.php file
[ + ] Not found vulnerabilities

Credits and Contributors
Original idea and script from WPScan Team (https://wpscan.org/)
WPScan Vulnerability Database (https://wpvulndb.com/api)




Share:

Nmap 7.70 - Free Security Scanner: Better service and OS detection, 9 new NSE scripts, new Npcap, and much more



Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix ReloadedDie Hard 4Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features
  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detectionversion detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including LinuxMicrosoft WindowsFreeBSDOpenBSDSolarisIRIXMac OS XHP-UXNetBSDSun OSAmiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog

Here is the full list of significant changes:

• [Windows] We made a ton of improvements to our Npcap Windows packet
capturing library (https://nmap.org/npcap/) for greater performance and
stability, as well as smoother installer and better 802.11 raw frame
capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
0.99-r2, including all these changes from the last seven Npcap releases:
https://nmap.org/npcap/changelog

• Integrated all of your service/version detection fingerprints submitted
from March 2017 to August 2017 (728 of them). The signature count went up
1.02% to 11,672, including 26 new softmatches.  We now detect 1224
protocols from filenet-pch, lscp, and netassistant to sharp-remote,
urbackup, and watchguard.  We will try to integrate the remaining
submissions in the next release.

• Integrated all of your IPv4 OS fingerprint submissions from September
2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new
total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android
7, and more.

• Integrated all 33 of your IPv6 OS fingerprint submissions from September
2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were
added, as well as strengthened groups for Linux and OS X.

• Added the --resolve-all option to resolve and scan all IP addresses of a
host.  This essentially replaces the resolveall NSE script. [Daniel Miller]

• [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
traversal vulnerability) in the way the non-default http-fetch script
sanitized URLs. If a user manualy ran this NSE script against a malicious
web server, the server could potentially (depending on NSE arguments used)
cause files to be saved outside the intended destination directory.
Existing files couldn't be overwritten.  We fixed http-fetch, audited our
other scripts to ensure they didn't make this mistake, and updated the
httpspider library API to protect against this by default. [nnposter,
Daniel Miller]

• [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - deluge-rpc-brute performs brute-force credential testing against
   Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
   - hostmap-crtsh lists subdomains by querying Google's Certificate
   Transparency logs. [Paulino Calderon]
   - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
   reports back the IP address and port of the actual server behind the
   load-balancer. [Seth Jackson]
   - http-jsonp-detection Attempts to discover JSONP endpoints in web
   servers. JSONP endpoints can be used to bypass Same-origin Policy
   restrictions in web browsers. [Vinamra Bhatia]
   - http-trane-info obtains information from Trane Tracer SC controllers
   and connected HVAC devices. [Pedro Joaquin]
   - [GH#609] nbd-info uses the new nbd.lua library to query Network Block
   Devices for protocol and file export information. [Mak Kolybabi]
   - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
   vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
   SSH and TLS services. [Daniel Miller]
   - [GH#987] smb-enum-services retrieves the list of services running on a
   remote Windows machine. Modern Windows systems requires a privileged domain
   account in order to list the services. [Rewanth Cool]
   - tls-alpn checks TLS servers for Application Layer Protocol Negotiation
   (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
   which tls-nextprotoneg was written for. [Daniel Miller]

• [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN.
This was causing Ncat 7.60 in connect mode to quit with error: libnsock
select_loop(): nsock_loop error 10038: An operation was attempted on
something that is not a socket.  [nnposter]

• [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
renegotiation, the same issue that was partially fixed for server mode in
[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
Miller]

• [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
misbehaving or rate-limiting services. Most significantly,
brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
reporing infinite loops and proposing changes.

• [NSE] VNC scripts now support Apple Remote Desktop authentication (auth
type 30) [Daniel Miller]

• [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed
out. [Aniket Pandey]

• [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
message, since the first message usually only has one address in it. [h43z]

• [Ncat][GH#1139] Ncat now selects the correct default port for a given
proxy type. [Pavel Zhukov]

• [NSE] memcached-info can now gather information from the UDP memcached
service in addition to the TCP service. The UDP service is frequently used
as a DDoS reflector and amplifier. [Daniel Miller]

• [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]

• Removed deprecated and undocumented aliases for several long options that
used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

• Improved service scan's treatment of soft matches in two ways. First of
all, any probes that could result in a full match with the soft matched
service will now be sent, regardless of rarity.  This improves the chances
of matching unusual services on non-standard ports.  Second, probes are now
skipped if they don't contain any signatures for the soft matched service.
Perviously the probes would still be run as long as the target port number
matched the probe's specification.  Together, these changes should make
service/version detection faster and more accurate.  For more details on
how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]

• --version-all now turns off the soft match optimization, ensuring that
all probes really are sent, even if there aren't any existing match lines
for the softmatched service. This is slower, but gives the most
comprehensive results and produces better fingerprints for submission.
[Daniel Miller]

• [NSE][GH#1083] New set of Telnet softmatches for version detection based
on Telnet DO/DON'T options offered, covering a wide variety of devices and
operating systems. [D Roberson]

• [GH#1112] Resolved crash opportunities caused by unexpected libpcap
version string format. [Gisle Vanem, nnposter]

• [NSE][GH#1090] Fix false positives in rexec-brute by checking responses
for indications of login failure. [Daniel Miller]

• [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
destination directories. [Aniket Pandey]

• [NSE] Added new fingerprints to http-default-accounts:
+ Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
+ [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob
Fitzpatrick, Paulino Calderon]

• Added a new service detection match for WatchGuard Authentication
Gateway. [Paulino Calderon]

• [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
(parameter qscan.delay). [nnposter]

• [NSE][GH#1046] Script http-headers now fails properly if the target does
not return a valid HTTP response. [spacewander]

• [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
default, in accordance with RFC 7465. [Codarren Velvindron]

• [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused
by not checking the error code in responses. Implementations which return
an error are not vulnerable. [Juho Jokelainen]

• [NSE][GH#958] Two new libraries for NSE.

   - idna - Support for internationalized domain names in applications
   (IDNA)
   - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool]

• [NSE] New fingerprints for http-enum:

   - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
   - [GH#767] Many WordPress version detections [Rewanth Cool]

• [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues
[nnposter]:

   - Usernames and/or passwords could not be empty
   - Passwords could not contain colons
   - SOCKS5 authentication was not properly documented
   - SOCKS5 authentication had a memory leak

• [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to
be run. [Lukas Schwaighofer]

• [GH#977] Improved DNS service version detection coverage and consistency
by using data from a Project Sonar Internet wide survey. Numerouse false
positives were removed and reliable softmatches added. Match lines for
version.bind responses were also conslidated using the technique below.
[Tom Sellers]

• [GH#977] Changed version probe fallbacks so as to work cross protocol
(TCP/UDP). This enables consolidating match lines for services where the
responses on TCP and UDP are similar. [Tom Sellers]

• [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle
compression. This work started during GSOC 2014, so we're particularly
pleased to finally integrate it! [Claudiu Perta, Daniel Miller]

• [NSE][GH#1004] Fixed handling of brute.retries variable. It was being
treated as the number of tries, not retries, and a value of 0 would result
in infinite retries. Instead, it is now the number of retries, defaulting
to 2 (3 total tries), with no option for infinite retries.

• [NSE] http-devframework-fingerprints.lua supports Jenkins server
detection and returns extra information when Jenkins is detected [Vinamra
Bhatia]

• [GH#926] The rarity level of MS SQL's service detection probe was
decreased. Now we can find MS SQL in odd ports without increasing version
intensity. [Paulino Calderon]

• [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version".
We were always reporting the version number of the included source, even
when a different version was actually linked. [Pavel Zhukov]

• Add a new helper function for nmap-service-probes match lines: $I(1,">")
will unpack an unsigned big-endian integer value up to 8 bytes wide from
capture 1. The second option can be "<" for little-endian. [Daniel Miller]


Share:

Monday, July 2, 2018

Taipan - Web Application Security Scanner


Taipan is a an automated web application scanner which allows to identify web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which include other components, like a web dashboard where you can manage your scan or download a PDF report and a scanner agent to run on specific host. Below are some screenshots of the Taipan dashboard:







If you are interested in trying the full product, you can contact: aparata[AT]gmail.com
Download

Using Taipan
Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related Kanban board.

Scan Profile
Taipan allow to scan the given web site by specify different kind of profiles. Each profile enable or disable a specific scan feature, to show all the available profile just run Taipan with the --show-profiles option.

Scan/Stop/Pause a scan
During a scan you can interact with it by set the scan in Pause or Stop it if necessary. In order to do so you have to press:
  • P: pause the scan
  • S: stop the scan
  • R: resume a paused scan
The state change is not immediate and you have to wait until all threads have reached the desider state.

Launch a scan
To launch a new scan you have to provide the url and the profile which must be used. It is not necessary to specify the full profile name, a prefix is enough. Below an example of execution:


Taipan Components
Taipan is composed of four main components:
  • Web Application fingerprinter: it inspects the given application in order to identify if it is a COTS application. If so, it extracts the identified version.
  • Hidden Resource Discovery: this component scans the application in order to identify resources that are not directly navigable or that shouldn't be accessed, like secret pages or test pages.
  • Crawler: This component navigates the web site in order to provide to the other components a list of pages to analyze. It allows to mutate the request in order to find not so common pathes.
  • Vulnerability Scanner: this component probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOn in order to easily expand its Knowledge Base.

Share:

Sunday, January 21, 2018

Penetration Testing Tool for Testing Web Applications - OWASP ZAP 2.7.0


The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

For general information about ZAP:
  • Home page - the official ZAP page on the OWASP wiki (includes a donate button;)
  • Twitter - official ZAP announcements (low volume)
  • Blog - official ZAP blog
  • Monthly Newsletters - ZAP news, tutorials, 3rd party tools and featured contributors
  • Swag! - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License
For help using ZAP:
Information about the official ZAP Jenkins plugin:
To learn more about ZAP development:


Share:

Saturday, November 25, 2017

Tool To Analyse Packets, Decoding , Scanning Ports, And Geolocation - CyberScan


CyberScan is an open source penetration testing tool that can analyse packets , decoding , scanning ports, pinging and geolocation of an IP including (latitude, longitude , region , country ...)



Operating Systems Supported
  • Windows XP/7/8/8.1/10
  • GNU/Linux
  • MacOSX

Installation
You can download CyberScan by cloning the Git repository:
git clone https://github.com/medbenali/CyberScan.git
cd CyberScan/
python CyberScan.py -v
CyberScan works out of the box with Python version 2.6.x and 2.7.x.


Share:

Saturday, October 28, 2017

Advanced vulnerability scanning with Nmap NSE - Vulscan




Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB.

Installation
Please install the files into the following folder of your Nmap installation:
Nmap\scripts\vulscan\*

Usage
You have to run the following minimal command to initiate a simple vulnerability scan:
nmap -sV --script=vulscan/vulscan.nse www.example.com

Vulnerability Database
There are the following pre-installed databases available at the moment:

Single Database Mode
You may execute vulscan with the following argument to use a single database:
--script-args vulscandb=your_own_database
It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:
<id>;<title>
Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

Update Database
The vulnerability databases are updated and assembled on a regularly basis. To support the latest disclosed vulnerabilities, keep your local vulnerability databases up-to-date.
If you want to update your databases, go to the following web site and download these files:
Copy the files into your vulscan folder:
/vulscan/

Version Detection
If the version detection was able to identify the software version and the vulnerability database is providing such details, also this data is matched.
Disabling this feature might introduce false-positive but might also eliminate false-negatives and increase performance slighty. If you want to disable additional version matching, use the following argument:
--script-args vulscanversiondetection=0
Version detection of vulscan is only as good as Nmap version detection and the vulnerability database entries are. Some databases do not provide conclusive version information, which may lead to a lot of false-positives (as can be seen for Apache servers).

Match Priority
The script is trying to identify the best matches only. If no positive match could been found, the best possible match (with might be a false-positive) is put on display.
If you want to show all matches, which might introduce a lot of false-positives but might be useful for further investigation, use the following argument:
--script-args vulscanshowall=1

Interactive Mode
The interactive mode helps you to override version detection results for every port. Use the following argument to enable the interactive mode:
--script-args vulscaninteractive=1

Reporting
All matching results are printed one by line. The default layout for this is:
[{id}] {title}\n
It is possible to use another pre-defined report structure with the following argument:
--script-args vulscanoutput=details
--script-args vulscanoutput=listid
--script-args vulscanoutput=listlink
--script-args vulscanoutput=listtitle
You may enforce your own report structure by using the following argument (some examples):
--script-args vulscanoutput='{link}\n{title}\n\n'
--script-args vulscanoutput='ID: {id} - Title: {title} ({matches})\n'
--script-args vulscanoutput='{id} | {product} | {version}\n'
Supported are the following elements for a dynamic report template:
  • {id} - ID of the vulnerability
  • {title} - Title of the vulnerability
  • {matches} - Count of matches
  • {product} - Matched product string(s)
  • {version} - Matched version string(s)
  • {link} - Link to the vulnerability database entry
  • \n - Newline
  • \t - Tab
Every default database comes with an url and a link, which is used during the scanning and might be accessed as {link} within the customized report template. To use custom database links, use the following argument:
--script-args "vulscandblink=http://example.org/{id}"

Disclaimer
Keep in mind that this kind of derivative vulnerability scanning heavily relies on the confidence of the version detection of nmap, the amount of documented vulnerebilities and the accuracy of pattern matching. The existence of potential flaws is not verified with additional scanning nor exploiting techniques.



Share:

Tuesday, August 29, 2017

Nmap 7.60 - Free Security Scanner For Network Exploration & Security Audits



Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix ReloadedDie Hard 4Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features
  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detectionversion detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including LinuxMicrosoft WindowsFreeBSDOpenBSDSolarisIRIXMac OS XHP-UXNetBSDSun OSAmiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog

• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several
issues with installation and compatibility with the Windows 10 Creators
Update.

• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]

• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - ftp-syst sends SYST and STAT commands to FTP servers to get system
   version and connection information. [Daniel Miller]
   - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection
   vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
   - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
   Timorin, Daniel Miller]
   - [GH#915] openwebnet-discovery retrieves device identifying information
   and number of connected devices running on openwebnet protocol. [Rewanth
   Cool]
   - puppet-naivesigning checks for a misconfiguration in the Puppet CA
   where naive signing is enabled, allowing for any CSR to be automatically
   signed. [Wong Wai Tuck]
   - [GH#943] smb-protocols discovers if a server supports dialects NT LM
   0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
   smbv2-enabled script. [Paulino Calderon]
   - [GH#943] smb2-capabilities lists the supported capabilities of
   SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-time determines the current date and boot date of SMB2
   servers. [Paulino Calderon]
   - [GH#943] smb2-security-mode determines the message signing
   configuration of SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-vuln-uptime attempts to discover missing critical
   patches in Microsoft Windows systems based on the SMB2 server uptime.
   [Paulino Calderon]
   - ssh-auth-methods lists the authentication methods offered by an SSH
   server. [Devin Bjelland]
   - ssh-brute performs brute-forcing of SSH password credentials. [Devin
   Bjelland]
   - ssh-publickey-acceptance checks public or private keys to see if they
   could be used to log in to a target. A list of known-compromised key pairs
   is included and checked by default. [Devin Bjelland]
   - ssh-run uses user-provided credentials to run commands on targets via
   SSH. [Devin Bjelland]

• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.

• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect
(client) mode with --udp --ssl. Also added Application Layer Protocol
Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,
Daniel Miller]

• Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas
Backup Exec Agent 15 or 16. [Andrew Orr]

• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino
Calderon]

• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]

• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

• [NSE][GH#936] Function url.escape no longer encodes so-called
"unreserved" characters, including hyphen, period, underscore, and tilde,
as per RFC 3986. [nnposter]

• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]

• [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g.
"1.0". [nnposter]

• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by
ldap.lua. [Tom Sellers]

• [NSE] Fix line endings in the list of Oracle SIDs used by
oracle-sid-brute. Carriage Return characters were being sent in the
connection packets, likely resulting in failure of the script. [Anant
Shrivastava]

• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP
status (usually 403 Forbidden) in addition to redirects to indicate
forbidden User Agents. [Gyanendra Mishra]


Share:

Thursday, July 27, 2017

Avoid being scanned by spoiling movies on all your ports! - spoilerwall




Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!
Firewall? How about Fire'em'all! Stop spending thousand of dollars on big teams that you don't need! Just fire up the Spoilers Server and that's it!

Movie Spoilers DB + Open Ports + Pure Evil = Spoilerwall

Set your own:
  1. Clone this repo
$ git clone git@github.com:infobyte/spoilerwall.git
  1. Edit the file server-spoiler.py and set the HOST and PORT variables.
  2. Run the server
$ python2 server-spoiler.py
The server will listen on the selected port (8080 by default). Redirect incoming TCP traffic in all ports to this service by running:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination {HOST}:{PORT}
Change {HOST} and {PORT} for the values set in step (2). Also, if the traffic is redirected to localhost, run:
sysctl -w net.ipv4.conf.eth0.route_localnet=1
Using this config, an nmap scan will show every port as open and a spoiler for each one.
View the live demo running in spoilerwall.faradaysec.com
~ ❯❯❯ telnet spoilerwall.faradaysec.com 23

Trying 138.197.196.144...

Connected to spoilerwall.faradaysec.com.

Escape character is '^]'.

Gummo

Fucked up people killing cats after a tornado

Connection closed by foreign host.
Browse in Shodan (but beware of the Spoilers!):
https://www.shodan.io/host/138.197.196.144
Be careful in your next CTF - you never know when the spoilers are coming!



Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition