Vulnerability Scanner - HellRaiser

Install
Install ruby, bundler and rails. https://gorails.com/setup/ubuntu/16.04
Install redis-server and nmap.

sudo apt-get update
sudo apt-get install redis-server nmap

Clone HellRaiser repository, change to hellraiser web app directory and run bundle install.

git clone https://github.com/m0nad/HellRaiser/
cd HellRaiser/hellraiser/
bundle install

Start
Start redis server.

redis-server

Go to the hellraiser web app directory and start sidekiq.

bundle exec sidekiq

Go to the hellraiser web app directory and start rails server.

rails s

Usage
Access http://127.0.0.1:3000

How it works?
HellRaiser scan with nmap then correlates cpe's found with cve-search to enumerate vulnerabilities.

Download HellRaiser

Read More

OpenSource /Malware Analysis Pipeline System - Aleph

What?

Aleph is designed to pipeline the analysis of malware samples. It has a series of collectors that will gather samples from many sources and shove them into the pipeline. The sample manager has a series of plugins that are ran against the sample and returns found data into JSON form.

These JSON data can be further processed and queried in a objective manner instead of grepping and regexing.

How?

The main Aleph daemon is a loose-coupled python application and library. These are composed by the Aleph Service that spawns:

1.The Collectors. These are responsible for going to multiple sources (Filesystem folder, IMAP folder, FTP directory etc) and collect all the files there, store locally and add them to the processing queue. Each collector runs in its own process (fork).

2.Multiple (quantity is configurable) parallel SampleManager services (that will pull samples from the work queue and process them) and run the plugins that receives the sample path and return the JSON object of found artifacts.

3.The sample object is converted to JSON along with its data and is stored into an Elasticsearch backend.

Installing Aleph

Requirements

In order to get a clean and nice install, you should download some requirements: Ubuntu/Debian

apt-get install python-pyrex libffi-dev libfuzzy-dev python-dateutil libsqlite3-dev

ElasticSearch

First if you don't have an Elasticsearch instance ready, you must install one.
For Debian/Ubuntu/Redhat/Fedora/CentOS (yum + apt basically) users, follow this guide.
** Remember: Elasticsearh uses JVM, so you also must install it =) **

Python modules

We strongly suggest that you use python's virtual environment so you don't pollute the rest of your OS installation with python modules. To make a contained virtual environment, install virtualenv with pip:

pip install virtualenv

Go to the desired Aleph installation folder and type the following to create and activate your virtual environment:

virtualenv venv # 'venv' can be any name

source venv/bin/activate

There will be the environment name (venv) appended to your PS1 variable:

(venv)(2014-08-19 17:36:%)(~/opt/aleph/)

All python modules required are listed on the requirements.txt file on the root repository folder. You can install all of them at once using pip:

pip install -r requirements.txt

Then clone the repository and copy the settings file:

git clone https://github.com/merces/aleph.git --branch aleph-python --single-branch .

cp aleph/settings.py.orig aleph/settings.py

Edit settings.py and add a local source (a folder where Aleph will search for samples - WARNING: ALEPH WILL MOVE THE SAMPLE THUS REMOVING FROM THE ORIGINAL FOLDER) The folder must exists as Aleph won't try to create them

SAMPLE_SOURCES = [

    ('local', {'path': '/opt/aleph/unprocessed_samples'}),

]

Review your Elasticsearch installation URI

ELASTICSEARCH_URI = '127.0.0.1:9200'

** Workaround step ** As I still finish some of the code, there are some folders that are not on the repository and must be created manually and set accordingly on the settings.py file:

SAMPLE_TEMP_DIR = '/opt/aleph/temp'

SAMPLE_STORAGE_DIR = '/opt/aleph/samples'

Remember to verify folders permissioning. And Aleph is ready to run!

Running

Go to Aleph folder, activate the virtual environment and run the bin/aleph-server.py as following:

cd /opt/aleph/

source venv/bin/activate

./bin/aleph-server.py

And that's it. Check your logs under log/aleph.log to any troubleshooting.

Install the Web interface(Webui)

Edit the "SERVER_NAME" constant at your settings.py file. ex: SERVER_NAME = 'mydomain.com:90'
then create the following entry:

SECRET_KEY = 'Pu7s0m3cryp7l337here' #do not use this ;)

SAMPLE_SUBMIT_FOLDER= '/some/path' #where samples will be submitted from webui

Setup your database:

python bin/db_create.py

Run the webui script:

bin/aleph-webui.sh

To access your webinterface open your favorite browser at http://SERVER_NAME #That value you changed before.

Login: admin

Password: changeme12!

Note: For sake of Security's God, CHANGE YOUR PASSWORD! ;)

But if you do not like our webinterface you still can use other softwares to review and query data on elasticsearch. I strongly suggest this Chrome REST client plugin or the great Kibana

Currently implemented

Collectors

ºFileCollector: grabs samples from a local directory
ºMailCollector: grabs samples from email attachments on a IMAP folder

Plugins

ºPEInfo : extracts info from PE files such as entrypoint, number of sections and some PE characteristics(SEH/ASLR/DEP).
ºZipArchivePlugin: extracts zip files and puts their contents back into analysis queue.
ºStringsPlugin: extracts strings from sample into three categories: All Strings, URI Strings and Filename Strings (not 100% but we do our best).
ºVirustotalPlugin: check a sample SHA256 hash against Virustotal database and get the report. If that hash doesnt exist, send the file to analise.
ºTrID: check the filetype of a sample.

Download Aleph

Read More

Network Logon Cracker - THC-Hydra 8.2

 A very fast network logon cracker which support many different services.

See feature sets and services coverage page - incl. a speed comparison against ncrack and medusa.Number one of the biggest security holes are passwords, as every password security study shows.

This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently this tool supports the following protocols:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.2

 ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
 
 * Added RTSP module, thanks to jjavi89 for supplying!
 * Added patch for ssh that fixes hyra stopping to connect, thanks to ShantonRU for the patch
 * Added new -O option to hydra to support SSL servers that do not suport TLS
 * Added xhydra gtk patche by Petar Kaleychev to support modules that do not use usernames
 * Added patch to redis for initial service checking by Petar Kaleychev - thanks a lot!
 * Added support in hydra-http for http-post (content length 0)
 * Fixed important bug in http-*://server/url command line processing
 * Added SSL SNI support
 * Fixed bug in HTTP Form redirection following - thanks for everyone who reported and especially to Hayden Young for setting up a test page for debugging
 * Better library finding in ./configure for SVN + support for Darwin Homebrew (and further enhanced)
 * Fixed http-form module crash that only occurs on *BSD/OSX systems. Thanks to zdk for reporting!
 * Fixed for SSL connection to support TLSv1.2 etc.
 * Support for different RSA keylengths, thanks to fann95 for the patch
 * Fixed a bug where the cisco-enable module was not working with the password-only logon mode
 * Fixed an out of memory bug in http-form
 * Fixed imap PLAIN method
 * Fixed -x option to bail if it would generate too many passwords (more than 4 billion)
 * Added warning if HYDRA_PROXY_CONNECT environment is detected, that is an outdated setting
 * Added --fhs switch to configure (for Linux distribution usage)

Download THC-Hydra 8.2

Read More

Collection Of Tools To Detect, Record And Prevent Attacks On Web Applications - Shadowd

Shadow Daemon is a collection of tools to detect , record and prevent attacks on web application. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.

This is the main component that handles the analysis and storage of requests.

Documentation
For the full documentation please refer to shadowd.zecure.org .

Installation

Preparation
Use cmake to configure and prepare the project. It is a good idea to create a separate directory for this. A typical installation might look like this.

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..

Compilation
If cmake is successful it creates a makefile. Use it to compile and install the project.

make shadowd
make install

Database
Install and configure a database server. At the moment shadowd officially supports PostgreSQL and MySQL. Afterwards create a new user and database for shadowd and import the correct layout.
If you are using PostgreSQL you can use psql to import the layout.

psql -Ushadowd shadowd < /usr/share/shadowd/pgsql_layout.sql

If you are using MySQL you can use mysql to import the layout. The user requires the CREATE ROUTINE privilege.

mysql -ushadowd -p shadowd < /usr/share/shadowd/mysql_layout.sql

Configuration
The installer copies the configuration file to /etc/shadowd/shadowd.ini . The file is annotated and should be self-explanatory.

Download Shadowd

Read More

A Tool that Transforms Firefox Browsers into a Penetration Testing Suite - Firefox Security Toolkit

A tool that transforms Firefox Browsers into a penetration testing suite

How?

It downloads the most important extensions, and install it on your browser. The used extensions has been chosen by a survey among the information security community. Based on it's results, Firefox Security Toolkit was made. Also, it allows you to download Burp Suite certificate and a large user-agent list for User-Agent Switcher. Making it one-click away to prepare your web-application testing browser.

How does it differs from well-known projects, such as OWASP Mantra and Hcon STF ?

OWASP Mantra and Hcon STF are not regularly updated, and needs a lot of work in order to develop and maintain. Meanwhile, Firefox Security Toolkit does not need a additional maintaining, although I would be maintaining it for any issues/bugs if needed. The used extensions are downloaded from Mozilla Addons Store with its latest version, to ensure the best testing experience for the penetration tester.

Who can use Firefox Security Toolkit ?

Web-Application Penetration Testers, Information Security Learners, and basically anyone interested in web-application security.

Compatibility:

The project currently supports Linux/Unix environments.

Usage:

bash ./firefox_security_toolkit.sh

Demo Video:

Available Addons:

• Cookie Export/Import
• Cookie Manager
• Copy as Plain Text
• Crypto Fox
• CSRF-Finder
• Disable WebRTC
• FireBug
• Fireforce
• FlagFox
• Foxy Proxy
• HackBar
• Live HTTP Headers
• Multi Fox
• PassiveRecon
• Right-Click XSS
• Tamper Data
• User Agent Switcher
• Wappalyzer
• Web Developer

Additional Features:

• Downloading Burp Suite Certificate
• Downloading a large user-agent list for User-Agent Swithcer

Download Firefox-Security-Toolkit

Read More

Identifies and Fingerprints Web Application Firewall (WAF) Products - WAFW00F

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

How does it work?

To do its magic, WAFW00F does the following:

• Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
• If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
• If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

For further details, check out the source code on the main site, github.com/sandrogauci/wafw00f .

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:

$ ./wafw00f -l

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Anquanbao
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
F5 BIG-IP APM
360WangZhanBao
ModSecurity (OWASP CRS)
PowerCDN
Safedog
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Imperva SecureSphere
Incapsula WAF
Citrix NetScaler
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
Barracuda Application Firewall
F5 BIG-IP ASM
Profense
Mission Control Application Shield
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

How do I use it?

For help please make use of the --help option. The basic usage is to pass it a URL as an argument. 

Example:

$./wafw00f https://www.ibm.com/

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking https://www.ibm.com/
The site https://www.ibm.com/ is behind a Citrix NetScaler
Number of requests: 6

How do I install it?

The following should do the trick:

python setup.py install

or

pip install wafw00f

Download WAFW00F

Read More

Burp Suite JavaScript Beautifier - BurpSuiteJSBeautifier

Most of the websites compress their resources such as JS files in order to increase the loading speed. However, security testing and debugging a compressed resource is not an easy task. This is a Burp Suite open source extension which makes it possible to beautify most of the resources properly. Therefore, it will help the web application security researchers to view the compressed resources easier. It also helps them to have the decompressed versions of the resources (such as JS, CSS, HTML, XML, and so on) inside the browsers to debug them without any problem.

Using the application:

Step 0- (Downloading) Download "jsbeautifier.jar" file and "libs" directory.

Step 1- (Adding Libraries) Now under "Extender" tab, click on the "Options" tab; in "Java Environment" section, click on "Select folder ..." button and select the "libs" folder that contains "js.jar" and "rsyntaxtextarea.jar".

Step 2- (Adding Extension) In Burp Suite, click on the "Extender" tab, then click on "Add" button and select "jsbeautifier.jar" file.

Step 3- (Testing Extension) Now you should be able to see "JSBeautifier Settings" tab in burp suite. You can also manually beautify requests/responses by using right click and selecting the "Beautify This!" option. If it cannot beautify anything, check your Burp Suite extension settings and make sure that you have added the requested libraries; Unload/Load the extension and try again.

Features:

• Works with the latest version of Burp Suite (tested on 1.5.21)
• Manual beautifying the requests/responses
• Automatic beautifying the responses in proxy
• Automatic beautifying the responses in all tabs
• Can support Burp suite scope
• Mimicking exact behaviour of JSBeautifier.org website by using Rhino library
• Supporting multiple file types (JS, CSS, HTML, and so on)
• Detecting packers and obfuscators (based on JSBeautifier.org)
• Syntax highlighter in the read-only editor by using Fifesoft RSyntaxTextArea library
• Open Source

This extension is based on the following modules/libraries (included in repository):

• JS files of http://jsbeautifier.org/ - Written by Einar Lielmanis, einar@jsbeautifier.org
• Rhino library - http://www.mozilla.org/rhino/
• Fifesoft RSyntaxTextArea library: http://fifesoft.com/rsyntaxtextarea/

Limitations:

• Limitations of jsbeautifier.org
• Only support UTF-8 for texts

Reporting bugs:

If you have found an issue, please use “Debug Mode” option and attach the extension's Output and Error files to your report. I may not be able to replicate the issue without having this information.

Tested on:

This extension has been tested on Burp Suite Pro v1.5.21 with Java v7ux. If you are using an older version of Burp Suite, you may be able to use version 0.1a of this extension which is located at https://code.google.com/p/burp-suite-beautifier-extension/

Some screenshots:

Download BurpSuiteJSBeautifier

Read More

Browser Based Security Framework - Mantra Janus

OWASP Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

Browser Based Security Framework: Mantra Janus

OWASP Mantra is a free and open source security toolkit with a collection of add-ons and scripts based on Firefox and Chromium. It is intended for web application penetration testers, web application developers, security professionals, etc. Earlier versions of Mantra used Firefox as base named “Mantra Security Toolkit’. From September 2011 onwards Mantra started offering a new distribution called ‘MoC’, based on Google Chrome. As of May 2012, both the products are available and are active.


Features

Mantra comes packed with many tools and other extensions that are useful for web application penetration testing. Some additional changes are applied to the normal Firefox to avoid extra traffic and noises.

Other notable features include:

ºFireCAT/ KromCAT menu structure makes the tools menu more organised and easy to access.
ºSidebar of Mantra provides quick access to tools and other features
ºThe awesome bar acts as URL bar and search bar at the same time. Various details about the currently visited webpage are also shown in the awesome bar.
ºAdd to search bar feature helps users to customise default search feature of awesome bar.
ºURL increment/ decrement buttons helps in applying quick changes to the URL.
ºHackery aka The Open Pentest Bokkmarks Collection gives links to various resources and portal that are related to penetration testing.
ºGalley bookmarks provides links to various on-line penetration testing related services.
ºProxy, Cookie and Cache management tools
ºFTP, SSH, REST and SQLite clients


Tools


The OWASP Mantra Security Toolkit has tools under the following categories:

ºInformation gathering
ºEditors
ºNetwork utilities
ºMiscellaneous
ºApplication auditing
ºProxy


Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Download Mantra

Read More

Passive-Analysis Tool - Watcher

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won’t damage production systems, it’s completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy. With Fiddler you can capture all HTTP traffic, intercept and modify, replay requests, and much much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing for seamless integration with today’s complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web-application.


A Passive tool for Web Security Testing and Auditing

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won’t damage production systems, it’s completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.


Major Features:

1. Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
2. Works seamlessly with complex Web 2.0 applications while you drive the Web browser
3. Non-intrusive, will not raise alarms or damage production sites
4. Real-time analysis and reporting – findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
5. Configurable domains with wildcard support
6. Extensible framework for adding new checks


Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy. With Fiddler you can capture all HTTP traffic, intercept and modify, replay requests, and much much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing for seamless integration with today’s complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web-application.

Watcher is built in C# as a small framework with 30+ checks already included. It’s built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments. Examples of the types of issues Watcher will currently identify:


ºASP.NET VIEWSTATE insecure configurations
ºJavaServer MyFaces ViewState without cryptographic protections
ºCross-domain stylesheet and javascript references
ºUser-controllable cross-domain references
ºUser-controllable attribute values such as href, form action, etc.
ºUser-controllable javascript events (e.g. onclick)
ºCross-domain form POSTs
ºInsecure cookies which don’t set the HTTPOnly or secure flags
ºOpen redirects which can be abused by spammers and phishers
ºInsecure Flash object parameters useful for cross-site scripting
ºInsecure Flash crossdomain.xml
ºInsecure Silverlight clientaccesspolicy.xml
ºCharset declarations which could introduce vulnerability (non-UTF-8)
ºUser-controllable charset declarations
ºDangerous context-switching between HTTP and HTTPS
ºInsufficient use of cache-control headers when private data is concerned (e.g. no-store)
ºPotential HTTP referer leaks of sensitive user-information
ºPotential information leaks in URL parameters
ºSource code comments worth a closer look
ºInsecure authentication protocols like Digest and Basic
ºSSL certificate validation errors
ºSSL insecure protocol issues (allowing SSL v2)
ºUnicode issues with invalid byte streams
ºSharepoint insecurity checks
ºmore….



Reducing false positives is a high priority, suggestions are welcome. Right now each check takes steps to reduce false positives, some better than others, and checks can be individually disabled if they’re generating too much noise.

Download  Watcher

Read More