Thursday, June 30, 2016

Collection Of Tools To Detect, Record And Prevent Attacks On Web Applications - Shadowd



Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.

This is the main component that handles the analysis and storage of requests.

Documentation
For the full documentation please refer to shadowd.zecure.org.

Installation

Preparation
Use cmake to configure and prepare the project. It is a good idea to create a separate directory for this. A typical installation might look like this:

    mkdir build
    cd build
    cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..

Compilation
If cmake is successful it creates a makefile. Use it to compile and install the project.

    make shadowd
    make install

Database
Install and configure a database server. At the moment shadowd officially supports PostgreSQL and MySQL. Afterwards create a new user and database for shadowd and import the correct layout.

If you are using PostgreSQL you can use psql to import the layout.

    psql -Ushadowd shadowd < /usr/share/shadowd/pgsql_layout.sql

If you are using MySQL you can use mysql to import the layout. The user requires the CREATE ROUTINE privilege.

    mysql -ushadowd -p shadowd < /usr/share/shadowd/mysql_layout.sql

Configuration
The installer copies the configuration file to /etc/shadowd/shadowd.ini. The file is annotated and should be self-explanatory.



Ruby In The Middle (HTTP/HTTPS Interception Proxy) - RITM



Ruby in the middle (RITM) is an HTTP/HTTPS interception proxy with on-the-fly certificate generation and signing, which leaves the user with the full power of the Ruby language to intercept and even modify requests and responses as she pleases.

Installation

    gem install ritm   

Basic usage
  1. Write your interception handlers
    require 'ritm'

    # A single answer for all your google searches
    Ritm.on_request do |req|
      # Requests without a query string have a nil query, so check before gsub
      if req.request_uri.host.start_with?('www.google.') && req.request_uri.query
        new_query_string = req.request_uri.query.gsub(/(?<=^q=|&q=)(((?!&|$).)*)(?=&|$)/, 'RubyInTheMiddle')
        req.request_uri.query = new_query_string
      end
    end

    # Read the image as raw bytes
    my_picture = File.binread('i_am_famous.jpg')

    # Replaces every picture on the web with my pretty face
    Ritm.on_response do |_req, res|
      if res.header['content-type'] && res.header['content-type'].start_with?('image/')
        res.header['content-type'] = 'image/jpeg'
        res.body = my_picture
      end
    end
  2. Start the proxy server
    proxy = Ritm::Proxy::Launcher.new
    proxy.start

    puts 'Hit enter to finish'
    gets

    proxy.shutdown
  3. Configure your browser
    Or whatever HTTP client you want to intercept traffic from, to connect to the proxy at localhost:8080
  4. Browse the web!
    For the examples above, search for anything in Google and also visit your favorite newspaper website.

Trusting self-signed certificates generated by RITM

With the previous example your client might have encountered issues when trying to access HTTPS resources. In some cases you can add an exception to your browser (or instruct your HTTP client not to verify certificates), but in other cases you won't be able to add exceptions. The reason is that, in order to decrypt and modify SSL traffic, RITM has to be the one doing the SSL negotiation with the client (using its own set of certificates), and it then establishes a separate SSL session towards the server. I.e.:

Client <--- SSL session ---> RITM <--- SSL session ---> Server

For every different server's hostname your client tries to communicate with, RITM will generate a certificate on the fly and sign it with a pre-configured Certificate Authority (CA). So, in order to be able to establish a secure connection you will need to configure your client (e.g. browser) to trust RITM's CA.

For security reasons, every time you start RITM's proxy with the default settings it will generate a new internal Certificate Authority. To use your own CA instead (so it can be loaded and trusted by your browser) perform the following steps:
  1. Generate a Certificate Authority PEM and Private Key files
    You can use OpenSSL or RITM to generate these two files. With OpenSSL:
    openssl req -new -nodes -x509 -days 365 -extensions v3_ca -keyout insecure_ca.key -out insecure_ca.crt
    Or with RITM:
    require 'ritm/certs/ca'

    ca = Ritm::CA.create common_name: 'InsecureCA'

    File.write('insecure_ca.crt', ca.pem)
    File.write('insecure_ca.key', ca.private_key.to_s)
  2. Repeat step 2 from the previous example, this time indicating what CA should be used to sign certificates
    proxy = Ritm::Proxy::Launcher.new(ca_crt_path: 'path/to/insecure_ca.crt',
                                      ca_key_path: 'path/to/insecure_ca.key')
    proxy.start

    puts 'Hit enter to finish'
    gets

    proxy.shutdown
  3. Trust the CA certificate into your browser or client
    I'll leave it to you to figure out how this is done in your browser or client.
  4. Surf the web!
  5. When you are done, remove the CA from your trusted authorities!
    Or take really good care of the CA private key since anyone in possession of that key will be capable of decrypting all your traffic! Also notice that when using the proxy every server will be automatically trusted even if the end server certificate is not valid.
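
The trust relationship described in this section, as an added example (not code from RITM or its README): it builds a throwaway CA with Ruby's standard OpenSSL bindings, signs per-hostname certificates the way an intercepting proxy does, and checks which client trust stores accept them. The helper names and host names are assumptions made for illustration, and the code does not call RITM.

```ruby
require 'openssl'

# Constructed example: helper and host names are illustrative, not RITM's API.

# Unsigned X.509v3 certificate skeleton, valid for one hour.
def new_cert(subject_cn, public_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed CA, standing in for the CA an interception proxy signs with.
def make_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(common_name, key.public_key, 1)
  cert.issuer = cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Per-hostname leaf signed by the CA, one for every server name the client asks for.
def issue_leaf(hostname, ca_cert, ca_key, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(hostname, key.public_key, serial)
  cert.issuer = ca_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What a verifying client does: chain to a trusted CA, then match the host name.
def client_accepts?(leaf, hostname, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

def trust_demo
  ca, ca_key = make_ca('InsecureCA')
  bank = issue_leaf('bank.example', ca, ca_key, 2)
  mail = issue_leaf('mail.example', ca, ca_key, 3)
  # Same CA name but a new key pair, like the fresh CA that the default
  # settings generate on every start.
  new_ca, = make_ca('InsecureCA')
  {
    trusted_ca_accepts_bank: client_accepts?(bank, 'bank.example', [ca]),
    trusted_ca_accepts_mail: client_accepts?(mail, 'mail.example', [ca]),
    wrong_hostname: client_accepts?(bank, 'mail.example', [ca]),
    ca_not_trusted: client_accepts?(bank, 'bank.example', []),
    regenerated_ca: client_accepts?(bank, 'bank.example', [new_ca])
  }
end

trust_demo.each { |check, accepted| puts format('%-26s %s', check, accepted) }
```

The first two results show why a trusted interception CA must leave the trust store when testing is over: whoever holds its key can issue an accepted certificate for any host name. The last result shows why a CA regenerated on each start cannot be trusted once and reused.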


Wednesday, June 29, 2016

Hackpack & Kali Linux Tools - Lalin



Lalin is a remake of Lazykali by bradfreda with fixed bugs, new features and up-to-date tools. It is compatible with the latest release of Kali (Rolling).


Changelog

Lalin gets updated weekly with new features, improvements and bugfixes. Be sure to check out the [Changelog]

How it works
  • Extract lalin-master to your home directory or another folder
  • chmod +x Lalin.sh
  • Run the tool
  • Easy to use: just enter the number of the option you want

Usage

How to start a script?


$ sudo chmod +x Lalin.sh
$ sudo ./Lalin.sh

Credits

  1. Miffly @Edo -m- main developer of Lalin
  2. Bradfreda @Lazykali main developer of Lazykali
  3. Daniel for lazynmap www.commonexploits.com
  4. https://github.com/mazen160/Firefox-Security-Toolkit
  5. http://www.linuxsec.org/ ( Jack Wilder )
  6. Offensive Security for the awesome OS
  7. http://www.kali.org
  8. http://www.offensive-security.com

Disclaimer
Note: modifications, changes, or alterations to this source code are acceptable; however, any public releases utilizing this code must be approved by the writer of this tool ( Edo -m- ).




Web Application XSS Scanner - XssPy




XssPy is a Python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most tools do, it first traverses the website and finds all the links and subdomains. After that, it scans each and every input on each and every page that it found during its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested in parallel with paid vulnerability scanners, and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site, whereas XssPy first finds a lot of subdomains and then scans all the links altogether. The tool comes with:
  • Short Scanning
  • Comprehensive Scanning
  • Finding subdomains
  • Checking every input on every page

With this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.




Monday, June 27, 2016

A Tool that Transforms Firefox Browsers into a Penetration Testing Suite - Firefox Security Toolkit




A tool that transforms Firefox Browsers into a penetration testing suite

How?

It downloads the most important extensions and installs them in your browser. The extensions were chosen by a survey among the information security community, and Firefox Security Toolkit was built on its results. It also allows you to download the Burp Suite certificate and a large user-agent list for User-Agent Switcher, making it one click away to prepare your web-application testing browser.

How does it differ from well-known projects, such as OWASP Mantra and Hcon STF?

OWASP Mantra and Hcon STF are not regularly updated, and need a lot of work to develop and maintain. Meanwhile, Firefox Security Toolkit does not need additional maintenance, although I would be maintaining it for any issues/bugs if needed. The extensions are downloaded from the Mozilla Addons Store in their latest versions, to ensure the best testing experience for the penetration tester.

Who can use Firefox Security Toolkit?

Web-Application Penetration Testers, Information Security Learners, and basically anyone interested in web-application security.

Compatibility:

The project currently supports Linux/Unix environments.

Usage:

bash ./firefox_security_toolkit.sh

Available Addons:
  • Cookie Export/Import
  • Cookie Manager
  • Copy as Plain Text
  • Crypto Fox
  • CSRF-Finder
  • Disable WebRTC
  • FireBug
  • Fireforce
  • FlagFox
  • Foxy Proxy
  • HackBar
  • Live HTTP Headers
  • Multi Fox
  • PassiveRecon
  • Right-Click XSS
  • Tamper Data
  • User Agent Switcher
  • Wappalyzer
  • Web Developer

Additional Features:
  • Downloading Burp Suite Certificate
  • Downloading a large user-agent list for User-Agent Switcher




Security Layer for Arch Linux - ArchStrike




An Arch Linux repository for security professionals and enthusiasts.

Done the Arch Way and optimized for i686, x86_64, ARMv6, and ARMv7.

ArchStrike is a penetration testing and security layer on top of Arch Linux. We follow the Arch Linux standards very closely in order to keep our packages clean, proper and easy to maintain.

The team is working very hard to maintain the repository and give you the best ArchStrike experience.


FAQ

Q: What difference does ArchStrike have from other penetration distributions?
A: We are a layer on top of ArchLinux that you can install and remove easily. We try and follow the Arch Linux standards when making our packages.
Q: Do you have an ISO?
A: As of yet, we do not have an ISO, although our team is working on an ISO to be released as you are reading this. Updates on the ISO will be made on twitter and our website.




The Amnesic Incognito Live System - Tails 2.4




Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.

Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.


New features

  • We enabled the automatic account configuration of Icedove, which discovers the correct parameters to connect to your email provider based on your email address. We improved it to rely only on secure protocols and we are working on sharing these improvements with Mozilla so that users of Thunderbird outside Tails can benefit from them as well.

Upgrades and changes

  • Update Tor Browser to 6.0.1, based on Firefox 45.
  • Remove the preconfigured #tails IRC channel. Join us on XMPP instead!
  • Always display minimize and maximize buttons in titlebars. (#11270)
  • Remove GNOME Tweak Tool and hledger. You can add them back using the Additional software packages persistence feature.
  • Use secure HKPS OpenPGP key server in Enigmail.
  • Harden our firewall by rejecting RELATED packets and restricting Tor to only send NEW TCP syn packets. (#11391)
  • Harden our kernel by:
    • Setting various security-related kernel options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (#11143)
    • Removing the .map files of the kernel. (#10951)

Fixed problems

  • Update the DRM and Mesa graphical libraries. This should fix recent problems with starting Tails on some hardware. (#11303)
  • Some printers that stopped working in Tails 2.0 should work again. (#10965)
  • Enable Packetization Layer Path MTU Discovery for IPv4. This should make the connections to obfs4 Tor bridges more reliable. (#9268)
  • Fix the translations of Tails Upgrader. (#10221)
  • Fix displaying the details of a circuit in Onion Circuits when using Tor bridges. (#11195)
For more details, read our changelog.

Known issues

  • The automatic account configuration of Icedove freezes when connecting to some email providers. (#11486)
  • In some cases sending an email with Icedove results in the error: "The message could not be sent using Outgoing server (SMTP) mail.riseup.net for an unknown reason." When this happens, simply click "Ok" and try again and it should work. (#10933)
  • The update of the Mesa graphical library introduces new problems at least on AMD HD 7770 and nVidia GT 930M.


See the list of long-standing issues.





Sunday, June 26, 2016

Everything you Need to Safely Browse the Internet - Tor Browser 6.0




The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean better support for HTML5 video on YouTube, as well as a host of other improvements.

Beginning with the 6.0 series, code signing for OS X systems is introduced. This should help our users who had trouble getting Tor Browser to work on their Mac due to Gatekeeper interference. Bundle layout changes were necessary to adhere to code signing requirements, but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.


On the security side, this release makes sure that SHA1 certificate support is disabled, and our updater no longer relies on the signature alone but also checks the hash of the downloaded update file before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

The full changelog since Tor Browser 5.5.5 is:

Tor Browser 6.0 
  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)


Advanced Pentest System - Parrot OS 3.0 (Lithium)



Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting, privacy/anonymity and cryptography. Based on Debian and developed by Frozenbox network.

Who can use it

Parrot is designed for everyone, from the pro pentester to the newbie, because it provides the most professional tools combined in an easy-to-use, fast and lightweight pentesting environment, and it can also be used for everyday use.

Features:

System Specs
  • Debian jessie core
  • Custom hardened linux 4.5 kernel
  • Rolling release upgrade line
  • MATE desktop environment
  • Lightdm Display Manager
  • Custom themes, icons and wallpapers
System Requirements
  • CPU: at least 1Ghz dual core cpu
  • ARCH: 32bit, 64bit and ARMhf
  • RAM: 256Mb - 512Mb suggested
  • GPU: No graphic acceleration required
  • HDD Standard: 6Gb used - 8Gb suggested
  • HDD Full: 8Gb used - 16Gb suggested
  • BOOT: Legacy bios or UEFI (testing)
Cloud
  • Parrot Server Edition
  • Parrot Cloud Controller
  • Parrot VPS Service
  • Custom installation script for Debian VPS
Digital Forensic
  • "Forensic" boot option to avoid boot automounts
  • Most famous Digital Forensic tools and frameworks out of the box
  • Reliable acquisition and imaging tools
  • Top class analysis softwares
  • Evidence management and reporting tools
  • Disabled automount
  • Software blockdev write protection system
Cryptography
  • Custom Anti Forensic tools
  • Custom interfaces for GPG
  • Custom interfaces for cryptsetup
  • Support for LUKS, Truecrypt and VeraCrypt
  • NUKE patch for cryptsetup LUKS disks
  • Encrypted system installation
Anonymity
  • AnonSurf
  • Entire system anonymization
  • TOR and I2P out of the box
  • DNS requests anonymization
  • "Change Identity" function for AnonSurf
  • BleachBit system cleaner
  • NoScript plugin
  • UserAgentOverrider plugin
  • Browser profile manager
  • RAM-only browser profile
  • Pandora's Box - RAM cleaner
  • Hardened system behaviour
Programming
  • FALCON Programming Language (1.0)
  • System editor tuned for programming
  • Many compilers and debuggers available
  • Reverse Engineering Tools
  • Programming Template Files
  • Pre-installed most-used libs
  • Full Qt5 development framework
  • Full .net/mono development framework
  • Development frameworks for embedded devices


Identifies and Fingerprints Web Application Firewall (WAF) Products - WAFW00F




WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.


How does it work?

To do its magic, WAFW00F does the following:
  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks
For further details, check out the source code on the main site, github.com/sandrogauci/wafw00f.

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect, run WAFW00F with the -l option. At the time of writing the output is as follows:

      $ ./wafw00f -l

      ^ ^
      _ __ _ ____ _ __ _ _ ____
      ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
      <
      ...'

      WAFW00F - Web Application Firewall Detection Tool

      By Sandro Gauci && Wendel G. Henrique

      Can test for these WAFs:

      Anquanbao
      Juniper WebApp Secure
      IBM Web Application Security
      Cisco ACE XML Gateway
      F5 BIG-IP APM
      360WangZhanBao
      ModSecurity (OWASP CRS)
      PowerCDN
      Safedog
      F5 FirePass
      DenyALL WAF
      Trustwave ModSecurity
      CloudFlare
      Imperva SecureSphere
      Incapsula WAF
      Citrix NetScaler
      F5 BIG-IP LTM
      Art of Defence HyperGuard
      Aqtronix WebKnight
      Teros WAF
      eEye Digital Security SecureIIS
      BinarySec
      IBM DataPower
      Microsoft ISA Server
      NetContinuum
      NSFocus
      ChinaCache-CDN
      West263CDN
      InfoGuard Airlock
      Barracuda Application Firewall
      F5 BIG-IP ASM
      Profense
      Mission Control Application Shield
      Microsoft URLScan
      Applicure dotDefender
      USP Secure Entry Server
      F5 Trafficshield

How do I use it?

For help please make use of the --help option. The basic usage is to pass it a URL as an argument.

Example:

      $ ./wafw00f https://www.ibm.com/

      ^ ^
      _ __ _ ____ _ __ _ _ ____
      ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
      <
      ...'

      WAFW00F - Web Application Firewall Detection Tool

      By Sandro Gauci && Wendel G. Henrique

      Checking https://www.ibm.com/
      The site https://www.ibm.com/ is behind a Citrix NetScaler
      Number of requests: 6

How do I install it?

The following should do the trick:

    python setup.py install

or

    pip install wafw00f

