 
Wubi
Everything posted by Wubi
- 
	Wifite v2 is now available

What's new in this version:
  - support for cracking WPS-encrypted networks (via reaver)
  - 2 new WEP attacks
  - more accurate WPA handshake capture
  - various bug fixes
Version 2 does not include a GUI, so everything must be done at the command-line.

Mention in the New York Times
Wifite was mentioned in the New York Times' article "New Hacking Tools Pose Bigger Threats to Wi-Fi Users" from February 16, 2011. Here is a link to the article.

Introduction
Designed and tested on Linux; works with Backtrack 5, BlackBuntu, BackBox, and Pentoo! Linux only; no Windows or OSX support (but you're welcome to try).

Purpose
To attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.

Features
  - sorts targets by signal strength (in dB); cracks closest access points first
  - automatically de-authenticates clients of hidden networks to reveal SSIDs
  - numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  - customizable settings (timeouts, packets/sec, etc)
  - "anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  - all captured WPA handshakes are backed up to wifite.py's current directory
  - smart WPA de-authentication; cycles between all clients and broadcast deauths
  - stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  - displays session summary at exit; shows any cracked keys
  - all passwords saved to cracked.txt
  - built-in updater: ./wifite.py -upgrade

Requirements
  - linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
  - tested working with python 2.6.x and python 2.7.x
  - wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched
  - aircrack-ng (v1.1) suite: available via apt (apt-get install aircrack-ng) or at the aircrack-ng website

Suggested applications
  - reaver, for attacking WPS-encrypted networks
  - pyrit, cowpatty, tshark: not required, but help verify WPA handshake captures
For help installing any of these programs, see the installation guide (hosted on github).

Execution
download the latest version: wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py
change permissions to executable: chmod +x wifite.py
execute: python wifite.py
or, to see a list of commands with info: ./wifite.py -help

Screenshots
successful WEP attack (after 90 seconds):
successful WPS attacks (after 17 hours):

Video tutorial (tutorial is for v1 of wifite. new videos coming soon)
capturing WPA handshake using Wifite (and then cracking with oclHashCat). video credit: Maurizio Schmidt

Examples
the program contains lots of interactivity (waits for user input). these command-line options are meant to make the program 100% automated -- no supervision required.
to crack all WEP access points: ./wifite.py -all -wep
to crack all WPS access points with signal strength greater than (or equal to) 50dB: ./wifite.py -p 50 -wps
to attack all access points, using 'darkc0de.lst' for cracking WPA handshakes: ./wifite.py -all --dict /pentest/passwords/wordlists/darkc0de.lst
to attack all WPA access points, but not try to crack -- any captured handshakes are saved automatically: ./wifite.py -all -wpa --dict none
to crack all WEP access points greater than 50dB in strength, giving 5 minutes for each WEP attack method, and sending packets at 600 packets/sec: ./wifite.py --pow 50 -wept 300 -pps 600
to attempt to crack the WEP-encrypted access point "2WIRE752" endlessly -- the program will not stop until the key is cracked or the user interrupts with Ctrl+C: ./wifite.py -e "2WIRE752" -wept 0

Donations
If you wish to donate to this project, I ask that you donate instead to the aircrack-ng team or you could buy something from Tactical Network Solutions. These are the teams which produced the awesome open-source software that wifite depends on. Wifite would not exist if not for these amazing tools.

Source: Google Code
- 
	In one of our recent posts, you must have read about the Social-Engineer Toolkit being updated. This post is about a newer social engineering tool, phemail.py. As of now, this tool is not as advanced as SET is, but it was built to overcome the problem of SET payloads being flagged by antiviruses. Phemail.py is short for Python Phishing EMAIL. It is an open source social engineering tool that helps you perform security reconnaissance.

So, with SET you send a phishing email containing a malicious URL. This URL will then redirect the user to a webserver managed by Metasploit, launching several exploits in order to exploit the victim's web browser, ultimately gaining a Meterpreter shell. The problem of this approach is that most of the time Meterpreter will be detected by antivirus software running on the victim's machine, so exploitation is not going to be successfully completed. Moreover, so far SET doesn't have any option to prove who clicked on the phishing email without using Meterpreter.

The main purpose of phemail.py is to detect who clicked on the phishing email without attempting to exploit the web browser, but collecting as much information as possible. For this reason it will be 100% undetectable by any antivirus and it will obtain sufficient data to have an initial proof of concept for the client, which you can later build upon to launch further attacks.

Steps to use Phemail.py:
Find corporate email addresses: Phemail has an option for harvesting corporate email addresses and saving them to a file. Phemail.py leverages Google to search for LinkedIn-specific corporate e-mail targets.
Create a phishing email template: You get to create your own custom phishing templates. Do not forget to add the string "{0}" in each URL, as the script will replace this string with the correct URL automatically.
Host/upload a single PHP file: This file contains JavaScript code which attempts to collect web browser information and save it in a log file in the /tmp directory.
Run the php file as shown in the following example:
# phemail.py -e test-emails.txt -f "Tax report " -r "Tax Report " -s "Important information about your tax" -b body.txt -w http://YOUR-WEBSITE.com

All you then need to do is wait and hope for the victim to click on the phishing email, allowing you to gain some web browser information from the victim as below.

When it comes to Python dependencies, the open source phemail.py requires pyDNS and BeautifulSoup in addition to smtplib, base64, os, sys, getopt, urllib2 and re.

Download Phemail.py: Phemail.py version 0.6 – phemail.zip
Source: PenTestIT — Your source for Information Security Related information!
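The post leaves two mechanics implicit: how the "{0}" placeholder turns into a link that identifies the recipient, and how hits on the hosted page are mapped back to "who clicked". The block below is an added example written for this page, not phemail.py's own code; the HMAC token scheme, the query parameter name (id), the combined-log-format line shape and the addresses in the sample are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Assumption for this example: a per-engagement secret that never goes to the web server.
SECRET = b"constructed-example-secret"

# Constructed template; the post says to leave "{0}" where the link goes.
TEMPLATE = "Dear colleague,\nplease verify your order #4471 at {0}\nWe hope to see you again soon!"

# Constructed target list (documentation addresses, not real people).
RECIPIENTS = ["alice@example.com", "bob@example.com"]


def tracking_token(email):
    """Per-recipient token derived with an HMAC, so someone reading one mail
    cannot guess a colleague's token by editing digits in the URL."""
    mac = hmac.new(SECRET, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_emails(template, recipients, base_url):
    """Substitute "{0}" with a unique URL per recipient.

    Returns (bodies, lookup): bodies maps address -> mail body, lookup maps
    token -> address for later attribution."""
    bodies, lookup = {}, {}
    for addr in recipients:
        tok = tracking_token(addr)
        lookup[tok] = addr
        bodies[addr] = template.replace("{0}", f"{base_url}/index.php?id={tok}")
    return bodies, lookup


# Assumed combined-log-format line, as Apache/nginx would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def attribute_clicks(log_lines, lookup):
    """Turn web-server hits back into 'who clicked': one record per hit whose
    ?id= token is known; unknown or tampered tokens are dropped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tok = parse_qs(urlparse(m.group("path")).query).get("id", [None])[0]
        if tok in lookup:
            hits.append({"email": lookup[tok], "ip": m.group("ip"),
                         "time": m.group("ts"), "user_agent": m.group("ua")})
    return hits


def demo():
    """Constructed end-to-end run: build the mails, then attribute two log lines."""
    bodies, lookup = build_emails(TEMPLATE, RECIPIENTS, "http://phish.example")
    alice_tok = tracking_token("alice@example.com")
    log = [
        f'198.51.100.7 - - [17/Aug/2012:09:14:02 +0000] "GET /index.php?id={alice_tok} HTTP/1.1" '
        '200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/14.0"',
        # A guessed token: must not be attributed to anyone.
        '203.0.113.9 - - [17/Aug/2012:09:20:31 +0000] "GET /index.php?id=0000000000000000 HTTP/1.1" '
        '200 512 "-" "curl/7.26.0"',
    ]
    return bodies, attribute_clicks(log, lookup)


if __name__ == "__main__":
    bodies, hits = demo()
    for h in hits:
        print(f"{h['email']} clicked from {h['ip']} at {h['time']} using {h['user_agent']}")
```

The token is keyed, not sequential, because a sequential id lets a curious recipient (or an analyst at the target) enumerate the whole campaign by changing one digit; the browser data the PHP page collects can be attached to the same token.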
- 
	http://redmine.backtrack-linux.org:8080
- 
	apt-get update && apt-get upgrade
- 
	The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released at BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.

Building, testing and releasing a new BackTrack revision is never an easy task. Keeping up-to-date with all the latest tools, while balancing their requirements of dependencies, is akin to a magic show juggling act. Thankfully, active members of our redmine community such as backtracklover and JudasIscariot make our task that much easier by actively reporting bugs and suggesting new tools on a regular basis. Hats off to the both of you. We would like to thank Offensive Security for providing the BackTrack dev team with the funding and resources to make all of this happen. Also, a very special thanks to dookie, our lead developer – for building, testing and packaging most of the new tools in this release.

Together with our usual KDE and GNOME, 32/64 bit ISOs, we have released a single VMware Image (Gnome, 32 bit). For those requiring other VM flavors of BackTrack – building your own VMWare image is easy – instructions can be found in the BackTrack Wiki. Lastly, if you’re looking for intensive, real world, hands on Penetration Testing Training – make sure to drop by Offensive Security Training, and learn the meaning of “TRY HARDER”.

For the insanely impatient, you can download the BackTrack 5 R3 release via torrent right now. Direct ISO downloads will be available once all our HTTP mirrors have synched, which should take a couple more hours. Once this happens, we will update our BackTrack Download page with all links.
BT5R3-GNOME-64.torrent (md5: 8cd98b693ce542b671edecaed48ab06d)
BT5R3-GNOME-32.torrent (md5: aafff8ff5b71fdb6fccdded49a6541a0)
BT5R3-KDE-64.torrent (md5: 981b897b7fdf34fb1431ba84fe93249f)
BT5R3-KDE-32.torrent (md5: d324687fb891e695089745d461268576)
BT5R3-GNOME-32-VM.torrent (md5: bca6d3862c661b615a374d7ef61252c5)
- 
	I did not find the vulnerability. I simply rewrote a DEP/ASLR bypass PoC for it (for my own exercise). Original poc: The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass This poc: The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit (Win7 + ASLR bypass mod)
- 
	Many times in penetration testing engagements you will discover authentication forms that you will need to bypass in order to gain access to an application or to a remote system. Having big and good wordlists always helps, but as a penetration tester you must be able to create your own custom wordlists depending on the situation. There are a variety of tools that can assist you with this, but here we will focus on Crunch.

Create a Sample Wordlist
The first thing that you need to do is to open a terminal and write cd /pentest/passwords/crunch
Next we execute the following command:
./crunch 5 5 admin -o wubi.txt
This will instruct crunch to create a wordlist with a minimum length of 5 characters and a maximum length of 5 characters, using the characters of admin, and it will save it in a .txt file called wubi, as you can see in the image below.
Of course instead of just letters we can create a wordlist that will include only numbers with the command:
./crunch 5 5 12345 -o numbers.txt
The same method applies if we want to create a wordlist mixed with letters and numbers:
./crunch 5 5 wubi123 -o numbersletters.txt

Special Characters
For special characters like !$% you will need to execute something like the following:
./crunch 5 5 wubi\%\@\!
This is because some special characters need escaping, and the \ is used before the character.

String Permutations
Here there are two options. The first option is when we want to generate something based on the characters of a word. For example ./crunch 1 1 -p abc will produce the following list:
The second option is when we want to create a list based on different words. For example the words blue and red can be bluered or redblue. We can achieve this with the command ./crunch 1 1 -p rst cen ter

Splitting Wordlists
If we use the -b option we will instruct crunch to create a wordlist which will be divided into multiple files. Another option that we can combine with that command is to choose the size of our wordlist. For example:
./crunch 6 6 0123456789 -b 1mb -o START
This will generate wordlists which will be 1Mb each, with 6 characters per word, and it will include the characters 0123456789.

Specify the number of words
Crunch allows us to specify the number of words in each wordlist. This will create wordlists that will contain 20 words maximum, taking the specific charset lalpha, which is [abcdefghijklmnopqrstuvwxyz].
./crunch 3 3 -f charset.lst lalpha -o START -c 20
Alternatively you can use any other charset from the list that comes with crunch if you don't want to use a custom charset.

Prefix Wordlists
Now let's say that we want to create a wordlist that will contain the word wubi followed by 3 random characters. The command for that will be:
./crunch 7 7 -f charset.lst lalpha -t wubi@@@
which will produce the following output:
Alternatively if we want the word admin to be in the middle we can modify the command like this:
./crunch 9 9 -f charset.lst -t @@admin@@

Compression
You can compress your wordlist with the -z option using either bzip, gzip or lzma. Example:
./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip

Conclusion
Creating wordlists can facilitate your needs when performing a penetration test. Crunch of course offers a variety of options and combinations that a user can play with. Trying to brute force an application or a system with a wordlist can of course lock you out depending on the account lockout policy, but it always helps if you have your own custom wordlists that may help you to obtain access.

Source: Creating Wordlists With Crunch - Penetration Testing Lab
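To make the combinatorics behind the commands above concrete, here is an added example that reimplements the generation strategies the post uses (MIN MAX CHARSET, -t patterns, -p permutations, -b splitting, -c caps) in plain Python. This is illustration code written for this page, not crunch's own source; all function names are assumptions, and the only crunch detail it relies on is that lalpha means the 26 lowercase letters.

```python
import itertools
import string

LALPHA = string.ascii_lowercase  # the "lalpha" entry of crunch's charset.lst


def charset_words(min_len, max_len, charset):
    """crunch MIN MAX CHARSET: every string of length min_len..max_len over charset."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def count_words(min_len, max_len, charset_size):
    """Keyspace size before generating anything: decide whether the list is feasible."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def pattern_words(pattern, charset):
    """crunch -t: '@' slots are filled from charset, literal characters stay put
    (so 'wubi@@@' is a prefix list and '@@admin@@' puts admin in the middle)."""
    slots = [i for i, c in enumerate(pattern) if c == "@"]
    chars = list(pattern)
    for combo in itertools.product(charset, repeat=len(slots)):
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


def permutation_words(items):
    """crunch -p: every ordering of the given characters or words, each used once."""
    for perm in itertools.permutations(items):
        yield "".join(perm)


def split_by_size(words, max_bytes):
    """crunch -b: cut the stream into chunks whose newline-terminated size stays within max_bytes."""
    chunk, size = [], 0
    for w in words:
        line_len = len(w) + 1
        if chunk and size + line_len > max_bytes:
            yield chunk
            chunk, size = [], 0
        chunk.append(w)
        size += line_len
    if chunk:
        yield chunk


def write_wordlist(path, words, limit=None):
    """-o with an optional -c style cap on the number of words written; returns the count."""
    n = 0
    with open(path, "w") as fh:
        for w in itertools.islice(words, limit):
            fh.write(w + "\n")
            n += 1
    return n


if __name__ == "__main__":
    print(count_words(5, 5, len("admin")), "words for './crunch 5 5 admin'")
    print(count_words(6, 6, 10), "words for './crunch 6 6 0123456789'")
    print(list(itertools.islice(pattern_words("wubi@@@", LALPHA), 5)))
    print(list(permutation_words(["red", "blue"])))
```

Everything is a generator, so a keyspace that would never fit on disk (count_words tells you before you start) can still be streamed straight into a cracker instead of written out; for the 6-digit example in the post the list is exactly one million 7-byte lines, which is why crunch splits it at 1mb boundaries.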
- 
	DNSenum is a tool that was designed with the purpose of enumerating DNS information about a domain. The information that you can obtain from this tool is especially useful for the information gathering phase when you are conducting a penetration test.

So let's say that you want to obtain information about a specific domain. In this article we will use different domains as examples in order to see the different responses that we can get. First you will need to go to the directory where DNSenum is located. In Backtrack 5 this is /pentest/enumeration/dns/dnsenum, and in order to run it you can use the command:
perl dnsenum.pl [host]

DNSenum will start querying the DNS servers of scanme.org. The first information that we will get is the host address, which for scanme.org is 74.207.244.221. Next we will see the name servers, which will give us an idea of the hosting provider that scanme.org is using, and after that is the MX record, where we can see the mail server of our target host.

After that DNSenum will start the DNS Zone Transfer. By performing a Zone Transfer you can discover more information about a domain, like any sub-domains that are included in the same zone, SOA records etc. In the screenshot below you can see the results after performing a zone transfer for the domain sport-fm.gr.

By reviewing the results we can see that the SOA record is www.sport-fm.gr. This means that this DNS name server is the best source of information for the data within this domain. Also we have a list with all the sub-domains, and the interesting thing is that we have located the administration panel, which is on the sub-domain admin.sport-fm.gr.

Another option that DNSenum offers is Google Scraping, which queries Google search pages to discover various domain names of the target domain. This can be particularly helpful when the zone transfer is disabled. Basically what it does is try to get results from Google by using the following command:
allinurl: -www site:target.com

Conclusion
DNSenum is a great tool to be used in the information gathering stage of a penetration test. As we saw in this article we obtained a lot of information about our targets, and we even discovered an administration panel at the early stage of our penetration test, which can help us to perform further attacks on the target.

Source: Penetration Testing Lab
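The post reads the zone transfer by eye; the added example below does the same triage programmatically: SOA primary, MX hosts, every host name, names hinting at sensitive roles (the admin.* case from the article), and RFC 1918 addresses leaking from an internal zone. This is illustration code written for this page, not DNSenum's own source. The zone text, the INTERESTING name fragments and the function names are constructed assumptions; the zone uses documentation names and addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed zone-transfer output in the usual "name ttl class type rdata" layout.
ZONE = """\
example.com.        3600 IN SOA  ns1.example.com. hostmaster.example.com. 2012081701 7200 900 1209600 3600
example.com.        3600 IN NS   ns1.example.com.
example.com.        3600 IN MX   10 mail.example.com.
ns1.example.com.    3600 IN A    198.51.100.2
mail.example.com.   3600 IN A    198.51.100.3
www.example.com.    3600 IN A    198.51.100.10
admin.example.com.  3600 IN A    198.51.100.11
vpn.example.com.    3600 IN A    203.0.113.5
dev-db.example.com. 3600 IN A    10.1.2.3
"""

# Name fragments worth a second look during recon (an assumed, not exhaustive, list).
INTERESTING = ("admin", "vpn", "dev", "test", "staging", "db", "intranet", "backup")

# Private ranges checked explicitly (RFC 1918), rather than ipaddress.is_private,
# which also counts documentation ranges such as 198.51.100.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Parse 'name ttl class type rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        records.append((name.rstrip("."), rtype.upper(), " ".join(rdata)))
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(records):
    """What the post reads off a transfer: SOA primary, MX hosts, all host names,
    names hinting at sensitive roles, and internal addresses exposed in public DNS."""
    by_type = defaultdict(list)
    for name, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
    soa = by_type["SOA"][0][1].split()[0].rstrip(".") if by_type["SOA"] else None
    mx = [r.split()[1].rstrip(".") for _, r in by_type["MX"]]
    hosts = sorted({n for n, t, _ in records if t in ("A", "AAAA", "CNAME")})
    flagged = [h for h in hosts if any(k in h.split(".")[0] for k in INTERESTING)]
    internal = [(n, r) for n, t, r in records if t == "A" and is_rfc1918(r)]
    return {"soa_primary": soa, "mx": mx, "hosts": hosts,
            "interesting": flagged, "internal_ips": internal}


if __name__ == "__main__":
    for key, value in summarize(parse_zone(ZONE)).items():
        print(f"{key}: {value}")
```

The same parser works on the output of dig AXFR or on a saved dnsenum run once the lines are in the name/ttl/class/type/rdata form shown; hosts in the interesting list are where the post's "administration panel" finding comes from.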
- 
	One of the services that you can discover in Unix environments is rlogin. This service runs on port 513 and it allows users to log in to the host remotely. This service was mostly used in the old days for remote administration, but now because of security issues it has been replaced by slogin and ssh. However if you find a system that is not properly configured and is using this service then you should try to exploit it.

Let's say that you discover the following system, on which rlogin is running on port 513.

Now the next step is to check whether the rsh-client is installed on our system. If not then we have to type the command apt-get install rsh-client. The rsh-client is a remote login utility that will allow users to connect to remote machines.

The last step is to use the command rlogin -l root IP. This command will try to log in to the remote host by using the login name root. As we can see from the next image we have successfully logged in remotely as the root user without being asked for any authentication. Of course if we know that there are other usernames on the remote host we can try them as well.

Conclusion
The reason that we were able to connect remotely without any authentication is that rlogin as a service is insecure by design and it can potentially allow anyone to log in without providing a password. However it is very difficult nowadays to find a system with that service running, but it is worth a try if you discover it.

Source: Penetration Testing Lab
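Why does rlogin -l root IP get a shell with no password? The post says "insecure by design"; the added example below shows the two pieces of that design: the connection request (RFC 1282), in which the client itself supplies both the client-side and server-side user names, and the hosts.equiv / ~/.rhosts lookup that decides whether to skip the password prompt, where a "+" wildcard trusts any host or any user. This is illustration code written for this page, not rlogind's source; the trust check is a simplified model (netgroups, "-" negative entries, the root exception for hosts.equiv and file permission checks are left out), and the remote host name a real server uses comes from reverse DNS of the peer address, which it does not verify either. Function names are assumptions.

```python
def build_rlogin_request(client_user, server_user, term="xterm/9600"):
    """What an rlogin client sends right after connect (RFC 1282): four
    NUL-terminated strings: an empty one, the client-side user name, the
    requested server-side user name, and terminal type/speed. The client
    chooses both names; nothing here proves who the client is."""
    for field in (client_user, server_user, term):
        if "\0" in field:
            raise ValueError("rlogin fields cannot contain NUL")
    return b"\0".join([b"", client_user.encode(), server_user.encode(), term.encode(), b""])


def parse_rlogin_request(data):
    """Server side of the same exchange: recover (client_user, server_user, term)."""
    fields = data.split(b"\0")
    if len(fields) != 5 or fields[0] != b"" or fields[4] != b"":
        raise ValueError("malformed rlogin connection request")
    return tuple(f.decode() for f in fields[1:4])


def parse_rhosts(text):
    """Lines of hosts.equiv / ~/.rhosts: 'host' or 'host user'; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def trusted_without_password(entries, remote_host, remote_user, local_user):
    """Simplified rhosts check. '+' is a wildcard; a line with no user column
    trusts only the same-named account coming from that host."""
    for host, user in entries:
        if host != "+" and host.lower() != remote_host.lower():
            continue
        if user is None:
            if remote_user == local_user:
                return True
        elif user == "+" or user == remote_user:
            return True
    return False


def audit(text):
    """The wildcard entries that turn rlogin into a no-password door."""
    return [" ".join(x for x in (host, user) if x)
            for host, user in parse_rhosts(text) if host == "+" or user == "+"]


def server_decision(request, remote_host, rhosts_text):
    """Both sides together: parse the client's claim, then consult the trust file."""
    client_user, server_user, _term = parse_rlogin_request(request)
    if trusted_without_password(parse_rhosts(rhosts_text), remote_host, client_user, server_user):
        return "no password required"
    return "password prompt"


if __name__ == "__main__":
    req = build_rlogin_request("alice", "root")
    print(req)
    print(server_decision(req, "attacker.example", "+ +\n"))            # the post's scenario
    print(server_decision(req, "attacker.example", "admin.example.com\n"))
    print(audit("+ +\nadmin.example.com\nbackup.example.com operator\n"))
```

The -l root in the post's command is simply the server_user field above; the system let it through because its trust file, not any credential, made the decision. On a box you administer, audit() over /etc/hosts.equiv and every ~/.rhosts finds the entries to remove, and the service itself should be disabled in favour of ssh.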
- 
	One of the first post exploitation activities when we have compromised a target is to obtain the password hashes in order to crack them offline. If we manage to crack the hashes then we might be able to escalate our privileges and gain administrative access, especially if we have cracked the administrator's hash. In this tutorial we will see how to obtain and crack password hashes from a Unix box.

Let's say that we have exploited a vulnerability and we have gained a remote shell on our target. The next step is to see the directories and files that exist on the remote system with the command ls.

The next step is to read the /etc/passwd file, which contains all the accounts of the remote system. The next image is showing the list of the local accounts of the machine that we have compromised. Let's analyse the information that we can obtain from the first account, which is root. The first field indicates the username; the field x means that the password is encrypted and stored in the /etc/shadow file; the number 0 is the userID, which for root accounts is always zero, and the next 0 is the groupID. Next we can see root, where we can find any extra information about the user (in this case there is no other extra information), and the last two fields, /root and /bin/bash, are the user's home directory and the command shell.

Now that we have the list with the accounts of the remote system we can save that list in a file for later use, which will be called passwords.txt. The next step is to obtain the password hashes. As we know, in Unix systems the password hashes are stored in /etc/shadow, so we will run the command cat /etc/shadow in order to see them.

So we will save the hashes as well in a file called shadow.txt and we will use the famous password cracker John the Ripper in order to crack those hashes. In Backtrack John the Ripper is located in the following path: /pentest/passwords/john.

From the above image we can see all the files that the john directory contains. In that list there is a utility called unshadow. We will run this utility in order to be able to read the shadow file before we try to crack it. So we will need to execute the command:
./unshadow /root/Desktop/Cracking/passwords.txt /root/Desktop/Cracking/shadow.txt > /root/Desktop/Cracking/cracked.txt
This command will combine the two files that we have created before into a single file called cracked.txt. Now we are ready to crack those hashes with the command ./john /root/Desktop/Cracking/cracked.txt. As we can see John the Ripper cracked those password hashes easily, so now we have all the usernames and passwords from our target.

If we want to see the passwords that we cracked we can run the show command from john. For example: ./john --show /root/Desktop/Cracking/cracked.txt

Now that we have all the passwords we can use them in order to connect remotely to our target. For example if our target is running an SSH server then we can use that service. In this specific example we will connect under the username sys. The password for the sys account is batman, as we discovered previously.

Conclusion
In this article we saw how to obtain and crack the password hashes of a remote system. In penetration testing engagements, if we manage to crack a password hash from the target then we have a valid account which will allow us to have permanent access to the box. So obtaining and cracking the hashes should be one of the first post exploitation activities for penetration testers.

Source: Penetration Testing Lab
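What unshadow actually does is mechanical: it re-joins the two files on the user name so the cracker sees the hash next to the uid, gecos and shell. The added example below performs that join and then triages the result the way a tester would before starting john: which entries carry a real hash, which algorithm each one uses (from the crypt(3) prefix), and which to crack first. This is illustration code written for this page, not John the Ripper's unshadow; the passwd/shadow data is constructed, and the hash fields are placeholders in the right format rather than real hashes.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (documentation-style data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

# Hash fields are constructed placeholders with the right prefixes, not real hashes.
SHADOW = """\
root:$6$Zq1xR9kL$constructedSHA512cryptPlaceholderForThisExample:15577:0:99999:7:::
daemon:*:15577:0:99999:7:::
sys:$1$Ab3dE$constructedMD5cryptPlaceholder:15577:0:99999:7:::
www-data:!:15577:0:99999:7:::
"""

# crypt(3) prefix -> algorithm name; anything else 13 chars long is traditional DES.
PREFIXES = (("$1$", "md5crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
            ("$5$", "sha256crypt"), ("$6$", "sha512crypt"), ("$7$", "scrypt"), ("$y$", "yescrypt"))


def parse_passwd(text):
    """The seven passwd fields the post walks through for the root line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """user -> hash field (the second column of /etc/shadow)."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, h, *_ = line.split(":")
        hashes[name] = h
    return hashes


def unshadow(passwd_text, shadow_text):
    """Same effect as JtR's unshadow: passwd layout with the 'x' replaced by the
    shadow hash, so user, hash, uid, gid, gecos and shell travel together."""
    hashes = parse_shadow(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def hash_type(h):
    """Classify a shadow hash field: locked, empty, or which crypt(3) scheme."""
    if h == "":
        return "empty password"
    if h.startswith(("*", "!")):
        return "locked"
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    return "descrypt" if len(h) == 13 else "unknown"


def crack_targets(passwd_text, shadow_text):
    """Accounts worth feeding to john: real hashes only, uid 0 first, then by uid."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    targets = []
    for name, info in users.items():
        kind = hash_type(hashes.get(name, "*"))
        if kind not in ("locked", "unknown"):
            targets.append((name, kind, info["uid"]))
    targets.sort(key=lambda t: (t[2] != 0, t[2]))
    return [(name, kind) for name, kind, _uid in targets]


if __name__ == "__main__":
    print(unshadow(PASSWD, SHADOW))
    print(crack_targets(PASSWD, SHADOW))
```

The prefix matters for planning: md5crypt hashes such as the sys entry fall in minutes on a wordlist, while sha512crypt or yescrypt cost thousands of times more per guess, which is why the triage puts the algorithm next to the uid before any cracking starts.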
- 
	One of the first tasks when conducting a web application penetration test is to try to identify the version of the web server and the web application. The reason for that is that it allows us to discover all the well-known vulnerabilities that are affecting the web server and the application. This process is called web application fingerprinting, and in this article we will see how to perform it. Web application fingerprinting can be done with the use of a variety of tools or manually.

Manual Fingerprinting
This can be done with the use of different utilities such as telnet or netcat. For example we can try to connect with netcat to the remote web server that is running on port 80. We will send an HTTP request by using the HEAD method and we will wait for the response of the web server.

As we can see from the HTTP response header, the type of the web server is Apache. Also we have managed to identify the technology from the X-Powered-By field, along with the version that supports the application, which is PHP/5.3.5, and also the web application that is running on the web server, which is a ZendServer. Alternatively, if we don't want to use the netcat utility we can use telnet in order to obtain the header information from the web server. The image below is showing the usage of telnet in obtaining the HTTP Response Header from the same web server.

Another way, while we are performing our port scan with Nmap on the remote host, is to use the option -sV, which will obtain as well the type and the version of the web server that is running. For example, in the image below we can see from the output that Nmap discovered that the web server is IIS version 6.0.

Another method is to send a malformed request to the web server that will cause the web server to produce an error page, which will contain in the response header the version of the web server.

In some cases the version of the application can be discovered through source code inspection, so it is always a good practice to look there as well. You can see in the following example that we have discovered that the application is WordPress version 3.3.2 by looking at the meta tag.

Automated Fingerprinting
Web application fingerprinting can be done as well with the use of automated tools that have been designed for that purpose. One of the most famous tools is of course httprint. This tool comes with Backtrack but there is a version as well for Windows. In the example below we will use a .txt file that contains signatures of different versions of web servers. So httprint will try to match the signature of the target web server with the list of known signatures that the signature file contains, in order to produce an accurate result.

Another tool that performs pretty much the same job as httprint is httprecon. This tool is for Windows platforms and it basically sends different kinds of requests to the target web server in order to identify its version. The image below is showing that we have a 100% match that the host that we have scanned is running Apache version 2.2.3.

Also if we are performing an external web application penetration test then we might also want to use an online tool which is called netcraft. This tool can also retrieve the headers of the web server and it can provide us with much more information, including the operating system, the nameserver, the netblock owner and much more.

Conclusion
As we saw, web application fingerprinting is an important task for web application penetration tests. It will help us to identify the well-known vulnerabilities that are affecting the web server and the vulnerabilities that are affecting the application that is installed. So we will know what kind of exploits we will need to use in order to start the exploitation. However many web administrators are choosing nowadays to modify the headers in order to fool any malicious attackers. So as penetration testers we cannot rely fully on the results that we will get, and we will need to use different methods and tools and to execute different commands in order to be sure about the exact version.

Source: Penetration Testing Lab
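The manual method in the post is a raw request over netcat and a human reading the response. The added example below does the same two steps in code: it builds the request you would paste into nc or telnet, then parses a raw response for the clues the article names (Server, X-Powered-By, the generator meta tag) plus session cookie names, which identify the platform even when the headers have been stripped as the conclusion warns. This is illustration code written for this page, not httprint or any other tool's source; the sample response is constructed, and the function names are assumptions.

```python
import re

# Constructed raw response, as netcat would print it for a GET / (not captured from a real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 17 Aug 2012 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: PHP/5.3.5 ZendServer/5.0\r\n"
    b"Set-Cookie: PHPSESSID=constructedexample; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><meta name=\"generator\" content=\"WordPress 3.3.2\" />"
    b"</head><body>hello</body></html>"
)


def build_request(host, path="/", method="HEAD"):
    """The request to paste into netcat/telnet. HEAD returns headers only, so use
    GET when the body is wanted too (the meta tag lives in the body)."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_response(raw):
    """Split a raw response into (status line, headers, body); header names are
    lower-cased and repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


META_RE = re.compile(rb"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(rb"""(\w+)\s*=\s*["']([^"']*)["']""")


def generator_tag(body):
    """The source-inspection step: content of <meta name="generator" ...>, in any attribute order."""
    for tag in META_RE.findall(body):
        attrs = {k.decode().lower(): v.decode("utf-8", "replace") for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator":
            return attrs.get("content")
    return None


def fingerprint(raw):
    """Everything the article reads off a response, in one dict; None where a clue is absent."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "server": ", ".join(headers.get("server", [])) or None,
        "powered_by": ", ".join(headers.get("x-powered-by", [])) or None,
        "generator": generator_tag(body),
        "cookies": [c.split("=", 1)[0] for c in headers.get("set-cookie", [])],
    }


if __name__ == "__main__":
    print(build_request("www.example.com", method="GET").decode(), end="")
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

When an administrator has removed Server and X-Powered-By, the cookies list still says PHPSESSID, ASP.NET_SessionId or JSESSIONID, and the generator tag still names the CMS version; that is the reason the article's conclusion says to combine several methods rather than trust one header.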
- 
	Our first post regarding NOWASP (Codename Mutillidae) can be found here. A few hours ago an update, NOWASP (Codename Mutillidae) version 2.3.1, was released.

Official NOWASP (Mutillidae) change log:
  - Updated vulnerabilities listing
  - Added an entirely new attack on a new page: view-user-privilege-level.php
  - Added view-user-privilege-level.php to main menu under broken session management

NOWASP 2.3.1 (Codename: Mutillidae) was released in quick succession to NOWASP 2.3.0. Its change log is as follows:
  - Updated project to work with newest XAMPP and LAMP stacks. Last update to stack compatibility was in 2010 for Apache 2.2.x
  - Mutillidae now works on XAMPP 1.8: Apache 2.4.2, MySQL 5.5.25a, PHP 5.4.4
  - Corrected error on document viewer
  - Added new page repeater.php with new vulnerability buffer overflow
  - Added new bubble hint for buffer overflow
  - Added new bubble hint HTMLandXSSInjectionPoint
  - Added new vulnerability class for parameter addition
  - Added new hints about parameters addition and buffer overflows
  - Split the A1 menu into SQL injection and non-SQL injection because the section was too large to fit on screen.
  - Updated vulnerabilities listing

Download NOWASP (Mutillidae)
Mutillidae 2.3.1 – LATEST-mutillidae-2.3.1.zip

Source: PenTestIT — Your source for Information Security Related information!
- 
	In this episode of TekTip we go over basic static malware analysis. In this episode you will learn about hashes, packers, strings, and PE Headers. TekDefense.com
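The four things the episode covers (hashes, packers, strings, PE headers) are exactly what a first static pass computes. The added example below is a small static triage written for this page, not code from TekDefense: it hashes the file, walks MZ -> PE signature -> COFF header -> section table with struct, extracts printable strings, and applies the usual packer heuristics (UPX-style section names, a section with no bytes on disk but a large virtual size, near-8.0 entropy, writable-and-executable sections). The sample it analyses is constructed in build_sample_pe(): plausible headers and a section table, not a loadable executable, and every threshold and section-name list is an assumption.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Section flag bits from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_pe():
    """Constructed stand-in for a packed sample: plausible MZ/PE/COFF headers and a
    section table the parser below can walk, but not a loadable executable."""
    sections = [
        (b".text", b"Hello from the example\0" + b"\x90" * 64, False),  # plain code, one string
        (b"UPX0", b"", True),                                             # unpack area: 0 bytes on disk
        (b"UPX1", bytes(range(256)) * 8, True),                           # every byte value: entropy 8.0
    ]
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header = struct.pack("<H", 0x10B)  # only the PE32 magic; enough for this parser
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt_header), 0x0102)
    raw_off = e_lfanew + 4 + len(coff) + len(opt_header) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data, writable in sections:
        chars = IMAGE_SCN_MEM_EXECUTE | (IMAGE_SCN_MEM_WRITE if writable else 0)
        vsize = 0x10000 if name == b"UPX0" else len(data)
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0, len(data),
                             raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return dos_header + b"PE\0\0" + coff + opt_header + table + blobs


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, _va, rawsize, rawptr,
         _rel, _ln, _nrel, _nln, chars) = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "writable_executable": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return machine, sections


def ascii_strings(data, min_len=4):
    """The 'strings' step: runs of printable ASCII of at least min_len bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def packer_indicators(sections):
    """Heuristics, not proof: names, entropy, empty-on-disk sections, W+X sections."""
    hints = []
    for s in sections:
        if s["name"].upper().startswith(("UPX", ".ASPACK", ".PETITE", ".MPRESS")):
            hints.append(f"{s['name']}: packer section name")
        if s["entropy"] >= 7.0:
            hints.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} in memory")
        if s["writable_executable"]:
            hints.append(f"{s['name']}: writable and executable")
    return hints


def analyze(data):
    """Hashes, machine type, section table, strings and packer hints in one report."""
    machine, sections = parse_sections(data)
    return {
        "hashes": {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")},
        "machine": hex(machine),
        "sections": sections,
        "strings": ascii_strings(data),
        "packer_indicators": packer_indicators(sections),
    }


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    print(report["hashes"]["sha256"], report["machine"])
    for s in report["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:<6} virt={s['virtual_size']:<8} entropy={s['entropy']}")
    print("\n".join(report["packer_indicators"]))
```

A packed sample shows almost no useful strings and one high-entropy section, which is the signal to unpack (or run it dynamically) before spending time on the static side; the hashes go to the report and to lookups against existing sandbox results.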
- 
	In the Metasploit framework there is an extension called incognito which allows us to perform activities such as token stealing and manipulation. These kinds of activities are important in the privilege escalation stage of a penetration test, because if we can steal the token of an administrator, for example, we can perform higher privilege operations on the target.

So let's say that we have successfully exploited a remote system and we have a meterpreter session. The first thing that we have to do is to load the incognito extension in Metasploit, which gives us the commands that the incognito extension supports.

Then we can use the command list_tokens -u in order to obtain the list of tokens that are available on the remote system.

If we would like to impersonate a token from the above list we can use the command impersonate_token and one of the delegation tokens that are available. The image below is showing the use of this command.

We can see from the above image that the session has changed from System to Administrator. So now we can perform various tasks such as modifying files or breaking into other computers that exist in the same network as the administrator of this system. If we want to return back to our original token we can use the rev2self command.

Incognito has some other options as well, like add_group_user, which will try to add a user to a global group with all tokens. Apart from token impersonation we can try to steal a token as well. The way that this method works is that it tries to steal the token from an existing process. So in order to achieve that we need first to know the PIDs of the processes on the remote system. We can use the command ps in meterpreter in order to obtain the list of the processes of our target.

In this example we will try to steal the token of the user Administrator. So we will use the command steal_token and the PID of one of the processes that this user owns. For example 1864 is the PID of the cmd process. The image below is showing that we have successfully managed to steal the token from the administrator.

Conclusion
In this article we saw how we can impersonate users and steal tokens by using meterpreter after we have exploited the remote system. We can also try to break into other systems in the domain with a stolen token. The usage of token stealing and impersonation will help a penetration tester to escalate privileges on the local machine or even to become a domain administrator, which is always one of the ultimate goals.

Source: Penetration Testing Lab
- 
	SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC. Here's what a typical email looks like:
Subject: Verify your order
Message body: Dear [name], please verify your order #[random number] at [LINK] We hope to see you again soon!

The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.

More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).

Source: Insecure WordPress blogs unwittingly host Blackhole malware attack | Naked Security
- 
	Guys! The Social Engineer Toolkit (SET) has been updated recently! We now have Social Engineer Toolkit version 3.6! We wrote about the Social Engineer's Toolkit in our old post here. This release has a funny codename – “MMMMhhhhmmmmmmmmm.” This release incorporates the SCCM attack vectors demonstrated at Defcon. The automation piece is still under development and expected to be released soon. In addition, new exploits have been released as well as additional enhancements and bug fixes. The full change log can be found below.

Official Social Engineer Toolkit change log:
  - adds the new SCCM attack vector to the social-engineer toolkit – allows you to patch SCCM servers to deploy backdoors
  - updated the web gui interface to add updates to exploits
  - fixed a menu bug in the web interface that would repeat numbers
  - added the MSCOMCTL ActiveX Buffer Overflow (ms12-027) exploit to the web interface
  - added the shellcodeexec alphanumeric shellcode payload to the web interface
  - added Java Applet Field Bytecode Verifier Cache Remote Code Execution to the web interface
  - added MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption to the web interface
  - added Microsoft XML Core Services MSXML Uninitialized Memory Corruption to the web interface
  - added Adobe Flash Player Object Type Confusion to the web interface
  - fixed a menu bug that would not allow you to return to the previous menu in the java applet
  - fixed a bug that would cause the multi-attack Metasploit, java applet, and cred harvester to not work on the right ports and raise exceptions
  - added background listener to credential harvester and multi-attack — allows credential harvester to continue to run even if Metasploit has been exited
  - fixed a bug that would still flag any website as cloned successfully. The new code fixes that by checking to ensure the site was properly cloned.
  - fixed a cloning web bug that would error out then continue with payload selection
  - added a cleanup routine to the web cloner for post completion on the cloner; this fixes a repetitive issue when launching multiple attacks in the menu system

Download Social Engineer Toolkit 3.6: svn co / - Revision 1467: /social_engineering_toolkit set/

Source: Social Engineer Toolkit version 3.6! — PenTestIT
- 
	Oink time, guys! Snort was updated a few days ago! We now have the latest release, Snort version 2.9.3.1! Our old post regarding Snort can be found here. Had we not been busy and posted it today, it would have been TWO Snort releases in the last month!

Official Snort 2.9.3.1 release notes:
Corrected check for TCP RST flags to prevent sending resets to reset packets with inline and active response.
Update hashing for internal storage of rule options for 64bit platforms when checking uniqueness to remove duplicate copies in memory.
Address some small memory leaks from parsing snort.conf.

src/build.h: Updated build number to 40
src/sfutil/acsmx2.c: Release memory during return.
src/dynamic-preprocessors/sip/sip_config.c: Free method struct when method->methodName is NULL.
src/: detection-plugins/detection_options.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_preprocopt.c: Fix constant expression in hashing routines for 64bit platforms.
src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Fix Samba chained OpenAndX -> Write command handling.
src/active.c: Check for TCP RST flag regardless of other flags to block resetting resets.
src/: active.c, decode.c, detection-plugins/sp_pcre.c, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.c, dynamic-preprocessors/dnp3/dnp3_map.c, dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/sdf/spp_sdf.c, dynamic-preprocessors/sip/sip_config.c, dynamic-preprocessors/sip/sip_roptions.c, dynamic-preprocessors/smtp/spp_smtp.c, output-plugins/spo_alert_unixsock.c, preprocessors/spp_httpinspect.c, preprocessors/spp_perfmonitor.c, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/server/hi_server.c, sfutil/bnfa_search.c, sfutil/sf_iph.c, target-based/sf_attribute_table_parser.l: Parse time memory cleanup
src/dynamic-preprocessors/dcerpc2/dce2_utils.h: Fixed issue on big endian systems where behaviour was incorrect.

Download Snort: Snort 2.9.3.1 - snort-2.9.3.1.tar.gz/Snort_2_9_3_1_Installer.exe
Source: Snort version 2.9.3.1! — PenTestIT
- 
	Just as the name suggests, GCrack is yet another hash cracker that leverages the Google search engine to crack multiple hashes. Another tool that works similarly is findmyhash, though GCrack was originally inspired by BozoCrack. In fact, it improves upon BozoCrack, which cracks MD5 hashes by googling for hashes and using the resultant query as a wordlist.

GCrack improvements over BozoCrack:
Googles for the hash, uses only plain-text data for possible wordlist candidates and hashing
Currently supports the following hashes: md5, sha1, sha224, sha256, sha384, sha512, NTLM
The input file with hashes can be mixed with any of the above supported hash types
If the attack finds the hash, it will even ID the hash algorithm for you
Uses the first page of Google search and the first 3 results (the contents of the pages) as the wordlist for cracking; it's slower than pure Google or pure [insert_cracking_service here], but as far as the author is concerned, it will give you more cracked hashes
Generates a [file_with_hashes].run file that is a resume/report for all hashes that have been tested or found, if your session breaks or you encounter a CAPTCHA or error. Simply re-run the script and it will resume cracking. Nice for churning through that 3 million hash dump you found on Pastebin
You can use the [file_with_hashes].run file as a handy report
The tool is a bit probabilistic because of Google's results, so rerunning the script can yield more results

An optional dependency is python-nltk (natural language toolkit), which speeds up the cracking process by using plain text while cracking. If you don't have it, the cracking will be slower because all the HTML will be used as possible words for the wordlist. A mandatory dependency is python-lxml, for scraping links in the HTML of Google results.

Download GCrack: GCrack 1.5 – gcrack.py
Source: GCrack: Identify and Crack Passwords via Google! — PenTestIT
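As an added example (not GCrack's or BozoCrack's own code), the Python below reproduces the cracking core the post describes: tokenise the text of scraped result pages into a wordlist, infer the candidate algorithm from the digest length, and try every candidate against every word. The Google fetch and the lxml/nltk steps are left out; SAMPLE_PAGE_TEXT is a constructed stand-in for scraped pages, and the MD4 behind NTLM is a pure-Python implementation because hashlib has no md4 on many current OpenSSL 3 builds.

```python
import hashlib
import re
import struct

# Constructed stand-in for the page text GCrack scrapes from the first results;
# no network access happens in this example.
SAMPLE_PAGE_TEXT = """
<html><body><p>Top 500 passwords: password, letmein, qwerty, dragon.</p>
<p>Another page mentions monkey and 123456 and summer2012.</p></body></html>
"""

# Hex-digest length -> candidate algorithms from the post's supported list.
# MD5 and NTLM are both 32 hex chars, so both must be tried for such input.
ALGOS_BY_LENGTH = {
    32: ("md5", "ntlm"), 40: ("sha1",), 56: ("sha224",),
    64: ("sha256",), 96: ("sha384",), 128: ("sha512",),
}


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rotl((a + F(b, c, d) + x[k]) & mask, s)
            a, b, c, d = d, a, b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        [3, 5, 9, 13] * 4):
            a = rotl((a + G(b, c, d) + x[k] + 0x5A827999) & mask, s)
            a, b, c, d = d, a, b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        [3, 9, 11, 15] * 4):
            a = rotl((a + H(b, c, d) + x[k] + 0x6ED9EBA1) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


def digest(algo: str, word: str) -> str:
    if algo == "ntlm":
        return ntlm(word)
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def words_from_html(html: str) -> list:
    """Crude tag stripping and tokenising (stand-in for the lxml/nltk step)."""
    text = re.sub(r"<[^>]+>", " ", html)
    # dict.fromkeys dedupes while keeping first-seen order
    return list(dict.fromkeys(re.findall(r"[A-Za-z0-9_@#$%^&*!+=\-]+", text)))


def identify_and_crack(hash_hex: str, words: list):
    """Return (algorithm, plaintext) for the first matching word, else None.

    The algorithm is inferred from the digest length, like GCrack's hash ID."""
    h = hash_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in ALGOS_BY_LENGTH:
        return None
    for word in words:
        for algo in ALGOS_BY_LENGTH[len(h)]:
            if digest(algo, word) == h:
                return (algo, word)
    return None


def crack_all(hashes: list, words: list) -> dict:
    """Mixed-algorithm input like the tool's hash file; the dict doubles as a .run-style report."""
    return {h: identify_and_crack(h, words) for h in hashes}


if __name__ == "__main__":
    wl = words_from_html(SAMPLE_PAGE_TEXT)
    targets = [digest("md5", "letmein"), ntlm("dragon"),
               digest("sha256", "summer2012"), "0" * 40]
    for h, result in crack_all(targets, wl).items():
        print(h, "->", result)
```

Because length alone cannot separate MD5 from NTLM, both are tried for 32-character digests; a real run against Google output would also want the .run-file resume logic and CAPTCHA handling the post mentions, which are omitted here.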
- 
	Grab your free copy of Anvi Smart Defender Pro, originally valued at $24. Anvi Smart Defender delivers smart and powerful protection against malicious software, such as viruses, Trojans, adware, spyware, bots and other threats. With the newly designed swordfish engine, it scans and detects Internet security threats fast and lightly. It adds a system optimization function to speed up a slow PC and provides a cloud scan feature to give the PC more effective and powerful protection.

Key features of Anvi Smart Defender Pro:
Malware scanner prevents infection from viruses, Trojans, adware, and spyware.
Upload suspicious files for scanning and verification against a large cloud database.
Free system optimization function for speeding up the PC and cleaning junk files.
Privacy guard, startup guard, process guard, and files guard for basic PC protection.
Guards your PC with behavior guard and USB & external drive guard in a proactive way.
Stops you from landing on malicious sites.
Blocks adware from displaying on sites you visit.
More useful tools for PC emergencies.

Follow the steps below to grab a free copy of Anvi Smart Defender Pro:
Click here to visit the promo page for Anvi Smart Defender Pro.
Enter your email address. You will receive a confirmation link from donoreply@anvisoft.com.
Click on that link to receive your free license.

Source: http://www.pentestit.com/anvi-smart-defender-pro-free-download/
- 
	[Medium/Hard] Oracle SQL Injection [ Contest + Prizes. ] #3: Wubi replied to Sheyken's topic in Challenges (CTF)
- 
	Our first post regarding ZAProxy, the OWASP Zed Attack Proxy, can be found here. Now an updated ZAProxy version 1.4.1 has been released! This is a bug fix release and doesn't include any new functionality.

ZAProxy 1.4.1 official change log (bug fixes):
Issue 297: Exclusions not honored
Issue 298: Content-Length header is not properly updated
Issue 306: Change zap.sh memory setting
Issue 307: ConcurrentModificationException when opening a big session
Issue 308: ZAP in daemon mode exits when you save a session
Issue 309: Client API can't cope with Informational risk
Issue 312: Increase the maximum number of scanning threads allowed
Issue 314: Handle very large results more cleanly
Issue 315: XSS false positive when injecting into an input src where the type is not 'image'
Issue 319: Spider progress not reported correctly via the API
Issue 320: AScan can miss subtrees if invoked via the API
Issue 337: Increase JVM permsize

Download ZAProxy: ZAProxy 1.4.1 – ZAP_1.4.1_Windows.exe/ZAP_1.4.1_Linux.tar.gz
Source: ZAProxy version 1.4.1! — PenTestIT
- 
	PHP Shell Detector is a PHP script that helps you find and identify PHP shells. It also has a "web shells" signature database that helps to identify a "web shell" with up to 99% accuracy. By using the latest JavaScript and CSS technologies, PHP Shell Detector has a lightweight and friendly interface. The main feature is that if you're not sure about a suspicious file, you may send it to the websecure.co.il team. After submitting your file, it will be inspected and, if there are any threats, it will be inserted into the "php shell detector" web shells signature database, and the next time this file will be recognized positively.

We were planning to build a similar kind of tool for our internal testing process. PHP Shell Detector will help us build it.

Settings used in PHP Shell Detector:
extension – extensions that should be scanned
showlinenumbers – show the line number where a suspicious function is used
dateformat – used with access time & modified time
language – if you want to use another language
directory – scan a specific directory
task – perform different tasks
report_format – used with is_cron(true); file format for the report file
is_cron – if true, run like a cron job (no output)
useget – activate the _GET variable as an easy way to receive tasks
authentication – protect the script with a user & password; to disable, simply set to NULL
remotefingerprint – get the shell signatures DB remotely
filelimit – maximum files to scan (for more than 30000 you should scan a specific directory)

Number of shells in the signature database: 141

Download PHP Shell Detector: PHP Shell Detector – emposha-PHP-Shell-Detector-001fa28.tar.gz
Source: PHP Shell Detector a new Tool for web shell detection — PenTestIT
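The two detection layers the post describes (flagging suspicious functions with their line numbers, and matching files against a signature database) are shown below as an added Python example; it is not PHP Shell Detector's own code, and its pattern list, whitespace-insensitive fingerprint and classification thresholds are my choices, not the tool's. SAMPLE_SHELL and SAMPLE_CLEAN are constructed files, and the one-entry signature set stands in for the tool's 141-entry database.

```python
import hashlib
import os
import re

# Constructed sample files, not taken from any real shell or from the tool's database.
SAMPLE_SHELL = """<?php
$c = $_POST['c'];
eval(base64_decode($c));
system($_REQUEST['cmd']);
"""

SAMPLE_CLEAN = """<?php
$title = htmlspecialchars($_GET['t']);
echo "<h1>" . $title . "</h1>";
"""

# Constructs a shell detector typically flags (my selection, not the tool's list).
SUSPICIOUS = [
    (r"\beval\s*\(", "eval"),
    (r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", "command execution"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", "decoding/obfuscation"),
    (r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]", "preg_replace /e"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\b", "user input"),
]


def fingerprint(source: str) -> str:
    """Whitespace-insensitive hash, so a re-indented copy of a known shell still matches."""
    return hashlib.sha1(re.sub(r"\s+", "", source).encode("utf-8")).hexdigest()


# Stand-in for the tool's signature database; one constructed entry.
KNOWN_SHELL_FINGERPRINTS = {fingerprint(SAMPLE_SHELL)}


def scan_source(path: str, source: str) -> dict:
    """Flag suspicious constructs with line numbers and check the signature DB."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line):
                hits.append((lineno, label, line.strip()))
    return {
        "path": path,
        "hits": hits,
        "signature_match": fingerprint(source) in KNOWN_SHELL_FINGERPRINTS,
    }


def classify(report: dict) -> str:
    """known shell: signature hit; suspicious: code execution fed by request data, or many hits."""
    if report["signature_match"]:
        return "known shell"
    labels = {label for _, label, _ in report["hits"]}
    if labels & {"eval", "command execution"} and "user input" in labels:
        return "suspicious"
    if len(labels) >= 3:
        return "suspicious"
    return "clean"


def scan_tree(root: str, extensions=("php", "txt")) -> list:
    """Walk a directory, honouring an extension filter like the tool's 'extension' setting."""
    reports = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.rsplit(".", 1)[-1].lower() in extensions:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    reports.append(scan_source(full, fh.read()))
    return reports


if __name__ == "__main__":
    for name, src in (("shell.php", SAMPLE_SHELL), ("index.php", SAMPLE_CLEAN)):
        rep = scan_source(name, src)
        print(name, classify(rep))
        for lineno, label, text in rep["hits"]:
            print(f"  line {lineno}: {label}: {text}")
```

Exact-hash signatures catch only shells already in the database (the reason the post's upload-for-analysis workflow exists); the function-pattern layer is what catches new variants, at the price of false positives such as the "user input" hit on SAMPLE_CLEAN, which the classifier tolerates on its own.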
