Versus71

OWTF 0.14 “London”


The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.

ChangeLog:

+ Inclusion of fuzzdb -allowed by licence- thanks!
+ Inclusion of HashCollision-DOS-POC by Christian Mehlmauer (@_FireFart_) thanks!
Location: owtf_dir/tools/dos/web/HashCollision-DOS-POC
More info: https://github.com/FireFart/HashCollision-DOS-POC
+ Installation script cleanup: tools/bt5_install.sh courtesy of Michael Kohl (@citizen428), thanks!
+ Minor fixes to scripts/setrubyenv.sh also courtesy of Michael Kohl (@citizen428), thanks!
+ "set fuzzFormComboValues all" removed from scripts/run_w3af.sh because it may make w3af scans slow, thanks to Adi Mutu (am06) and Andrés Riancho (@w3af)!
More info: http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2B1Rt67bN3-2OpB%2B7SOGO7%3D92KWXBMdbaztpa885f%3Du2GzjcFg%40mail.gmail.com&forum_name=w3af-users (SourceForge.net: w3af-users)
+ Created an initial basic targeted phishing plugin to send anything via SMTP: aux/se/Targeted_Phishing@OWTF-ASEP-002.py
+ Created the concept of "OWTF Agents": Small listeners that establish communication channels that allow to perform actions remotely (i.e. in a victim machine)
- Added sbd-based shared-password OWTF Agent for persistent shell access to other machines to be used during a test (i.e. victim emulation)
- Added ssh-based trusted-public-key OWTF Agent for an alternative to shared passwords (basic instructions to set this up with ssh)
- Added initial auxiliary plugins to communicate with OWTF agents:
SBD_CommandChainer is working, the others in rce are WIP (see plugins/aux/rce)
- Added imapd OWTF agent: This checks email with a predefined account and loads the configured plugin to process the message.
Example:
1) OWTF sends a targeted phishing attack via aux/se/Targeted_Phishing@OWTF-ASEP-002.py
2) An OWTF imapd Agent processes any new email that arrives and emulates a user click for all links found in the message
+ Added initial SMB handler to the framework and a related plugin: aux/smb/SMB_Handler@OWTF-SMB-001.py
+ Added an Interactive Shell handler useful to interact with remote and local shells run in a subprocess
+ Significant SET integration improvements: new OWTF SET handler + spear_phising modules and plugin/configurability tweaks
+ Added hopefully better comments in several places
+ Started to use Eclipse and Fixed indentation on many framework files
+ Bug fix: Commented out goohost shell one liners in profiles/general/default.cfg: When goohost is not installed cat hangs (Thanks to Sandro Gauci)
+ Bug fix: Grep plugins were no longer showing links to Text, HTML, etc findings
+ Added CAPTCHA breaker tool links to external plugin to assist manual exploitation: PWNtcha - captcha decoder, Captcha Breaker
+ Added vulnerability search box to the CAPTCHA external plugin
+ Added links to the "Session management schema" external plugin: Gareth Hayes' HackVertor, Raul Siles' (Taddong) F5 BIG IP Cookie Decoder
+ Added link to the "SSI Injection" external plugin: webappsec.org SSI Injection info
+ Moved HTTP-Traceroute back into rev_proxy to avoid config changes

Download:

https://github.com/7a/owtf/tree/master/releases
