Mac OS

Apple Mac OS X

FS-NyarL

A network takeover & forensic analysis tool - useful to advanced PenTest tasks & for fun and profit - but use it at your own risk!

Features:
Interactive Console
Real Time Passwords Found
Real Time Hosts Enumeration
Tuned Injections & Client Side Attacks
ARP Poisoning & SSL Hijacking
Automated HTTP Report Generator

ATTACKS IMPLEMENTED:
MITM (Arp Poisoning)
Sniffing (With & Without Arp Poisoning)
SSL Hijacking (Full SSL/TLS Control)
HTTP Session Hijaking (Take & Use Session Cookies)
Client Browser Takeover (with Filter Injection in data stream)
Browser AutoPwn (with Filter Injection in data steam)
Evil Java Applet (with Filter Injection in data stream)
DNS Spoofing
Port Scanning

POST ATTACKS DATA OBTAINED:
Passwords extracted from data stream
Pcap file with whole data stream for deep analysis
Session flows extracted from data stream (Xplico & Chaosreader)
Files extracted from data stream
Hosts enumeration (IP,MAC,OS)
URLs extracted from data stream
Cookies extracted from data stream
Images extracted from data stream
List of HTTP files downloaded extracted from URLs

DEPENDENCIES (aka USED TOOLS):
Chaosreader (already in bin folder)
Xplico
Ettercap
Arpspoof
Arp-scan
Mitmproxy
Nmap
Tcpdump
Beef
SET
Metasploit
Dsniff
Macchanger
Hamster
Ferret
P0f
Foremost
SSLStrip
SSLSplit

FantaGhost, FGscanner

# FantaGhost URL Scanner 1.0
Advanced web directory scanner with proxy and TOR support

#### About
This is an opensource advanced web directory scanner to find hidden contents on a web server using dictionary-like attack. FantaGhost URL scanner support proxy and TOR.

All options explained here are also available from `fgdev.pl --help`)

Usage: ./fgscan.pl --host=hostname [--proxy=filepath] [--sec=n] [--dump] [--dirlist=filepath] [--wordlist=filepath] [--tor] [--tordns] [--debug] [--help]

--debug : Print debug information
--dirs : Specify the directory list file
--pages : Specify the wordlist file
--host : Specify hostname to scan (without http:// or https://)
--proxy : Specify a proxy list
--sec : Seconds between requests. Value 999 will randomize delay between requests from 1 to 30 seconds
--dump : Save found pages on disk
--tor : Use TOR as proxy for each request
--tordns : Use TOR to resolve hostname. Without this options DNS queries will be directed to default DNS server outside TOR network.
--help : What you're reading now

Routerpwn

== ROUTERPWN.com ==
Routerpwn.com is a web application that helps you in the exploitation of vulnerabilities in residential routers.

It is a compilation of ready to run local and remote web exploits.
Programmed in Javascript and HTML in order to run in all "smart phones" and mobile internet devices.
It is only one page, so you can store it offline for local exploitation without internet connection.

== Exploits ==
# 154 Total (11 Modules) 08/09/2012 #

Sagem Fast Telnet Root Password Generator
A1/Telekom PRG EAV4202N Default WPA Key Generator
Discus DRG A225 WiFi router Default WPA2-PSK Key Generator
Thomson BBox BBKeys TG787 Default Wireless Key Generator
EasyBox Standard WPA2 Key Generator
ZynOS (Huawei) Configuration Decompressor
Thomson SpeedTouch STKeys Default Wireless Key Generator
Huawei HG5XX Mac2wepkey Default Wireless Key Generator
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
Arris Password of The Day Generator

20x 27x authentication bypass (xss + info disclosure)
17x 18x 20x 27x CRLF denial of service remote MDC
17x 18x 20x 27x CRLF denial of service
17x 18x 20x 27x password_required.html authentication bypass
17x 18x 20x 27x CD35_SETUP_01 authentication bypass
17x 18x 20x 27x CD35_SETUP_01 password reset
17x 18x 20x 27x DSL denial of service
17x 18x 20x 27x mgmt_data configuration disclosure
17x 18x 20x 27x H04 authentication bypass
17x 18x 20x 27x 38x Add domain to hosts table CSRF
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
iMC Intelligent Management Center configuration disclosure
iMC Intelligent Management Center traversal
OfficeConnect command execution
AP 8760 auhentication bypass
OfficeConnect configuration disclosure
OfficeConnect 3CRWE454G72 configuration disclosure
3cradsl72 configuration disclosure
3cradsl72 information disclosure & authenication bypass
812 denial of service
812 denial of service 2

Vicnum (Hacking Game)

This is the vicnum project ("vicnum")

This project was registered on SourceForge.net on Jan 27, 2009, and is described by the project team as follows:

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag' . Play the game at http://vicnum.ciphertechs.com

Vicnum (1.5) is an OWASP project consisting of multiple vulnerable web applications based on games commonly used to kill time. These applications demonstrate common web security problems such as cross site scripting, sql injections, and session management issues. The goal of this project is to strengthen security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it's OK to have a little fun. There are currrently three applications (or challenges) in this version of Vicnum. Guessnum, a game to guess a number the computer has picked. Jotto, a game to guess a word the computer has picked. And the Union Challenge which is new to version 1.5 Besides untarring the tar into the right folder and some Apache webserver tweaking, three MySQL tables will need to be created.

WATOBO

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. We (watobo team) are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.
WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only.

„Ok, how does it work?“
WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite.
Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.
Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

„So why should I use WATOBO instead of other web application auditing tools?“
The most important advantages are:
WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
WATOB can act as an transparent proxy
WATOBO has anti-CSRF features
WATOBO can perform vulnerability checks out of the box.
WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
WATOBO is written in (FX)Ruby and enables you to define your own checks
WATOBO is free software ( licensed under the GNU General Public License Version 2)
It’s by siberas Wink

Supported operating systems

Smartphone Pentest Framework

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. SPF Version 0.1 contains remote attacks, client side attacks, social engineering attacks, and post exploitation, targeting smartphone devices. SPF Version 0.1 includes a text based management console, a web based GUI, and a management Android app. Additionally, a post exploitation “agent” for the Android platform is included. SPF is an on going project with plans in the works for support for additional devices, more modules in each attack vector category, integration with existing tools such as Metasploit and SET, etc.

sira

1. Enable network proxy
2. Snapshot file system
3. Install App
4. Decrypt app
5. Snapshot file system
6. Binary analysis:
a. PIE enabled?
b. Stack smashing protection enabled?
c. Reference counting enabled?
d. Class-dump or class-dump-z
e. XML processors installed?
f. Jailbreak Detection?
ii. (if yes, disable)
7. Runtime Analysis:
a. Use the app and record data
b. Certificate enforcement
i. if yes, bypass (import cert, hook cert functions)
c. Snapshot file system
d. Analyze shanpshot diffs
i. Locate storage of sensitive data
1. Was it stored securely?
ii. Protocol handlers installed?
e. Locate transmission of sensitive data
i. Was it transmitted securely?
ii. Privacy Analysis
1. Did the app transmit Contacts?
2. Did the app transmit Calendar?
3. Did the app transmit Location?
4. Did the app store a location log?
a. What was the granularity of the location?
5. Did the app transmit UDID?
f. Abuse the app and record data
i. If protocol handlers in use, can they be abused?
ii UIWebView in use?
1. Attempt XSS
a. Attempt to exploit objc bridge
iii. XML in use?
1. Attempt local XML attacks
iv. Attempt buffer overflows
v. Attempt format string attacks
vi. Attempt local file traversal
vii. Attempt local SQLi
viii. Logic flaw abuse
ix. (If in scope - Server side analysis)
g. Snapshot file system
h. Analyze snapshot diffs
i. As findings are discovered, repeat any steps in 7. as needed

SiRA is able to automate or semi-automate many of the steps involved in an application
assessment. SiRA includes some assistance for all 7 of the major methodology steps outlined
above. Not all automatable substeps are currently implemented, but work is ongoing. In
addition, SiRA provides a convenient single location for a variety of manual and semi-automated
functionalities. Finally, SiRA can automate your automation by providing a step-by-step guided

peepdf

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones.

The main functionalities of peepdf are the following:

Analysis:
Decodings: hexadecimal, octal, name objects
More used filters
References in objects and where an object is referenced
Strings search (including streams)
Physical structure (offsets)
Logical tree structure
Metadata
Modifications between versions (changelog)
Compressed objects (object streams)
Analysis and modification of Javascript (Spidermonkey): unescape, replace, join
Shellcode analysis (Libemu python wrapper, pylibemu)
Variables (set command)
Extraction of old versions of the document
Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
Checking hashes on VirusTotal

Creation/Modification:
Basic PDF creation
Creation of PDF with Javascript executed wen the document is opened
Creation of object streams to compress objects
Embedded PDFs
Strings and names obfuscation
Malformed PDF output: without endobj, garbage in the header, bad header...
Filters modification
Objects modification

Execution modes:
Simple command line execution
Powerful interactive console (colorized or not)
Batch mode

TODO:
Embedded PDFs analysis
Improving automatic Javascript analysis

squeeza

1. Name
Squeeza - SQL Injection without the pain of syringes

2. Authors
Marco Slaviero < marco(at)sensepost(dot)com >
Haroon Meer

3. License, version & release date
License : GPLv2
Version : v0.22
Release Date : 2008/08/24

4. Description
squeeza is a tool helps exploits SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (dns, timing, http error messages)

Currently, it supports the following databases:

Microsoft SQL Server
MySQL (only when multi-queries are enable, which is not too common)
squeeza is not a tool for finding injection points. That recipe generally starts with 1 x analyst. #

5. Usage

5.1 Installation is easy. Untar the archive into an appropriate spot. > $tar xvzf squeeza-0.21.tar.gz
Thereafter, edit the configuration file. By default, this is called 'squeeza.config' and resides in the same directory as the rest of the scripts.
Off the bat, you'll want to edit at least the following configuration items:

host
url
querystring
method
sql_prefix
sql_postfix
dns_domain
The default mode is command mode, and the default channel is dns. ##

5.2 Data Flow Model As already mentioned, squeeza splits the creation of data at the server away from the extraction of that data off the server (within certain constraints). Data is created by a /mode/, and extracted via a /channel/. By doing so, it is possible to mix 'n match modes with channels, which we think is pretty nifty/flexible.

Currently supported modes:
command mode : supports commands execution on the database server
copy mode : supports copying of files from the database server to the local machine
sql mode : supports the execution of arbitrary sql queries

Currently supported channels:

SapCap

SapCap is a SAP packet sniffer and decompression tool for analysing SAP GUI (DIAG) traffic. Using a 3rd-party JNI interface for pCap, it is also able to load previously captured tcpdump files.
Details on running SapCap can be found in the README.txt file included in the zip file.

Author: Ian de Villiers
Cost: Free
Source Code: GitHub
Version: 0.1
License : GPL
Release Date : 2011-09-02

Requirements
Java runtime environment.
Jpcap
Custom JNI Library.

The custom JNI library is included in the download.

Binary builds of the JNI library are only available for the following platforms:
Mac OS/X
Windows (32-bit)
Linux (32-bit)

If you wish to use a different platform, please download the sources for SAPProx and SapCompress and build the library yourself.

Syndicate content