Mac OS

Apple Mac OS X

SapCap

SapCap is a SAP packet sniffer and decompression tool for analysing SAP GUI (DIAG) traffic. Using a 3rd-party JNI interface for pCap, it is also able to load previously captured tcpdump files.
Details on running SapCap can be found in the README.txt file included in the zip file.

Author: Ian de Villiers
Cost: Free
Source Code: GitHub
Version: 0.1
License : GPL
Release Date : 2011-09-02

Requirements
Java runtime environment.
Jpcap
Custom JNI Library.

The custom JNI library is included in the download.

Binary builds of the JNI library are only available for the following platforms:
Mac OS/X
Windows (32-bit)
Linux (32-bit)

If you wish to use a different platform, please download the sources for SAPProx and SapCompress and build the library yourself.

SAPProx

SAPProx is a proof of concept tool for intercepting and modifying SAP GUI (DIAG protocol) traffic.
Details on running SAPProx can be found in the README.txt file included in the zip file.

Author: Ian de Villiers
Cost: Free
Source Code: GitHub
Version : 0.1
License : GPL
Release Date : 2011-09-02

Requirements
Java runtime environment.
Custom JNI Library.

The custom JNI library is included in the download.

Binary builds of the JNI library are only available for the following platforms:
Mac OS/X
Windows (32-bit)
Linux (32-bit)

If you wish to use a different platform, please download the sources for SAPProx and SapCompress and build the library yourself.

SAP Proxy

The analysis and reverse engineering of SAP GUI network traffic has been the subject of numerous research projects in the past, and several methods have been available in the past for decoding SAP DIAG traffic. Until the release of SensePost's freely available proof of concept SAP DIAG tools (SAPProx and SApCap) in 2011, most methods were complicated and convoluted, or not in the public domain.

SAP is widely used and normally stores information of great sensitivity to companies. However, by default the communication protocol can be described as telnet-meets-gzip and Secure Network Communication (SNC) is not enabled in most organizations where SAP GUI is used. Furthermore, the protocol can be abused with relatively devastating effect against both server and client side components.

SensePost's tools for decoding and analyzing SAP DIAG protocol has now been refined to a production ready, and offensive platform with scripting and fuzzing support. In addition, the tool set has been extended to include support for intercepting and decoding RFC-based communication.

kautilya

Kautilya is a toolkit which provides various payloads for a Human Interface Device which may help in breaking in a computer. Written in Ruby, the toolkit contains useful payloads and modules which could be used at different stages of a Penetration Test. Kautilya is tested with Teensy++ device but could be used with most of the HIDs. It has been successfully tested for breaking into Windows 7, Ubuntu11 and Mac OS X Lion.

- The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8.

- The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.

- The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare

- To get the latest version of the toolkit you should checkout the svn repository using

"svn checkout http://kautilya.googlecode.com/svn/trunk/ kautilya"

In principle, Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++2.0 and Teensy 3.0 from pjrc.com.

iSniff-GPS

iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks.

iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on wigle.net and visualise possible locations.

By geo-locating multiple SSIDs and WiFi router MAC addresses, it is possible to determine where a device (and by implication its owner) is likely to have been.

Components:
iSniff GPS contains 2 major components and further python modules:

iSniff_import.py uses Scapy to extract data from a live capture or pcap file and inserts it into a database (iSniff_GPS.sqlite3 by default).

A Django web application provides a browser-based interface to view and analyse the data collected. This includes views of all detected devices and the SSIDs / BSSIDs each has probed for, a view by network, Google Maps views for visualising possible locations of a given BSSID or SSID, and a pie chart view showing a breakdown of the most popular device manufacturers based on client MAC address Ethernet OUIs.

wloc.py provides a QueryBSSID() function which looks up a given BSSID (AP MAC address) on Apple's WiFi location service. It will return the coordinates of the MAC queried for and usually an additional 400 nearby BSSIDs and their coordinates.

Backfuzz

Backfuzz is a fuzzing tool for different protocols (FTP, HTTP, IMAP, etc) written in Python. The general idea is that this script has several predefined functions, so whoever wants to write their own plugin's (for another protocol) can do that in few lines.

# Installation: git clone https://github.com/localh0t/backfuzz
# Contact: mattdch0@gmail.com (suggerences, ideas, reviews)
# Follow: @mattdch
# Blog: www.localh0t.com.ar

AWS Scout

Scout is a security tool that lets Amazon Web Servers (AWS) administrators asses their environments security posture. Using the AWS API, Scout gathers configuration data for manual inspection or highlights high-risk areas automatically. Rather than pouring through dozens of pages on the web, Scout supplies a clear view of the attack surface automatically.

Running:
Scout is packaged as an executable jar. To run it, type

$ java -jar scout-0.9.5-standalone.jar

This will print a short message describing the commands Scout supports.

Usage:
java -jar scout-0.9.5-standalone.jar ACTION [OPTIONS]

The action argument will be explained in detail for each action below. The -c arguments specifies the credentials the tool will use to make requests to the AWS API.

Actions:
list-instances
Output a list of every instance in your EC2 account, grouped by security group, along with selected attributes of the instance.

list-groups
Output a list of every security group, broken down permission by permission.

audit-groups
Output a list of notable or dangerous security group permissions. Permissions are rated as critical, warning, or info depending on the service exposed and how much of the internet the service is exposed to (a /8 is more "critical" than a /24). For more information regarding this rating algorithm, consult the wiki.

compare-groups
Output the difference between what is configured in EC2 and the supplied ruleset file. Permissions marked "+" are configured in EC2 but missing from the ruleset, while permissions marked "-" are missing from EC2 but defined in the ruleset.

compare-groups requires that you specify a ruleset file for it to compare against. Here's an example ruleset:

(ruleset
(group :websrv
(permission :tcp [80] "0.0.0.0/0")
(permission :tcp [443] "0.0.0.0/0")
(permission :tcp [22] "134.82.0.0/16"))
(group :appsrv
(permission :tcp [8080 8083] :websrv)

..cantor.dust..

..cantor.dust.. is an interactive binary visualization tool, a radical evolution of the traditional hex editor. By translating binary information to a visual abstraction, reverse engineers and forensic analysts can sift through mountains of arbitrary data in seconds. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint. ..cantor.dust.. dramatically accelerates the analysis process, and, for the experienced user, forms an indispensable tool in the reverser's arsenal.

SSLNuke

The purpose of sslnuke is to write a tool geared towards decrypting and intercepting "secured" IRC traffic. There are plenty of existing tools that intercept SSL traffic already, but most of these are geared towards HTTP traffic. sslnuke targets IRC directly in order to demonstrate how easy it is to intercept "secured" communications. sslnuke usage is simple.

Usage:

First, add a user account for sslnuke to run as and add iptables rules to redirect traffic to it:

# useradd -s /bin/bash -m sslnuke
# grep sslnuke /etc/passwd
sslnuke:x:1000:1000::/home/sslnuke:/bin/bash
# iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1000 -m tcp \
--dport 6697 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 4444

Finally, login as sslnuke, build, and run sslnuke:

# su -l sslnuke
# cd sslnuke
# make
# ./sslnuke

Run an IRC client and login to your favorite IRC network using SSL, IRC messages will be printed to stdout on sslnuke.

[*] Received connection from: 192.168.0.5:58007
[*] Opening connection to: 1.1.1.1:6697
[*] Connection Using SSL!
[*] irc.com -> AUTH (1.1.1.1): *** Looking up your hostname...
[*] irc.com -> AUTH (1.1.1.1): *** Found your hostname
[*] irc.com -> victim (1.1.1.1): *** You are connected to irc.com with TLSv1.2-AES256-GCM-SHA384-256bits
[*] 192.168.0.5 -> nickserv (192.168.0.5): id hello
[*] NickServ!services@irc.com -> victim (1.1.1.1): Password accepted - you are now recognized.

sslnuke will automatically detect a client using SSL and determine whether or not to use SSL. The code could also be easily modified to show web site passwords or FTP data, anything using SSL. To attack users on a network, sslnuke can be used in conjunction with an ARP poisoning tool, such as the one found at Blackhat Library or it can be deployed on a gateway.
Mitigation

Vanguard

Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.
Features

Main application features:
Fully Configurable
WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
Tests via GET,POST, and COOKIE

Web penetration tests:
SQL injection (This test is signature free!)
LDAP Injection
XSS
File inclusion
Command Injection

Usage:
perl scan.pl -h [hostname] -e [evasion option]

Application Dependencies:

Notice: You must run this application as root.
You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.

Perl Dependencies:
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
YAML
Clone
Notice: You can install these libraries with cpan.

Syndicate content