Enumeration

Bing

This is a tool for security researchers. It allows you to search for either an IP address or a DNS name and display all associated domain names known to Bing.

* If a specific IP address is searched, all domain records associated with that address are displayed
* If a DNS name is searched, all domain records associated with all addresses returned for that DNS name are displayed (this case is shown in the screenshot below)

Two separate self-contained versions of the tool are available: command-line-based and GUI-based. The GUI version can be spawned directly from the browser - no installation or additional files are required - just click on the link in Downloads and select Run.

Both versions require the .NET Framework 3.5.

Bile-suite

The BiLE suite includes a number of Perl scripts that can be used by a penetration tester to aid in the enumeration phase of a test. BiLE stands for Bi-directional Link Extraction utilities. The suite of tools is essentially used in the footprinting process to find both obvious and non-obvious relationships between disparate sites. With this information a pen tester may then decide to try and access sites with close relationships to the target as a stepping stone into the target network.
Note: this process depends on the linked sites you plan to attack in order to get through to your target actually being owned by the target company and in the scope of the test.

Passive Recon

Based on Gina Trapani's About This Site Firefox plugin (https://addons.mozilla.org/en-US/firefox/addon/3673), Passive Recon gives information security professionals the ability to perform "packetless" discovery of target resources using publicly available information. In addition, multiple Google hacks can be performed. Selecting the ShowAll option at the bottom opens each search in a separate tab (you had better have broadband: that is a lot of tabs and your browser will get very cluttered).

Recommended for inclusion in FireCat (available from Security-database.com).

Installation:
You need to register with the Firefox add-ons site.
Download the plugin and select Install within Firefox.

Execution:
Right-click and select Passive Recon.

w3af

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

The project uses a number of disparate plugins to carry out an audit against a target website, the main ones being:

* Discovery plugins have only one responsibility, finding new URLs, forms, and other “injection points”. A classic example of a discovery plugin is a web spider. This plugin takes a URL as input and returns one or more injection points. When a user enables more than one plugin of this type, they work recursively: If plugin A finds a new URL in the first run, the w3af core will send that URL to plugin B. If plugin B then finds a new URL, it will be sent to plugin A. This will go on until all plugins are run and no more knowledge about the application can be found using the enabled discovery plugins.

* Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. A classic example of an audit plugin is one that searches for SQL injection.

* The objective of attack plugins is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server or, in the case of SQL injection, a dump of remote databases.

The plugins find the URLs, discover the bugs and exploit them. The complete list of plugin types is:

* audit
* bruteforce
* discovery
* evasion
* exploit
* grep
* mangle
* output

SQLier

SQLIer takes an SQL-injection-vulnerable URL and attempts to determine all the information necessary to build and exploit an SQL injection hole by itself, requiring no user interaction at all (unless it can't guess the table/field names correctly). With that information, SQLIer builds a UNION SELECT query designed to brute force passwords out of the database. The script also avoids using quotes in the exploit, meaning it will work for a wider range of sites.

An 8 character password (containing any character from decimal ASCII code 1-127) takes approximately 1 minute to crack.

Execution:
sqlier [OPTIONS] [url]

-c [host] Clear all exploit information stored for [host].
-o [file] Output cracked passwords to [file].
-s [seconds] Wait [seconds] between page requests.
-u [usernames] Usernames that will be brute forced from the database,
comma separated (Username1,Username2,Username3).
-w [options] Pass [options] to wget.

Passing Field Names:
--table-names [table_names] Comma separated list of table names to guess.
--user-fields [user_fields] Comma separated list of username fields to guess.
--pass-fields [pass_fields] Comma separated list of password fields to guess.

Wikto

Web Server Assessment Tool
Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.

Fping

fping is a ping(1)-like program which uses Internet Control Message Protocol (ICMP) echo requests to determine whether a host is up. fping differs from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping sends out a ping packet and moves on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit, it is considered unreachable.
Unlike ping, fping is meant to be used in scripts, and its output is easy to parse.

SPIKE Proxy

HTTP Hacking
Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.

Fport

Foundstone's enhanced netstat
Fport reports all open TCP and UDP ports on the machine you run it on and shows which application opened each port, so it can be used to quickly identify unknown open ports and their associated applications. It only runs on Windows, but many UNIX systems now provide this information via netstat (try 'netstat -pan' on Linux). A PDF-format SANS article on using Fport and analyzing its results is also available.

Firewalk

Advanced traceroute
Firewalk employs traceroute-like techniques to analyze IP packet responses in order to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002.