Web

Anything related to websites

Nimbostratus

Tools for fingerprinting and exploiting Amazon cloud infrastructures. These tools are a PoC which I developed for my "Pivoting in Amazon clouds" talk, developed using the great boto library for accessing Amazon's API.

The nimbostratus toolset is usually used together with nimbostratus-target, which helps you setup a legal environment where this tool can be tested.

Installation
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Usage
Providing AWS credentials
Some nimbostratus sub-commands require you to provide AWS credentials. They are provided using the following command line arguments:
--access-key
--secret-key
--token , which is only used when the credentials were extracted from the instance profile.

Dump credentials
Identify the credentials available in this host and prints them out to the console. This is usually the first command to run after gaining access to an EC2 instance.
$ nimbostratus dump-credentials
Found credentials
Access key: ...
Secret key: ...

Once you've got the credentials from an EC2 instance you've exploited, you can continue to work from any other host with internet access (remember: EC2 instances are in many cases spawned for a specific task and then terminated).

IMPORTANT: This will extract information from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS the credentials won't be dumped.

Dump permissions
This tool will dump all permissions for the provided credentials. This tool is commonly used right after dump-credentials to know which permissions are available for you.
$ nimbostratus dump-permissions --access-key=... --secret-key=...
Starting dump-permissions
These credentials belong to low_privileged_user, not to the root account
Getting access keys for user low_privileged_user
User for key AKIAIV...J6KVA is low_privileged_user

LFI ExplOiter

LFI ExplOiter is an open source penetration testing tool that automates the process of detecting and exploiting Local FIle Inclusion.

Web-Spa

Web-Spa is a Java web knocking tool for sending a single HTTP/S request to your web server, in order to authorize the execution of a premeditated Operating System (O/S) command on it.

This is equivalent to port-knocking on the web layer, but with much more control: All O/S commands must be pre-defined and have a time-window of execution. Also, all users have to be registered and authorized to run any given action.

In running the standalone jar file (i.e.
webspa-{xx}.jar, you have to select one of the
following four (4) options:

-client : Run the client, generate requests
-help : Print this usage message
-server : Run the server
-version : 0.6

If no option is selected, the help message
detailing the above options will be displayed.

With each download of the standalone jar file
(i.e. webspa-{xx}.zip, see section above)
there is a rather basic shell script available,
named 'web-spa.sh'.

This script performs a `which java` and sets
the initial and maximum Java heap size.

This script needs to be chmod-ed to have execute
permissions. If you have followed the
instructions above and placed web-spa in /opt
issue the following:

bash-3.00# chmod 744 /opt/web-spa-0.6/web-spa.sh

You can test the web-spa script, by issuing:
bash-3.00# ./web-spa.sh -version
0.6
bash-3.00#

You will be required to have a java 1.6 JRE or
JDK installed. For more information see the
INSTALL file.

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Ip phone Scanning Made Easy (ISME)

Ip phone Scanning Made Easy (ISME) scans a VOIP environment, adapts to enterprise VOIP, and exploits the possibilities of being connected directly to an IP Phone VLAN. It seeks to get the phone's configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded Web server and Web server banner, identify the editor by MAC address, and identify potential default login/password combinations which should be changed.

The following libraries are needed:
· LWP::UserAgent; # http://search.cpan.org/~gaas/libwww-perl-
6.03/lib/LWP/UserAgent.pm
· HTML::Parser; # http://search.cpan.org/dist/HTML-Parser/Parser.pm
· Net::Ping; # http://search.cpan.org/~smpeters/Net-Ping-2.36/lib/Net/Ping.pm
· Net::Netmask; # http://search.cpan.org/dist/Net-Netmask/
· Net::Subnets;
· Net::TFTP; # http://search.cpan.org/~gbarr/Net-TFTP-0.16/TFTP.pm
· Net::DHCP::Packet; # http://search.cpan.org/~djzort/Net-DHCP-
0.69/lib/Net/DHCP/Packet.pm
· Net::DHCP::Constants; # http://search.cpan.org/~djzort/Net-DHCP-
0.69/lib/Net/DHCP/Constants.pm
· Net::Libdnet::Arp;
· Crypt::SSLeay; #http://search.cpan.org/~nanis/Crypt-SSLeay/SSLeay.pm
· LWP::Protocol::https ; #http://search.cpan.org/~gaas/LWP-Protocol-https-
6.02/lib/LWP/Protocol/https.pm
· Mozilla ::CA;#s http://search.cpan.org/~abh/Mozilla-CA-
20111025/lib/Mozilla/CA.pm
· HTTP::Request::Common; # http://search.cpan.org/~gaas/HTTP-Message-
6.02/lib/HTTP/Request/Common.pm
· Net::Subnets
· Tk; #http://search.cpan.org/~ni-s/Tk-804.027/pod/UserGuide.pod
· Net::RawIP; #http://search.cpan.org/~saper/Net-RawIP-0.25/lib/Net/RawIP.pm
· Net::SSH
· SIP/Digest
Take care, even if libraries are not explicitly declared in the script, there are needed
nonetheless.
Java must be installed on the computer if you intend to use Fuzzing SIP – Protos.

MorxCrack

MorxCrack is a cracking tool written in Perl to perform a dictionary-based attack on various hashing algorithm and CMS salted-passwords.

As of version 1.2 MorXCrack supports the following algorithms:
MD5
MD5 (Twice)
MD5 (PasswordSalt)
MD5 (SaltPassword)
SHA1
SHA1 (Twice)
SHA1 (PasswordSalt)
SHA1 (SaltPassword)
SHA2 (256 Bits)
SHA2 (512 Bits)
MySQL (4.1+)
Crypt UNIX (Shadow)

And the following CMS:
Joomla
Wordpress (PHPass)
vBulletin
InvisionPowerBoard

Author:
Simo Ben youssef

Requirements:
Tested on Perl 5 (Might work on older versions).

Required modules:
Digest::MD5
Digest::SHA

Install if missing:
perl -MCPAN -e ‘install Digest::SHA’
perl -MCPAN -e ‘install Digest::MD5?

Usage:
Usage for non-salted passwords:
perl morxcrack.pl <’hash’>
perl morxploit md5 ’83583d2b5ea4078b9b83f82254e5d564? wordlist.txt

Usage for salted passwords:
perl morxcrack.pl <’hash’>
perl morxploit.pl joomla ‘a87248e5fc69972804f5bb93c873ee9d’ wordlist.txt 9W11uZafPxbe9xpL

Example:
Test on a Pentium(R) Dual-Core CPU T4500 @ 2.30GHz * 2 processor using md5 and a 3917096 wordlist (43.4 MB):

perl morxcrack.pl md5 ’83583d2b5ea4078b9b83f82254e5d564? all.txt
[*] Hashed password set to 83583d2b5ea4078b9b83f82254e5d564
[*] Algorithm/CMS set to md5
[*] Wordlist set to all.txt
[+] Cracking …
############################################################
# [+] Your password is morxploit
# [+] found at line 3917096
# [+] Job took 16 seconds
############################################################

TODO:
Add support for more algorithms and CMS

ap-unlock

#!/usr/bin/env python
#
# ap-unlock-v1337.py - apache + php 5.* rem0te c0de execution exploit
#
# NOTE:
#   - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE Sad((
#   - for connect back shell start netcat/nc and bind port on given host:port
#   - is ip-range scanner not is multithreaded, but iz multithreaded iz in
#   random scanner and is scanner from file (greets to MustLive)
#   - more php paths can be added
#   - adjust this shit for windows b0xes
#
# 2013
# by noptrix - http://nullsecurity.net/

FS-NyarL

A network takeover & forensic analysis tool - useful to advanced PenTest tasks & for fun and profit - but use it at your own risk!

Features:
Interactive Console
Real Time Passwords Found
Real Time Hosts Enumeration
Tuned Injections & Client Side Attacks
ARP Poisoning & SSL Hijacking
Automated HTTP Report Generator

ATTACKS IMPLEMENTED:
MITM (Arp Poisoning)
Sniffing (With & Without Arp Poisoning)
SSL Hijacking (Full SSL/TLS Control)
HTTP Session Hijaking (Take & Use Session Cookies)
Client Browser Takeover (with Filter Injection in data stream)
Browser AutoPwn (with Filter Injection in data steam)
Evil Java Applet (with Filter Injection in data stream)
DNS Spoofing
Port Scanning

POST ATTACKS DATA OBTAINED:
Passwords extracted from data stream
Pcap file with whole data stream for deep analysis
Session flows extracted from data stream (Xplico & Chaosreader)
Files extracted from data stream
Hosts enumeration (IP,MAC,OS)
URLs extracted from data stream
Cookies extracted from data stream
Images extracted from data stream
List of HTTP files downloaded extracted from URLs

DEPENDENCIES (aka USED TOOLS):
Chaosreader (already in bin folder)
Xplico
Ettercap
Arpspoof
Arp-scan
Mitmproxy
Nmap
Tcpdump
Beef
SET
Metasploit
Dsniff
Macchanger
Hamster
Ferret
P0f
Foremost
SSLStrip
SSLSplit

FantaGhost, FGscanner

# FantaGhost URL Scanner 1.0
Advanced web directory scanner with proxy and TOR support

#### About
This is an opensource advanced web directory scanner to find hidden contents on a web server using dictionary-like attack. FantaGhost URL scanner support proxy and TOR.

All options explained here are also available from `fgdev.pl --help`)

Usage: ./fgscan.pl --host=hostname [--proxy=filepath] [--sec=n] [--dump] [--dirlist=filepath] [--wordlist=filepath] [--tor] [--tordns] [--debug] [--help]

--debug : Print debug information
--dirs : Specify the directory list file
--pages : Specify the wordlist file
--host : Specify hostname to scan (without http:// or https://)
--proxy : Specify a proxy list
--sec : Seconds between requests. Value 999 will randomize delay between requests from 1 to 30 seconds
--dump : Save found pages on disk
--tor : Use TOR as proxy for each request
--tordns : Use TOR to resolve hostname. Without this options DNS queries will be directed to default DNS server outside TOR network.
--help : What you're reading now

OWASP Bricks

Bricks is a deliberately vulnerable web application built on PHP and MySQL.
The project focuses on variations of commonly seen application security vulnerabilities and exploits.
Each 'brick' has some sort of vulnerability which can be exploited using tools (Mantra and ZAP).
The mission is to 'break the bricks' and thus learn the various aspects of web application security.

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?

Project Leader(s):
Abhi M Balakrishnan

Get UWAMP. There are three options:
Exe/Install: Around 20 MB and has an installer. It can be installed just like installing any other software.
Portable RAR: Around 30 MB, portable. No installation needed, just extract and run. 7-Zip is a good software for handling RAR files.
Portable ZIP: Around 55 MB, portable. No installation needed, just extract and run.

Download Bricks and extract it.
Copy the bricks folder into the UwAmp\www directory.
Run uWAMP.exe and Start running the server.
Create a new database for Bricks:
Click on the PHPMyAdmin button on the UWAMP interface, or go to http:///mysql/ on browser.
Any name can be used for database. For example: bricks. Fill up the name and click on Create button.
Click on the www Site button on the UWAMP interface, or go to http:///bricks/ on browser.
Bricks will redirect automatically to http:///bricks/config/.
Fill in the configuration details:
Database username: root
Database password: root in uWAMP. Keep it blank in the xase of XAMPP
Database name: bricks
Database host: localhost
Show executed commands: checked by default
Click on Submit button and a file, LocalSettings.php, will get downloaded. Place this file in the UwAmp\www directory.

Syndicate content