Web

Anything related to websites

Routerpwn

== ROUTERPWN.com ==
Routerpwn.com is a web application that helps you in the exploitation of vulnerabilities in residential routers.

It is a compilation of ready to run local and remote web exploits.
Programmed in Javascript and HTML in order to run in all "smart phones" and mobile internet devices.
It is only one page, so you can store it offline for local exploitation without internet connection.

== Exploits ==
# 154 Total (11 Modules) 08/09/2012 #

Sagem Fast Telnet Root Password Generator
A1/Telekom PRG EAV4202N Default WPA Key Generator
Discus DRG A225 WiFi router Default WPA2-PSK Key Generator
Thomson BBox BBKeys TG787 Default Wireless Key Generator
EasyBox Standard WPA2 Key Generator
ZynOS (Huawei) Configuration Decompressor
Thomson SpeedTouch STKeys Default Wireless Key Generator
Huawei HG5XX Mac2wepkey Default Wireless Key Generator
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
Arris Password of The Day Generator

20x 27x authentication bypass (xss + info disclosure)
17x 18x 20x 27x CRLF denial of service remote MDC
17x 18x 20x 27x CRLF denial of service
17x 18x 20x 27x password_required.html authentication bypass
17x 18x 20x 27x CD35_SETUP_01 authentication bypass
17x 18x 20x 27x CD35_SETUP_01 password reset
17x 18x 20x 27x DSL denial of service
17x 18x 20x 27x mgmt_data configuration disclosure
17x 18x 20x 27x H04 authentication bypass
17x 18x 20x 27x 38x Add domain to hosts table CSRF
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
iMC Intelligent Management Center configuration disclosure
iMC Intelligent Management Center traversal
OfficeConnect command execution
AP 8760 auhentication bypass
OfficeConnect configuration disclosure
OfficeConnect 3CRWE454G72 configuration disclosure
3cradsl72 configuration disclosure
3cradsl72 information disclosure & authenication bypass
812 denial of service
812 denial of service 2

Vicnum (Hacking Game)

This is the vicnum project ("vicnum")

This project was registered on SourceForge.net on Jan 27, 2009, and is described by the project team as follows:

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag' . Play the game at http://vicnum.ciphertechs.com

Vicnum (1.5) is an OWASP project consisting of multiple vulnerable web applications based on games commonly used to kill time. These applications demonstrate common web security problems such as cross site scripting, sql injections, and session management issues. The goal of this project is to strengthen security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it's OK to have a little fun. There are currrently three applications (or challenges) in this version of Vicnum. Guessnum, a game to guess a number the computer has picked. Jotto, a game to guess a word the computer has picked. And the Union Challenge which is new to version 1.5 Besides untarring the tar into the right folder and some Apache webserver tweaking, three MySQL tables will need to be created.

Grabber

Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website.
Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.

Contact
-------
author: Romain Gaucher
website: http://rgaucher.info/beta/grabber
email: r@rgaucher.info

Current features
Because it's a small tool, the set of vulnerabilities is small...
- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Backup files check
- Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
- Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
- JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
- Generation of a file [session_id, time(t)] for next stats analysis.

How do I use Grabber ?

You have a main script grabber.py which execute the modules (xss.py, sql.py, etc.).
Download Grabber
Download Grabber
The executable version produced by py2exe
Source code
Installation
For using Grabber you only need Python 2.4, BeautifulSoup and PyXML. You can download the packages on the websites given above.
Configuration
You can configure the run with a configuration file like this:

http://127.0.0.1/bank
1

Then launch the grabber.py script.
Or you can use the command line parameters:
$ python grabber.py --spider 1 --sql --xss --url http://127.0.0.1/bank

The two configuration are equivalents.
What you need to know ?

WATOBO

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. We (watobo team) are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.
WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only.

„Ok, how does it work?“
WATOBO works like a local proxy, similar to Webscarab, Paros or BurpSuite.
Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.
Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

„So why should I use WATOBO instead of other web application auditing tools?“
The most important advantages are:
WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
WATOB can act as an transparent proxy
WATOBO has anti-CSRF features
WATOBO can perform vulnerability checks out of the box.
WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
WATOBO is written in (FX)Ruby and enables you to define your own checks
WATOBO is free software ( licensed under the GNU General Public License Version 2)
It’s by siberas Wink

Supported operating systems

SearchDiggity

SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project. It is Stach & Liu’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.

squeeza

1. Name
Squeeza - SQL Injection without the pain of syringes

2. Authors
Marco Slaviero < marco(at)sensepost(dot)com >
Haroon Meer

3. License, version & release date
License : GPLv2
Version : v0.22
Release Date : 2008/08/24

4. Description
squeeza is a tool helps exploits SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (dns, timing, http error messages)

Currently, it supports the following databases:

Microsoft SQL Server
MySQL (only when multi-queries are enable, which is not too common)
squeeza is not a tool for finding injection points. That recipe generally starts with 1 x analyst. #

5. Usage

5.1 Installation is easy. Untar the archive into an appropriate spot. > $tar xvzf squeeza-0.21.tar.gz
Thereafter, edit the configuration file. By default, this is called 'squeeza.config' and resides in the same directory as the rest of the scripts.
Off the bat, you'll want to edit at least the following configuration items:

host
url
querystring
method
sql_prefix
sql_postfix
dns_domain
The default mode is command mode, and the default channel is dns. ##

5.2 Data Flow Model As already mentioned, squeeza splits the creation of data at the server away from the extraction of that data off the server (within certain constraints). Data is created by a /mode/, and extracted via a /channel/. By doing so, it is possible to mix 'n match modes with channels, which we think is pretty nifty/flexible.

Currently supported modes:
command mode : supports commands execution on the database server
copy mode : supports copying of files from the database server to the local machine
sql mode : supports the execution of arbitrary sql queries

Currently supported channels:

Oyedata

Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. Gursev Singh Kalra wrote Oyedata from a penetration testing perspective and its the major features are summarized below:

Intuitive GUI based tool written in C#.
Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
Support for XML and JSON data formats.
Ability to export attack templates in JSON and XML formats that can be fed to custom Fuzzing code.
Ability to engage the OData services for manual testing.
Data generator for EDMSimpleType test data generation.
Ability to generate “Read URIs” for Entities, Entity Properties and Entity Property Values.
Ability to generate attack templates for Creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc…
Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
Web proxy, HTTP and HTTPS support and Error logging.

The files are:
Oyedata User Guide Oyedata for OData Assessments.pdf - Oyedata user guide.
setup.exe and OyedataSetup.msi - Oyedata setup files.

System Requirements:
Microsoft .Net 4.0

AWS Scout

Scout is a security tool that lets Amazon Web Servers (AWS) administrators asses their environments security posture. Using the AWS API, Scout gathers configuration data for manual inspection or highlights high-risk areas automatically. Rather than pouring through dozens of pages on the web, Scout supplies a clear view of the attack surface automatically.

Running:
Scout is packaged as an executable jar. To run it, type

$ java -jar scout-0.9.5-standalone.jar

This will print a short message describing the commands Scout supports.

Usage:
java -jar scout-0.9.5-standalone.jar ACTION [OPTIONS]

The action argument will be explained in detail for each action below. The -c arguments specifies the credentials the tool will use to make requests to the AWS API.

Actions:
list-instances
Output a list of every instance in your EC2 account, grouped by security group, along with selected attributes of the instance.

list-groups
Output a list of every security group, broken down permission by permission.

audit-groups
Output a list of notable or dangerous security group permissions. Permissions are rated as critical, warning, or info depending on the service exposed and how much of the internet the service is exposed to (a /8 is more "critical" than a /24). For more information regarding this rating algorithm, consult the wiki.

compare-groups
Output the difference between what is configured in EC2 and the supplied ruleset file. Permissions marked "+" are configured in EC2 but missing from the ruleset, while permissions marked "-" are missing from EC2 but defined in the ruleset.

compare-groups requires that you specify a ruleset file for it to compare against. Here's an example ruleset:

(ruleset
(group :websrv
(permission :tcp [80] "0.0.0.0/0")
(permission :tcp [443] "0.0.0.0/0")
(permission :tcp [22] "134.82.0.0/16"))
(group :appsrv
(permission :tcp [8080 8083] :websrv)

SSLNuke

The purpose of sslnuke is to write a tool geared towards decrypting and intercepting "secured" IRC traffic. There are plenty of existing tools that intercept SSL traffic already, but most of these are geared towards HTTP traffic. sslnuke targets IRC directly in order to demonstrate how easy it is to intercept "secured" communications. sslnuke usage is simple.

Usage:

First, add a user account for sslnuke to run as and add iptables rules to redirect traffic to it:

# useradd -s /bin/bash -m sslnuke
# grep sslnuke /etc/passwd
sslnuke:x:1000:1000::/home/sslnuke:/bin/bash
# iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1000 -m tcp \
--dport 6697 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 4444

Finally, login as sslnuke, build, and run sslnuke:

# su -l sslnuke
# cd sslnuke
# make
# ./sslnuke

Run an IRC client and login to your favorite IRC network using SSL, IRC messages will be printed to stdout on sslnuke.

[*] Received connection from: 192.168.0.5:58007
[*] Opening connection to: 1.1.1.1:6697
[*] Connection Using SSL!
[*] irc.com -> AUTH (1.1.1.1): *** Looking up your hostname...
[*] irc.com -> AUTH (1.1.1.1): *** Found your hostname
[*] irc.com -> victim (1.1.1.1): *** You are connected to irc.com with TLSv1.2-AES256-GCM-SHA384-256bits
[*] 192.168.0.5 -> nickserv (192.168.0.5): id hello
[*] NickServ!services@irc.com -> victim (1.1.1.1): Password accepted - you are now recognized.

sslnuke will automatically detect a client using SSL and determine whether or not to use SSL. The code could also be easily modified to show web site passwords or FTP data, anything using SSL. To attack users on a network, sslnuke can be used in conjunction with an ARP poisoning tool, such as the one found at Blackhat Library or it can be deployed on a gateway.
Mitigation

GScrape

GScrape is a small perl script that uses Google's Ajax API (Google::Search) to find vulnerable websites.

GScrape is a simple tool, it will look for a file specified by the user containing a list of search terms, query google with those search terms and retrieve an array of websites, which are then tested for Local File Inclusion and SQL injection vulnerabilities, if any are found they are logged to the output file specified by the user.

Example:
perl gscrape.pl -f dork.lst -o gscrape.log

Note:
GScrape will not return any results unless your input file actually contains a list of search terms.

Syndicate content