Damn Small SQLi Scanner (DSSS): A Fully Functional SQL Injection Vulnerability Scanner

Damn Small SQLi Scanner (DSSS): A Fully Functional SQL Injection Vulnerability Scanner 

As of optional settings it supports HTTP proxy together with HTTP header values User-Agent, Referer and Cookie.

Sample runs

$ python dsss.py -h
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
by: Miroslav Stampar (@stamparm)

Usage: 

dsss.py [options]

Options:

  --version          show program's version number and exit
  -h, --help         show this help message and exit
  -u URL, --url=URL  Target URL (e.g. "http://www.target.com/page.php?id=1")


--data=DATA        POST data (e.g. "query=test")
  --cookie=COOKIE    HTTP Cookie header value
  --user-agent=UA    HTTP User-Agent header value
  --referer=REFERER  HTTP Referer header value
  --proxy=PROXY      HTTP proxy address (e.g. "http://127.0.0.1:8080")
$ python dsss.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
 by: Miroslav Stampar (@stamparm)

* scanning GET parameter 'artist'
 (i) GET parameter 'artist' could be error SQLi vulnerable (MySQL)
 (i) GET parameter 'artist' appears to be blind SQLi vulnerable (e.g.: 'http://t
estphp.vulnweb.com/artists.php?artist=1%20AND%2061%3E60')

scan results: possible vulnerabilities found

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Download DSSS

NILI: A Tool For Network Scan, Man in the Middle, Protocol Reverse Engineering And Fuzzing

NILI: A Tool For Network Scan, Man in the Middle, Protocol Reverse Engineering And Fuzzing

Installing

Here is some Instructions for Installing Prerequisites, Select Proper Instructions for your Operating System.

Unix-like

1- Install Python3 and pip:

$ sudo apt-get install python3
$ sudo apt-get install python3-pip

2- Install Scapy:

$ cd /tmp
$ git clone https://github.com/phaethon/scapy

$ cd scapy
$ sudo python3 setup.py install

3- Install Netzob:

$ git clone https://dev.netzob.org/git/netzob
$ cd ./netzob/
$ sudo apt-get install python3 python3-dev python3-setuptools build-essential
$ python3 setup.py install
$ python3 -m pip install bintrees --upgrade

Windows

1- Install python3

2- Install Scapy:

2-1- Install Winpcap
2-2- Install Scapy3k

python -m pip install scapy-python3

3- Install Netzob

Download

SweetSecurity - Network Security Monitoring on Raspberry Pi Type Devices

SweetSecurity - Network Security Monitoring on Raspberry Pi Type Devices

Scripts to setup and install Bro IDS, Elasticsearch, Logstash, Kibana, and Critical Stack on any device.

Installation:

sudo python setup.py

Follow prompts to enter appropriate information for chosen installation type

Installation Types

• Full Install: This will install Bro IDS, Critical Stack (optional), Logstash, Elasticsearch, Kibana, Apache, and Sweet Security Client/Server. Choose this option ONLY if you have 2GB of memory or more.
• Sensor Only: This will install Bro IDS, Critical Stack (optional), Logstash, and Sweet Security Client
• Web Server Only: This will install Elasticsearch, Kibana, Apache, and Sweet Security Server

New Functionality:

• Modularized Installation - Choose to deploy all the tools on one device, or split among multiple for better performance.

1. Full Install - Deploy Bro IDS, Critical Stack, Elasticsearch, Logstash, Kibana, Apache, and Sweet Security
2. Sensor Install - Deploy Bro IDS, Critical Stack, Logstash, and Sweet Security
3. Web Admin Install - Deploy Elasticsearch, Kibana, and Apache

• ARP Spoofing - Full code to monitor all network traffic out of the box without network changes.
• Complete Bro Log Support - All Bro log files are now normalized by Logstash
• Kibana Content - Searches, Visualizations, and Dashboards are now included
• Architecture Support - Now supports installing on non ARM architectures
• Custom NMAP Pre-Fix - updated NMAP pre-fixes based on the IEEE OUI list
• Web Administration - apache/flask based web administration to manage known devices and system health

Prerequisites

Most of the dependencies will be installed during installation. However you will need to make sure these are followed before trying to install the code.

Supported Operating Systems

• Raspbian Jessie
• Debian Jessie
• Ubuntu 16.04

Supported Hardware

• RaspberryPi 3
• x86
• x86_64

System Requirements

• ARM, x86, or x86_64 CPU
• 2GB RAM
• 8GB Disk Storage
• 100 MB NIC (Recommended 1GB) Note: 2GB of storage is required while the Raspberry Pi 3 only has 1GB. The code can be split to run on two devices, such as two Raspberry Pi's or a Raspberry Pi and AWS.

Fixes:

• Optimized Logstash Config
• Updated Bro IDS to 2.5.1
• Updated Logstash to version 5.5.1
• Updated Elasticsearch to version 5.5.1
• Update kibana to version 5.5.1

Download SweetSecurity

DMitry A Deepmagic Information Gathering Tool

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux Command Line Application coded in C language.

DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more. The information are gathered with following methods:

• Perform an Internet Number whois lookup.
• Retrieve possible uptime data, system and server data.
• Perform a SubDomain search on a target host.
• Perform an E-Mail address search on a target host.
• Perform a TCP Portscan on the host target.
• A Modular program allowing user specified modules

Download and installation

DMitry can be downloaded by issuing following commands:

$ cd /data/src/
$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz


For installation, issue following commands:

$ tar xzvf DMitry-1.3a.tar.gz
$ cd DMitry-1.3a/
$ ./configure
$ make
$ sudo make install

Then optionally create a symbolic link to your /pentest/ directory:

$ mkdir -p /pentest/enumeration/dmitry/
$ ln -s /usr/local/bin/dmitry /pentest/enumeration/dmitry/dmitry

Use

help
DMitry help can be displayed by issuing:

$ dmitry --help

Download 

BARF: Binary Analysis And Reverse Engineering Framework

A Multi-platform open source Binary Analysis and Reverse engineering Framework.

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering.

Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities.

BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and inter operation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated.

The BARF project includes BARF and related tools and packages. So far the project is composed of the following items:

BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
PyAsmJIT : A JIT for the Intel x86_64 and ARM architecture.

Tools built upon BARF:

BARFgadgets : Lets you search, classify and verify ROP gadgets inside a binary program.

BARFcfg : Lets you recover the control-flow graph of the functions of a binary program.
BARFcg : Lets you recover the call graph of the functions of a binary program.

BARF

BARF is a Python package for binary analysis and reverse engineering. It can:

Load binary programs in different formats (ELF, PE, etc),
It supports the Intel x86 architecture for 32 and 64 bits,
It supports the ARM architecture for 32 bits,
It operates on an intermediate language (REIL) thus all analysis algorithm are architecture-agnostic,
It has integration with Z3 and CVC4 SMT solvers which means that you can express fragments of code as formulae and check restrictions on them.
It is currently under development.

Installation

 

BARF depends on the following SMT solvers:

Z3 : A high-performance theorem prover being developed at Microsoft Research.
CVC4 : An efficient open-source automatic theorem prover for satisfiability modulo theories (SMT) problems.

The following command installs BARF on your system:

$ sudo python setup.py install

You can also install it locally:

$ sudo python setup.py install --user

Notes

Only one SMT solver is needed in order to work. You may choose between Z3 and CVC4 or install both. You can use the barf-install-solver.sh script which downloads and install both solver.
To run some tests you need to install PyAsmJIT first.

Download

 

Damn Vulnerable Web Sockets (DVWS): Vulnerable Web Application Which Works On Web Sockets

Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. 

The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.

Requirements

In the hosts file of your attacker machine create an entry for dvws.local to point at the IP address hosting the DVWS application.

Location of hosts file:

Windows: C:\windows\System32\drivers\etc\hosts
Linux: /etc/hosts

 

 

Sample entry for hosts file:

192.168.100.199         dvws.local

The application requires the following:

Apache + PHP + MySQL

PHP with MySQLi support

Ratchet

ReactPHP-MySQL

Setting up DVWS

Set the MySQL hostname, username, password and an existing database name in the includes/connect-db.php file then go to Setup to finish setting up DVWS.

Running DVWS

On the host running this application, run the following command from DVWS directory: php ws-socket.php

 

 

Important Note

DVWS has been developed with limited knowledge of Web Sockets. Feel free to contribute and enhance this project.

Download DVWS 

MongoDB-HoneyProxy: A Honeypot Proxy For MongoDB Server

MongoDB-HoneyProxy: A Honeypot Proxy For MongoDB Server

When run, this will proxy and log all traffic to a dummy mongodb server. MongoDB-HoneyProxy was created in response to the 'MongoDB Apocolypse'

Pre-requisites:

• sudo apt-get install nodejs npm gcc g++
• You'll also need to install MongoDB for this to function, as this project works as a logging proxy.

Cyber Criminals Attacking On Web Databases And Asking To Pay For Ransom

Setup

• Create a MongoDB database. Some good dummy data can be found here. Another good tool is JSON Generator, which generates fake json that can then be converted to bson.
• Then, install the project

git clone https://github.com/Plazmaz/MongoDB-HoneyProxy.git

cd MongoDB-HoneyProxy
sudo npm install

To run the project, simply use node index.js

Download

Vulners: Software Vulnerability Scanner Plugin For Burp Suite Professional

Vulners scanner Plugin Released  For Automatic Vulnerability Detection In Passive Scan mode

vulnersCom/burp-vulners-scanner Vulnerability scanner based on vulners.com search API

Burp Suite scanner plugin based on Vulners.com vulnerability database API

• Search fingerprints in http response (inspired by plugin "Software Version Reporter") and check found version in vulners.com vulnerability database
• [Experemental] Check unique URLs in vulners.com finding exploits for such pathsIf Vulners Plugin detects vulnerable software it will show you CVE, advisoroies and even applicable exploits!
  
  
   

  Requirements

  • Burp Suite - Professional Edition
  • Java 1.7
  • Maven

   

  Installation

  • Clone repository
  • From command line run
  • mvn package
  • find burp-vulners-scanner.jar in /target folder
  • open Burp Suite -> Extender -> Add -> path to plugin.jar

  
  

  Build

  Ready to install build burp-vulners-scanner.jar
  
  Software Vulnerability scanner plugin for Burp Suite Professional
  Main functionality:
  

  • Detect vulnerable software by discovered fingerprints in HTTP responses
  • Check unique urls finding exploits with such paths

  Download Burp Suite Plugin

   

How Cyber Attackers Hack Your Wi-Fi Through Evil Twin Method

How Cyber Attackers Hack Your Wi-Fi Through Evil Twin Method

Evil Twin is a kind of Wi-Fi attack which is almost similar to Website spoofing and E-mail phishing attacks. 

Cyber Attackers can get all information without a user knowledge. Evil Twin looks like a Hotspot but with a strong signal.

How an Evil Twin Attack works:

The attacker snoops on Internet traffic using a Fake wireless access point. Unaware web users may be invited to log into the attacker's server, prompting them to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until the incident has occurred.

A hacker configures its service identifier (SSID) to be same as an access point at the local hotspot or corporate wireless network. The hacker disrupts or disables the legitimate AP by disconnecting it, directing a denial of service against it, or creating RF interference around it. Users lose their connections to the legitimate AP and re-connect to the "evil twin," allowing the hacker to intercept all the traffic to that device.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction. In this case, the attacker would also be able to connect to other networks.

Fake access points are set up by configuring a wireless card to act as an access point (known as HostAP). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.

Video Tutorial:

Video source: Chris Haralson

How To Protect?

Use EvilAP_Defender It is an application that helps a wireless network administrator to discover and prevent Evil Access Points (AP) from attacking wireless users.

The application can be run in regular intervals to protect your wireless network from Evil Twin like attacks. By configuring the tool, you can get notifications sent to your email whenever an evil access point is discovered.

The tool is able to discover Evil APs using one of the following characteristics:

• Evil AP with a different BSSID address
• Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
• Evil AP with the same BSSID and attributes as the legitimate AP but different tagged parameter - mainly different OUI (tagged parameters are additional values sent along with the beacon frame. Currently no software based AP gives the ability to change these values. Generally, software based APs are so poor in this area).

Whenever an Evil AP is discovered the tool will alert the admin through email (SMS will be supported soon). Additionally, the tool will enter into the preventive mode in which the tool will DoS, the users of the legitimate wireless network from connecting to the discovered Evil AP. The tool can be configured easily by starting in what we call “Learning Mode”. In this mode, you can whitelist your legitimate network.

• Do not use Public Wi-Fi
• Always connect to the Internet through a Private VPN.

How To Port Windows Dynamic Link Libraries to Linux

Porting Windows Dynamic Link Libraries to Linux.

Tavis Ormandy, who is the vulnerability researcher at Google have developed loadlibrary tool.

Introduction

This repository contains a library that allows native Linux programs to load and call functions from a Windows DLL.

As a demonstration, Ormandy ported Windows Defender to Linux.

$ ./mpclient eicar.com
main(): Scanning eicar.com...
EngineScanCallback(): Scanning input
EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified.

How does it work?

The peloader directory contains a custom PE/COFF loader derived from ndiswrapper. The library will process the relocations and imports, then provide a dlopen-like API. The code supports debugging with gdb (including symbols), basic block coverage collection, and runtime hooking and patching.

What works?

The intention is to allow scalable and efficient fuzzing of self-contained Windows libraries on Linux. Good candidates might be video codecs, decompression libraries, virus scanners, image decoders, and so on.

• C++ exception dispatch and unwinding.
• Loading additional symbols from IDA.
• Debugging with gdb (including symbols), breakpoints, stack traces, etc.
• Runtime hooking and patching.
• Support for ASAN and Valgrind to detect subtle memory corruption bugs.

If you need to add support for any external imports, writing stubs is usually quick and easy.

Why?

Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data.

This is less of a problem on Linux, and Ormandy found that porting components of Windows Antivirus products to Linux is often possible. This allows to run the code testing in minimal containers with very little overhead, and easily scale up testing.

Windows Defender

MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2016, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine.

The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers, full system emulators for various architectures and interpreters for various languages. All of this code is accessible to remote attackers.

Building

To build the test client, simply type make.

$ make

Dependencies

Fedora / RedHat         Ubuntu / Debian               Comment
glibc-devel.i686          libc6-dev:i386
libgcc.i686                    gcc-multilib
readline-devel.i686  libreadline-dev:i386 Optional, used in mpscript.
cabextract                    cabextract                 Used to extract definitions.

You will need to download the 32-bit antimalware update file from this page:
https://www.microsoft.com/security/portal/definitions/adl.aspx#manual

This should be a direct link to the right file:
http://go.microsoft.com/fwlink/?LinkID=121721&arch=x86

This will download a file called mpam-fe.exe, which is a cabinet file that can be extracted with cabextract. Extract the files into the engine directory:

$ cabextract mpam-fe.exe
Extracting cabinet: mpam-fe.exe
  extracting MPSigStub.exe
  extracting mpavdlta.vdm
  extracting mpasdlta.vdm
  extracting mpavbase.vdm
  extracting mpasbase.vdm
  extracting mpengine.dll

All done, no errors.

If you want to know which version you got, try this:

$ exiftool mpengine.dll | grep 'Product Version Number'
Product Version Number          : 1.1.13701.0

Running

The main mpengine loader is called mpclient, it accepts filenames to scan as a parameter.

$ ./mpclient netsky.exe
main(): Scanning netsky.exe...
EngineScanCallback(): Scanning input
EngineScanCallback(): Threat Worm:Win32/Netsky.P@mm identified.

There are some other sample tools, mpstreamfuzz and mpscript.

Debugging

If you want to debug a crash, single step through a routine or set breakpoints, follow these examples. First, you need a map file from IDA.

Microsoft doesn't release public symbols for every build, and sometimes the symbols lag behind for a few months after release. Make sure you're using an mpengine version with public symbols available.

Use the following sample commandline to generate map and idb files.

> idaw -A -P+ -S"createmap.idc mpengine.map" mpengine.dll


If you generate the map files on Windows, you'll get CRLF line terminators, fix them like this:

$ dos2unix mpengine.map

When you run mpclient under gdb, it will detect a debugger and print the commands you need to enter to teach gdb about the symbols:

$ gdb -q ./mpclient
(gdb) r testfile.txt
Starting program: mpclient
main(): GDB: add-symbol-file engine/mpengine.dll 0xf6af4008+0x1000
main(): GDB: shell bash genmapsym.sh 0xf6af4008+0x1000 symbols_19009.o < mpengine.map
main(): GDB: add-symbol-file symbols_19009.o 0

Program received signal SIGTRAP, Trace/breakpoint trap.
0x0804d213 in main (argc=1, argv=0xffffcc64, envp=0xffffcc6c) at mpclient.c:156
156         __debugbreak();
(gdb)

If you enter the commands it shows into gdb, you will have symbols available.

(gdb) add-symbol-file engine/mpengine.dll 0xf6af4008+0x1000
add symbol table from file "engine/mpengine.dll" at
.text_addr = 0xf6af5008
Reading symbols from engine/mpengine.dll...done.
(gdb) shell bash genmapsym.sh 0xf6af4008+0x1000 symbols_19009.o < mpengine.map
(gdb) add-symbol-file symbols_19009.o 0
add symbol table from file "symbols_19009.o" at
.text_addr = 0x0
Reading symbols from symbols_19009.o...done.
(gdb) p as3_parsemetadata_swf_vars_t
$1 = {void (void)} 0xf6feb842 <as3_parsemetadata_swf_vars_t>

Then you can continue, and it will run as normal.

(gdb) c

Breakpoints, watchpoints and backtraces all work as normal, although it may be more reliable to use hardware breakpoints than software breakpoints.

To use hardware breakpoints in gdb, you just use hb or hbreak instead of break. Note that you only get a limited number of hardware breakpoints.

(gdb) b as3_parsemethodinfo_swf_vars_t
Breakpoint 1 at 0xf6feb8da
(gdb) c
Continuing.
main(): Scanning test/input.swf...
EngineScanCallback(): Scanning input
Breakpoint 1, 0xf6feb8da in as3_parsemethodinfo_swf_vars_t ()
(gdb) bt
#0  0xf6feb8da in as3_parsemethodinfo_swf_vars_t ()
#1  0xf6dbad7f in SwfScanFunc ()
#2  0xf6d73ec3 in UfsScannerWrapper__ScanFile_scanresult_t ()
#3  0xf6d6c9e3 in UfsClientRequest__fscan_SCAN_REPLY ()
#4  0xf6d6a818 in UfsNode__ScanLoopHelper_wchar_t ()
#5  0xf6d6a626 in UfsNode__Analyze_UfsAnalyzeSetup ()
#6  0xf6d71f7f in UfsClientRequest__AnalyzeLeaf_wchar_t ()
#7  0xf6d71bb9 in UfsClientRequest__AnalyzePath_wchar_t ()
#8  0xf6dbbd88 in std___String_alloc_std___String_base_types_char_std__allocator_char______Myptr_void_ ()
#9  0xf6d75e72 in UfsCmdBase__ExecuteCmd__lambda_c80a88e180c1f4524a759d69aa15f87e____lambda_c80a88e180c1f4524a759d69aa15f87e__ ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/3i $pc
=> 0xf6feb8da <as3_parsemethodinfo_swf_vars_t+7>: lea    ebx,[edx+0x1c]
   0xf6feb8dd <as3_parsemethodinfo_swf_vars_t+10>: push   esi
   0xf6feb8de <as3_parsemethodinfo_swf_vars_t+11>: mov    edx,ebx

What about Wine and Winelib?

This project does not replace Wine or Winelib.

Winelib is used to port Windows C++ projects to Linux, and Wine is intended to run full Windows applications. This project is intended to allow native Linux code to load simple Windows DLLs.

The closest analogy would be ndiswrapper but for userspace.

Download