Argus v3.0.6 - Real Time Auditing Network Activity

Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.

Argus is composed of an advanced comprehensive network flow data generator, the Argus sensor, which processes packets (either capture files or live packet data) and generates detailed network flow status reports of all the flows in the packet stream. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc…), protocol ids, SAP’s, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc.

Argus is used by many sites to generate network activity reports for every network transaction on their networks. The network audit data that Argus generates is great for security, operations and performance management. The data is used for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting covert channels, and analyzing Zero day events.

Argus is an Open Source project, currently running on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt, and has been ported to many hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with littleor no modifications. Performance is such that auditing an entire enterprise’s Internet activity can be accomplished using modest computing resources.

Download Argus v3.0.6

Read more

MagicTree - Penetration Tester Productivity Tool

Have you ever spent ages trying to find the results of a particular portscan you were sure you did? Or grepping through a bunch of files looking for data for a particular host or service? Or copy-pasting bits of output from a bunch of typescripts into a report? We certainly did, and that's why we wrote MagicTree - so that it does such mind-numbing stuff for us, while we spend our time hacking.

MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, "Tree" is because all the data is stored in a tree structure, and "Magic" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting.

Installation
No installation is required for MagicTree. The application is distrubuted as a single JAR file which has to be executed with JRE. Just save the file on your desktop. Double-click on it to execute it or, for less user-friendly OSes, issue “java -jar MagicTree.jar’ command.

Download MagicTree

Read more

YaCy - The Peer to Peer Search Engine

YaCy is a free search engine that anyone can use to build a search portal for their intranet or to help search the public internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world and can index billions of web pages. It is fully decentralized, all users of the search engine network are equal, the network does not store user search requests and it is not possible for anyone to censor the content of the shared index. We want to achieve freedom of information through a free, distributed web search which is powered by the world's users.

Decentralization
Imagine if, rather than relying on the proprietary software of a large professional search engine operator, your search engine was run by many private computers which aren't under the control of any one company or individual. Well, that's what YaCy does! The resulting decentralized web search currently has about 1.4 billion documents in its index (and growing - download and install YaCy to help out!) and more than 600 peer operators contribute each month. About 130,000 search queries are performed with this network each day.
Live image of the 'freeworld' network

Installation is easy!

The installation takes only three minutes. Just download the release, decompress the package and run the start script. On linux you need OpenJDK7. You don't need to install external databases or a web server, everything is already included in YaCy.

Download YaCy

Read more

Moscrack - Cluster Cracking Tool For WPA Keys

Moscrack is a PERL application designed to facilitate cracking WPA keys in parallel on a group of computers. This is accomplished by use of either Mosix clustering software, SSH or RSH access to a number of nodes. With Moscrack’s new plugin framework, hash cracking has become possible. SHA256/512, DES, MD5 and *Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin.

Features

• Basic API allows remote monitoring
• Automatic and dynamic configuration of nodes
• Live CD/USB enables boot and forget dynamic node configuration
• Uses aircrack-ng (including 1.2 Beta) by default
• CUDA/OpenCL support via Pyrit plugin
• CUDA support via aircrack-ng-cuda (untested)
• Does not require an agent/daemon on nodes
• Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
• Supports mixed OS/protocol configurations
• Supports SSH, RSH, Mosix for node connectivity
• Effectively handles mixed fast and slow nodes or links
• Supports Mosix clustering software
• Nodes can be added/removed/modified while Moscrack is running
• Failed/bad node throttling
• Hung node detection
• Reprocessing of data on error

Download Moscrack

Read more

oclHashcat v1.2 - GPGPU-based Multi-hash Cracker

oclHashcat is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite.

GPU Driver requirements:

• NV users require ForceWare 331.67 or later
• AMD users require Catalyst 14.4 or later

Changelog v1.21
This release is focused on performance increase / bugfixes.

• Added support for algorithm -m 2612 = PHPS
• Added support for algorithm -m 8600 = Lotus Notes/Domino 5
• Added support for algorithm -m 8700 = Lotus Notes/Domino 6
• Fixed performance drop on descrypt, LM and oracle-old initiated by AMD drivers
• Fixed problem with restoring ADL performance state when the clock size reported by the AMD driver didn’t respect the clock step size
• Fixed problem with setting ADL powertune value for r9 295×2 GPUs
• Added support for writing logfiles
• Added parameter –logfile-disable which should be self-explaining
• Dictstat is now no longer session dependent and will always be based on oclHashcat installation directory
• Use AMD custom profile settings instead of basing the AMD powertune/clock settings on maximum supported clock values
• Fixed VLIW size calculated by compute capability was broken for sm_50 -> cuModuleLoad() 301
• Make –runtime count relative to real attack start not program start
• Fixed bug with fan speed handling, if fan speed is manually set to a high enought value (e.g. 100%) oclHashcat shouldn’t change it
• Problem with username parsing (–username) was fixed
• Fixed problem where IKE-PSK sha1/md5 (-m 5300/-m 5400) were wrongly recognized as shadow file formats
• Fixed problem where the ‘delete range’ rule (xNM) did not allow to remove charaters at the very end of the word

Full Changelog: here

Features

• Worlds fastest password cracker
• Worlds first and only GPGPU based rule engine
• Free
• Multi-GPU (up to 128 gpus)
• Multi-Hash (up to 100 million hashes)
• Multi-OS (Linux & Windows native binaries)
• Multi-Platform (OpenCL & CUDA support)
• Multi-Algo (see below)
• Low resource utilization, you can still watch movies or play games while cracking
• Focuses highly iterated modern hashes
• Focuses dictionary based attacks
• Supports distributed cracking
• Supports pause / resume while cracking
• Supports sessions
• Supports restore
• Supports reading words from file
• Supports reading words from stdin
• Supports hex-salt
• Supports hex-charset
• Built-in benchmarking system
• Integrated thermal watchdog
• 100+ Algorithms implemented with performance in mind

Attack-Modes

• Straight (accept Rules)
• Combination
• Brute-force
• Hybrid dict + mask
• Hybrid mask + dict

Algorithms

• MD4
• MD5
• SHA1
• SHA-256
• SHA-512
• SHA-3 (Keccak)
• RipeMD160
• Whirlpool
• GOST R 34.11-94
• HMAC-MD5 (key = $pass)
• HMAC-MD5 (key = $salt)
• HMAC-SHA1 (key = $pass)
• HMAC-SHA1 (key = $salt)
• HMAC-SHA256 (key = $pass)
• HMAC-SHA256 (key = $salt)
• HMAC-SHA512 (key = $pass)
• HMAC-SHA512 (key = $salt)
• LM
• NTLM
• DCC
• DCC2
• NetNTLMv1
• NetNTLMv1 + ESS
• NetNTLMv2
• Kerberos 5 AS-REQ Pre-Auth etype 23
• AIX {smd5}
• AIX {ssha1}
• AIX {ssha256}
• AIX {ssha512}
• FreeBSD MD5
• OpenBSD Blowfish
• descrypt
• md5crypt
• bcrypt
• sha256crypt
• sha512crypt
• DES(Unix)
• MD5(Unix)
• SHA256(Unix)
• SHA512(Unix)
• OSX v10.4
• OSX v10.5
• OSX v10.6
• OSX v10.7
• OSX v10.8
• OSX v10.9
• Cisco-ASA
• Cisco-IOS
• Cisco-PIX
• GRUB 2
• Juniper Netscreen/SSG (ScreenOS)
• RACF
• Samsung Android Password/PIN
• MSSQL
• MySQL
• Oracle
• Postgres
• Sybase
• DNSSEC (NSEC3)
• IKE-PSK
• IPMI2 RAKP
• iSCSI CHAP
• WPA
• WPA2
• 1Password, cloudkeychain
• 1Password, agilekeychain
• Lastpass
• Password Safe SHA-256
• TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES
• TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES
• TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES
• TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + boot-mode
• TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume
• TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES + hidden-volume
• TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES + hidden-volume
• TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES + hidden-volume + boot-mode
• SAP CODVN B (BCODE)
• SAP CODVN F/G (PASSCODE)
• Citrix Netscaler
• Netscape LDAP SHA/SSHA
• Apache MD5-APR
• hMailServer
• EPiServer
• Drupal
• IPB
• Joomla
• MyBB
• osCommerce
• Redmine
• SMF
• vBulletin
• Woltlab Burning Board
• xt:Commerce
• WordPress
• phpBB3
• Half MD5 (left, mid, right)
• Double MD5
• Double SHA1
• md5($pass.$salt)
• md5($salt.$pass)
• md5(unicode($pass).$salt)
• md5($salt.unicode($pass))
• md5(sha1($pass))
• sha1($pass.$salt)
• sha1($salt.$pass)
• sha1(unicode($pass).$salt)
• sha1($salt.unicode($pass))
• sha1(md5($pass))
• sha256($pass.$salt)
• sha256($salt.$pass)
• sha256(unicode($pass).$salt)
• sha256($salt.unicode($pass))
• sha512($pass.$salt)
• sha512($salt.$pass)
• sha512(unicode($pass).$salt)
• sha512($salt.unicode($pass))

Download oclHashcat v1.21

Read more

Kali Linux 1.0.7 Released

Kernel 3.14, Tool Updates, Package Improvements

Kali linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our changelog for a full list of these items. As usual, you don’t need to re-download or re-install Kali to benefit from these updates – you can update to the latest and greatest using these simple commands:

apt-get update
apt-get dist-upgrade
# If you've just updated your kernel, then:
reboot

Kali Linux Encrypted USB Persistence
 One of the new sought out features introduced (which is also partially responsible for the kernel update) is the ability to create Kali Linux Live USB with LUKS Encrypted Persistence. This feature ushers in a new era of secure Kali Linux USB portability, allowing us to either boot to a “clean” Kali image or alternatively, overlay it with the contents of a persistent encrypted partition, all within the same USB drive.

Tool Developers Ahoy!
This release also marks the beginning of some co-ordinated efforts between Kali developers and tool developers to make sure their tools are represented correctly and are fully functional within Kali Linux. We would like to thank the metasploit, w3af, and wpscan dev teams for working with us to perfect their Kali packages and hope that more tool developers join in. Tool developers are welcome to send us an email to and we’ll be happy to work with you to better integrate your tool into Kali.

Kali Linux: Greater Than the Sum of its Parts
For quite some time now, we’ve been preaching that Kali Linux is more than a “Linux distribution with a collection of tools in it”. We invest a significant of time and resources developing and enabling features in the distribution which we think are useful for penetration testers and other security professionals. These features range from things like “live-build“, which allows our end users to easily customize their own Kali ISOs to features like Live USB persistence encryption, which provides paranoid users with an extra layer of security. Many of these features are unique to Kali and can be found nowhere else. We’ve started tallying these features and linking them from our Kali documentation page – check it out, it’s growing to be an impressive list!

Torrents, Virtual Machine & ARM images
In the next few days, Offensive Security will post Virtual Machine and custom ARM images for the 1.0.7 release. We will announce the availability of these images via our blogs and Twitter feeds, so stay tuned!.

Source

Read more

OWASP OWTF – Offensive (Web) Testing Framework

The purpose of this tool is to automate the manual, uncreative part of pen testing: For example, spending time trying to remember how to call "tool X", parsing results of "tool X" manually to feed "tool Y", etc.
By reducing this burden I hope pen testers will have more time to:

• See the big picture and think out of the box
• More efficiently find, verify and combine vulnerabilities
• Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
• Perform more tactical/targeted fuzzing on seemingly risky areas
• Demonstrate true impact despite the short timeframes we are typically given to test.

Some features like the passive and semi_passive test separation may also assist pen testers wishing to go the extra mile to get a head start and maybe even legitimately start report writing or preparing attacks before they are given the green light to test.
The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience. Please share your tests with the community! :)
This tool is however not a silverbullet and will only be as good as the person using it: Understanding and experience will be required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.

Features

• OWASP Testing Guide-oriented: owtf will try to classify the findings as closely as possible to the OWASP Testing Guide
• Report updated on the fly: As soon as each plugin finishes or sometimes before (i.e. after each vulnerability scanner finishes)
• "Scumbag spidering": Instead of implementing yet another spider (a hard job), owtf will scrub the output of all tools/plugins run to gather as many URLs as possible. This is somewhat "cheating" but tremendously effective since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
• Resilience: If one tool crashes owtf will move on to the next tool/test, saving the partial output of the tool until it crashed
• Easy to configure: config files are easy to read and modify
• Easy to run: No strange parameters, DB setup requirements, libraries, complex dependencies, etc
• Full control of what tests to run, interactivity and hopefully easy to follow examples and help :)
• Easy to review transaction logs and plain text files with URLs, simple for scripting
• Basic Google Hacking without (annoying) API Key requirements via "blanket searches", trying a bunch of operators at once, you can then narrow the search down if you find something interesting.
• Easy to extract data from the database to parse or pass to other tools: They are all text files

Requirements

• Linux (any Ubuntu derivative should work just fine) and python 2.6.5 or greater
• Latest Kali version not required but helpful (almost 0 setup time)
• You do NOT have to have all tools installed: owtf will move on with an error for the missing tools

Download OWASP OWTF

Read more

Parsero v0.75 - Attacking Robots.txt Files

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn't be indexed. For example, "Disallow: /portal/login" means that the content on www.example.com/portal/login it's not allowed to be indexed by crawlers like Google, Bing, Yahoo... This is the way the administrator have to not share sensitive or private information with the search engines.
But sometimes these paths typed in the Disallows entries are directly accessible by the users without using a search engine, just visiting the URL and the Path, and sometimes they are not available to be visited by anybody... Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

Also, the fact the administrator write a robots.txt, it doesn't mean that the files or directories typed in the Dissallow entries will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator authorization. Parsero will check the HTTP status code in the same way for each Bing result.

When you execute Parsero, you can see the HTTP status codes. For example, the codes bellow:

200 OK          The request has succeeded.
403 Forbidden   The server understood the request, but is refusing to fulfill it.
404 Not Found   The server hasn't found anything matching the Request-URI.
302 Found       The requested resource resides temporarily under a different URI.
...

Usage

$ python3 parsero.py -h

usage: parsero.py [-h] [-u URL] [-o] [-sb]

optional arguments:
-h, --help  show this help message and exit
-u URL      Type the URL which will be analyzed
-o          Show only the "HTTP 200" status code
-sb         Search in Bing indexed Disallows

Download Parsero v0.75

Read more

OWASP ZAP v2.3.1 - An easy to use integrated penetration testing tool for finding vulnerabilities in web applications

OWASP Zed Attack Proxy (ZAP) An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

Changelog v2.3.1

The following changes were made in this release:

• ZAP changes request data (while switching views) ( Issue 81 )
• Unfulfilled dependencies hang the active scan ( Issue 377 )
• Cant remove scripts marked as ‘load on start’ ( Issue 1073 )
• core.newSession doesn’t clear Sites ( Issue 1114 )
• Historical Request Tab Doesn’t allow formatting changes ( Issue 1155 )
• Proxy gzip decoder doesn’t update content length in response headers ( Issue 1156 )
• Unable to set a home directory with a space on the command line ( Issue 1163 )
• Redundant indexes in zapdb.script ( Issue 1166 )
• Add proxy support for “deflate” content encoding ( Issue 1168 )
• Spider Context/User pop up menus no longer shown ( Issue 1170 )
• Unable to select 2 requests in fuzz results (Ctrl + click) ( Issue 1179 )
• Vulnerable pages active scanned only once ( Issue 1181 )
• Alerts of same type for different parameters of same vulnerable page shown only once in “Alerts” tree ( Issue 1182 )
• NullPointerException while selecting a node in the “Alerts” tab after deleting a message ( Issue 1183 )
• Cmdline session params have no effect ( Issue 1191 )
• Scan URL path elements – turn off by default ( Issue 1193 )
• Command line arguments are not passed to extensions when starting ZAP in daemon mode ( Issue 1194 )
• AbstractPlugin.bingo incorrectly sets evidence to attack ( Issue 1196 )
• Issue with loading addons that did not initialize correctly ( Issue 1202 )
• WordPress Authentication Script ( Issue 1203 )
• ‘History’ tab is not cleared when a new session is created through the API with ZAP in GUI mode ( Issue 1206 )

Download OWASP ZAP v2.3.1

Read more

Inception - Attacking FireWire Devices

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It it primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

As of version 0.3.5, it is able to unlock the following x86 and x64 operating systems:

OS	Version	Unlock lock screen	Escalate privileges	Dump memory < 4 GiB
Windows 8	8.1	Yes	Yes	Yes
Windows 8	8.0	Yes	Yes	Yes
Windows 7	SP1	Yes	Yes	Yes
Windows 7	SP0	Yes	Yes	Yes
Windows Vista	SP2	Yes	Yes	Yes
Windows Vista	SP1	Yes	Yes	Yes
Windows Vista	SP0	Yes	Yes	Yes
Windows XP	SP3	Yes	Yes	Yes
Windows XP	SP2	Yes	Yes	Yes
Windows XP	SP1			Yes
Windows XP	SP0			Yes
Mac OS X	Mavericks	Yes (1)	Yes (1)	Yes (1)
Mac OS X	Mountain Lion	Yes (1)	Yes (1)	Yes (1)
Mac OS X	Lion	Yes (1)	Yes (1)	Yes (1)
Mac OS X	Snow Leopard	Yes	Yes	Yes
Mac OS X	Leopard			Yes
Ubuntu (2)	Saucy	Yes	Yes	Yes
Ubuntu	Raring	Yes	Yes	Yes
Ubuntu	Quantal	Yes	Yes	Yes
Ubuntu	Precise	Yes	Yes	Yes
Ubuntu	Oneiric	Yes	Yes	Yes
Ubuntu	Natty	Yes	Yes	Yes
Ubuntu	Maverick	Yes (3)	Yes (3)	Yes
Ubuntu	Lucid	Yes (3)	Yes (3)	Yes
Linux Mint	13	Yes	Yes	Yes
Linux Mint	12	Yes	Yes	Yes
Linux Mint	12	Yes	Yes	Yes

(1): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked. (2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures. (3): x86 only.

The tool also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively. More signatures will be added. The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Download Inception

Read more

w3af - Open Source Web Application Security Scanner

w3af, is a Web Application Attack and Audit Framework. The w3af core and it’s plugins are fully written in python, it identifies more than 200 vulnerabilities and reduce your site’s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations.

Changelog v1.6

• Improved performance: your scans will run faster
• Improved quality: 1300+ unittests are run after each change to make sure we don’t add any regressions
• Now you’ll be able to easily integrate w3af into other projects with a simple import w3af
• Better documentation

Download w3af

Read more

WPScan - WordPress Security Scanner

WPScan is a black box WordPress vulnerability scanner.
Features

• Username enumeration (from author querystring and location header)
• Weak password cracking (multithreaded)
• Version enumeration (from generator meta tag and from client side files)
• Vulnerability enumeration (based on version)
• Plugin enumeration (2220 most popular by default)
• Plugin vulnerability enumeration (based on plugin name)
• Plugin enumeration list generation
• Other misc WordPress checks (theme name, dir listing, …)

Prerequisites:

• Windows not supported
• Ruby >= 1.9.2 – Recommended: 1.9.3
• Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
• RubyGems – Recommended: latest
• Git

Changelog v2.4

New

• ‘–batch’ switch option added – Fix #454
• Add random-agent
• Added more CLI options
• Switch over to nist – Fix #301
• New choice added when a redirection is detected – Fix #438

Removed

• Removed ‘Total WordPress Sites in the World’ counter from stats
• Old wpscan repo links removed – Fix #440
• Fingerprinting Dev script removed
• Useless code removed

General core

• Rspecs update
• Forcing Travis notify the team
• Ruby 2.1.1 added to Travis
• Equal output layout for interaction questions
• Only output error trace if verbose if enabled
• Memory improvements during wp-items enumerations
• Fixed broken link checker, fixed some broken links
• Couple more 404s fixed
• Themes & Plugins list updated

WordPress Fingerprints

• WP 3.8.2 & 3.7.2 Fingerprints added – Fix #448
• WP 3.8.3 & 3.7.3 fingerprints
• WP 3.9 fingerprints

Fixed issues

• Fix #380 – Redirects in WP 3.6-3.0
• Fix #413 – Check the version of the Timthumbs files found
• Fix #429 – Error WpScan Cache Browser
• Fix #431 – Version number comparison between ’2.3.3′ and ’0.42b’
• Fix #439 – Detect if the target goes down during the scan
• Fix #451 – Do not rely only on files in wp-content for fingerprinting
• Fix #453 – Documentation or inplemention of option parameters
• Fix #455 – Fails with a message if the target returns a 403 during the wordpress check

Vulnerabilities

• Update WordPress Vulnerabilities
• Fixed some duplicate vulnerabilities
• WPScan Database Statistics:
• Total vulnerable versions: 79; 1 is new
• Total vulnerable plugins: 748; 55 are new
• Total vulnerable themes: 292; 41 are new
• Total version vulnerabilities: 617; 326 are new
• Total plugin vulnerabilities: 1162; 146 are new
• Total theme vulnerabilities: 330; 47 are new

Download WPScan

Read more

Tor Browser v3.6 - Anonymity Online and defend yourself against network surveillance and traffic analysis

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

Changelog v3.6

Here is the complete changelog since TBB 3.5.4:

• All Platforms
  • Update Firefox to 24.5.0esr
  • Include Pluggable Transports by default:
    • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
  • Bug 11586: Include license files for component software in Docs directory.
  • Bug 9010: Add Turkish language support.
  • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
  • Update NoScript to 2.6.8.20
  • Update Tor Launcher to 0.2.5.4
    • Bug 9665: Localize Tor’s unreachable bridges bootstrap error
    • Bug 10418: Provide UI configuration for Pluggable Transports
    • Bug 10604: Allow Tor status & error messages to be translated
    • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
    • Bug 10610: Clarify wizard UI text describing obstacles/blocking
    • Bug 11074: Support Tails use case (XULRunner and optional customizations)
    • Bug 11482: Hide bridge settings prompt if no default bridges.
    • Bug 11484: Show help button even if no default bridges.
  • Update Torbutton to 1.6.9.0:
    • Bug 11242: Fix improper “update needed” message after in-place upgrade.
    • Bug 10398: Ease translation of about:tor page elements
    • Bug 9901: Fix browser freeze due to content type sniffing
    • Bug 10611: Add Swedish (sv) to extra locales to update
    • Bug 7439: Improve download warning dialog text.
    • Bug 11384: Completely remove hidden toggle menu item.
  • Backport Pending Tor Patches:
    • Bug 9665: Report a bootstrap error if all bridges are unreachable
    • Bug 11200: Prevent spurious error message prior to enabling network.
    • Bug 5018: Don’t launch Pluggable Transport helpers if not in use
    • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
    • Bug 11069: Detect and report Pluggable Transport bootstrap failures
    • Bug 11156: Prevent spurious warning about missing pluggable transports
• Mac:
  • Bug 4261: Use DMG instead of ZIP for Mac packages
  • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
• Linux:
  • Bug 11190: Switch linux PT build process to python2
  • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
• Windows:
  • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows

Here is the changelog since the 3.6-beta-2:

• All Platforms
  • Update Firefox to 24.5.0esr
  • Update Tor Launcher to 0.2.5.4
    • Bug 11482: Hide bridge settings prompt if no default bridges.
    • Bug 11484: Show help button even if no default bridges.
  • Update Torbutton to 1.6.9.0
    • Bug 7439: Improve download warning dialog text.
    • Bug 11384: Completely remove hidden toggle menu item.
  • Update NoScript to 2.6.8.20
  • Update fte transport to 0.2.13
  • Backport Pending Tor Patches:
    • Bug 11156: Additional obfsproxy startup error message fixes
  • Bug 11586: Include license files for component software in Docs directory.
• Windows and Mac:
• Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows builds

Download Tor Browser v3.6

Read more

Cuckoo Sandbox v1.1 - Automated Malware Analysis

Cuckoo Sandbox is a malware analysis system. It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Cuckoo generates a handful of different raw data which include:

• Native functions and Windows API calls traces
• Copies of files created and deleted from the filesystem
• Dump of the memory of the selected process
• Full memory dump of the analysis machine
• Screenshots of the desktop during the execution of the malware analysis
• Network dump generated by the machine used for the analysis

In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:

• JSON report
• HTML report
• MAEC report
• MongoDB interface
• HPFeeds interface

Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.

Changelog v1.1

• Added imphash to static PE analysis
• Added search for URLs in the web interface
• Added search for PE Imphash in the web interface
• Added possibility in web interface to queue to all machines
• Added filtering by behavior category in Django web interface
• Added analyzer log to Django web interface
• Added REST API to retrieve screenshots associated with a task
• Added REST API to retrieve the PCAP associated with a task
• Added database migration utility
• Added remote submission to submit.py utility
• Added small stats utility (utils/stats.py)
• Added analysis package for PowerShell scripts
• Added overlay configuration for signatures (data/signatures_overlay.json)
• Fixed bug in MAEC report
• Fixed package selection for Office documents and CPL scripts
• Fixed issue with tcpdump filters
• Fixed unhandled exception when uploading files to the analysis machines
• Fixed issues in CuckooMon that resulted in Internet Explorer crashes
• Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
• Fixed bug in behavior processing module that resulted in a trailing backslash in summary’s registry keys

Download  Cuckoo Sandbox v1.1

Read more

Host-Extract - Enumerate All IP/Host Patterns In A Web Page

This little ruby script tries to extract all IP/Host patterns in page response of a given URL and JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/Hostnames, development IPs/ports, cdn, load balancers, additional attack entries related to your target that are revealed in inline js, css, html comment areas and js/css files.

This is unlike web crawler which looks for new links only in anchor tags (<a) or the like.

(you might miss many additional targets if you ever use such web crawler or other GUI-based tools that shows you your main target and its relationship with its linked sub/off-site domains)
In some cases, host-extract may give you false positives when there are some words like - main-site_ver_10.2.1.3.swf.

With -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time.

Download Host-Extract

USAGE:

ruby host-extract.rb URL [option]

Usage: host-extract [options]
        -a               find all ip/host patterns
        -j               scan all js files
        -c               scan all css files
        -v               append view-source html snippet for manual verification

Read more

Tilt - Terminal Ip Lookup Tool

Tilt: Terminal ip lookup tool, is an easy and simple open source tool implemented in Python for ip/host passive reconnaissance. It's very handy for first reconnaissance approach and for host data retrieval.

Features

• Host to IP conversion
• IP to Host conversion
• DNS to IPs
• GeoIP Translation
• Extensive information gathering trough Host-name
  • Whois with:
    • Registrar info
    • Dates
    • Name Server
    • SiteStatus
    • Owner information
    • Additional data
  • Sub domains
    • Percentage of access
  • Extensive Name Server
  • SOA Records
  • DNS Records with extensive data
• Reverse IP Lookup
• Extensive reverse IP lookup, looking for host with different IP on the same machine

Download Tilt

Read more

Kautilya v0.4.5 - Pwnage with Human Interface Devices

Kautilya is a toolkit which provides various payloads for Teensy device which may help in breaking in a computer. The toolkit is written in Ruby.

• The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7.
• The Linux payloads are mostly commands in combination with little Bash scripting. These are tested on Ubuntu 11.
• The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare.

Changelog v0.4.5

• Bug fixes and improvements in Time Based Exec. It now supports exfiltration and could be stopped remotely.
• Less lines of code for HTTP Backdoor and Download Execute PS.
• HTTP Backdoor, Download Execute PS, Hashdump and Exfiltrate and Dump LSA Secrets now execute the downloaded script in memory.
• Shortened parameters passed to powershell.exe when the scripts are called. Thus, saving the time in “typing” by HID.
• Added two new exfiltration options, POST requests and DNS TXT records.
• Username and password for exfiltration would be asked only if you select gmail or pastebin.
• Tinypaste as an option for exfiltration has been removed.
• Payloads have been made more modular which results in smaller size.
• Reboot Persistence has been added to HTTP Backdoor and DNS TXT Backdoor.
• Menu redesign.
• Bug fix in Dump LSA Secrets payload.
• Added ./extras/Decode.ps1. Use this to decode data exfiltrated by HTTP Backdoor and DNS TXT Backdoor.
• Added ./extras/Remove-Persistence.ps1. Use this to remove persistence by Keylogger, HTTP Backdoor and DNS TXT Backdoor.
• Kautilya could be run on Windows if win32console gem is installed.

Download Kautilya

Read more

ModSecurity v2.8.0 - Open Source Web Application Firewall

ModSecurity™ is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure.

Changelog v2.8.0
Bug fix

• Build issue: Now using autotools to identify if sys/utsname.h is present.
• Changed configure.ac version to 2.8

Changelog v2.8.0-rc1:
New features

• JSON Parser is no longer under tests. Now it is part of our mainline.
• Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
• New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
• ModSecurity status is now part of our mainline.
• New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
• Append and prepend are now supported on nginx (Ref: #635);
• SecServerSignature is now available on nginx (Ref: #637);

Improvements

• Regression tests are not able to expect different values according to the platform;
• Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
• New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
• Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620,#619);
• Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
• IIS installer is now using the correct 32/64bits folders to install;
• IIS Installer 32bits now refuses to install on 64bits environments;
• IIS: Using new WiX options to build the package in the correct architecture;
• While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
• CRS from IIS version was upgraded to 2.2.9;
• IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
• ModSecurity now warns the user who tries to use “proxy” in IIS or Nginx. Proxy is Apache only;
• Remove warnings from the build process (Ref: #617);
• Apache configuration in regression tests was changed making it more platform independent;
• Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
• Regression tests were refactored to be more Nginx friendly;
• Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636);
  • Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
  • Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence;
  • Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
  • Increased the timeout while reading the auditlog;
  • SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
  • Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
  • Fixed regression tests scripts paths, to make it MacOS friendly;
  • Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail;
• Updates to fix errors found by Parfait static code analysis (Ref: #612);
• Cleaning up on the repository, by removing unused files;
• IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
• IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).

Bug fix

• Correctly handling inet_pton in IIS version;
• Nginx was missing a terminator while the charset string was mounted (Ref: #148);
• Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
• Added missing environment variables to regression tests;
• Build system is now more flexible by looking at liblua at: /usr/local/lib;
• Fixed typo in README file.
• Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
• Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
• Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
• Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
• Avoiding segmentation fault by checking if a structure is null before access its members;
• Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
• Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
• If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645);
• Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
• IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref#632).

Download ModSecurity v2.8.0

Read more

Wireshark v1.11.3 - The world’s foremost network protocol analyzer

Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Changelog v1.11.3

New and Updated Features

The following features are new (or have been significantly updated) since version 1.11.1:

• Qt port:
  • The About dialog has been added
  • The Capture Interfaces dialog has been added.
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
  • The Export PDU dialog has been added.
  • Several SCTP dialogs have been added.
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
  • The I/O Graph dialog has been added.
  • French translation has updated.

The following features are new (or have been significantly updated) since version 1.11.1:

• Mac OS X packaging has been improved.

The following features are new (or have been significantly updated) since version 1.11.0:

• Dissector output may be encoded as UTF-8. This includes TShark output.
• Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.

The following features are new (or have been significantly updated) since version 1.10:

• Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
• The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
• Expert information is now filterable when the new API is in use.
• The “Number” column shows related packets and protocol conversation spans (Qt only).
• When manipulating packets with editcap using the -C <choplen> and/or -s <snaplen> options, it is now possible to also adjust the original frame length using the -L option.
• You can now pass the -C <choplen> option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
• You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
• “malformed” display filter has been renamed to “_ws.malformed”. A handful of other filters have been given the “_ws.” prefix to note they are Wireshark application specific filters and not dissector filters.

Download Wireshark v1.11.3

Read more

RAWR - Rapid Assessment of Web Resources

Introducing RAWR (Rapid Assessment of Web Resources). There’s a lot packed in this tool that will help you get a better grasp of the threat landscape that is your client’s web resources. It has been tested from extremely large network environments, down to 5 node networks. It has been fine-tuned to promote fast, accurate, and applicable results in usable formats. RAWR will make the mapping phase of your next web assessment efficient and get you producing positive results faster!

Features

• A customizable CSV containing ordered information gathered for each host, with a field for making notes/etc.
• An elegant, searchable, JQuery-driven HTML report that shows screenshots, diagrams, and other information.
• a CSV Treat Matrix for an easy view of open ports across all provided hosts. (Use -a to show all ports.)
• Default password suggestions using a list compiled from several online sources.
• Supports the use of a proxy (Burp, Zap, W3aF)
• Captures/stores SSL Certificates, Cookies, and Cross-domain.xml
• Customizable crawl of links within the host’s domain.
• PNG Diagram of all pages found during crawl
• List of links crawled in tiered format.
• List of documents seen for each site.
• Automation-Friendly output (JSON strings)

Requirements

• nmap – at least 6.00 – required for SSL strength assessment
• graphviz – site diagram from crawl (optional)
• python-lxml – parsing xml & html
• python-pygraphviz – site layout from crawl (optional)
• phantomJS – tested with 1.9.1, can be downloaded/installed in local folder during –check-install

Download RAWR

Read more