Not long after releasing v11 of their scanner, Acunetix has decided to deliver free manual pen-testing tools. Previously these tools were only available to paying Acunetix customers, now anyone can use them to make their manual web application testing easier.
Penetration testers can make use of an HTTP Editor to modify or craft HTTP requests and analyse responses; intercept and modify HTTP traffic on the fly using the integrated HTTP Sniffer; fuzz test HTTP requests using the HTTP Fuzzer and test Blind SQL Injection vulnerabilities further using the Blind SQL Injector, among others.
- HTTP Editor: Allows you to create, analyze and edit client HTTP requests, as well as inspect server responses. It also includes an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 and other formats.
- HTTP Sniffer: A proxy that allows you to analyse HTTP requests and responses, and edit these while they are in transit. The HTTP sniffer can also be used to manually crawl a site, and use the manual crawl to seed an Acunetix scan.
- HTTP Fuzzer: A tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and handling of invalid data by the web application.
- Blind SQL Injector: An automated database data exfiltration tool. By using Blind SQL injection vulnerabilities discovered when scanning a website, it is possible to demonstrate the serious impact a Blind SQL injection vulnerability can have on the website. Used to enumerate databases, tables, fields and dump data from the vulnerable web application.
- Subdomain Scanner: Scans a top-level domain to discover subdomains configured in its hierarchy, by using the target domain’s DNS server, or any other DNS server specified by the user. While scanning, this tool will also automatically identify and inform the user if the domain being scanned is using some kind of wildcard characters, such as *.domain.com.
- Target Finder: An IP range / port scanner which can be used to discover running web servers on a given IP or within a specified range of IPs. The list of ports on which the web servers are listening can also be configured. The default ports the scanner will scan are port 80 for HTTP and port 443 for SSL.
- Authentication Tester: Used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.
There are also detailed documents with examples for:
You can download the tools here:
You can read more here:
ZGrab is a Go-based application layer scanner that operates with ZMap and supports multiple protocols and services including TLS, IMAP, SMTP, POP3 etc.
It also records the negotiated TLS version and can detect Heartbleed.
You will need to have a valid $GOPATH set up; for more information about $GOPATH, see https://golang.org/doc/code.html.
Once you have a working
go get github.com/zmap/zgrab
This will install zgrab under
$ cd $GOPATH/src/github.com/zmap/zgrab
$ go build
zgrab [-banners] [-ca-file file] [-cbc-only] [-data message] [-ehlo domain] [-encoding encoding] [-heartbleed] [-imap] [-input-file file] [-interface interface] [-log-file file] [-metadata-file file] [-modbus] [-output-file file] [-pop3] [-port port] [-senders senders] [-smtp] [-smtp-help] [-starttls] [-timeout timeout] [-tls] [-tls-version version] [-udp]
# zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json
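What the `--tls` step of that pipeline does for each host, reduced to a stand-alone Go program so it can be tried offline. This is an added example, not ZGrab's own code: it connects to an address, completes a TLS handshake and records the negotiated version, cipher suite and certificate subject as one JSON record, and, to stay self-contained, starts a throwaway loopback TLS server with a self-signed certificate to scan. The `Grab` record and its field names, the `loopback.example` certificate name and the `StartLoopbackServer` helper are assumptions of this example and say nothing about ZGrab's output schema.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Grab is one scan record. The field names are this example's own assumption,
// not ZGrab's JSON schema.
type Grab struct {
	Host        string `json:"host"`
	TLSVersion  string `json:"tls_version,omitempty"`
	CipherSuite string `json:"cipher_suite,omitempty"`
	Subject     string `json:"subject,omitempty"`
	Error       string `json:"error,omitempty"`
}

// versionName maps the negotiated protocol number to a readable label.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS1.0"
	case tls.VersionTLS11:
		return "TLS1.1"
	case tls.VersionTLS12:
		return "TLS1.2"
	case tls.VersionTLS13:
		return "TLS1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// GrabTLS connects to addr, completes a handshake and records what the server
// offered. Chain verification is skipped on purpose: an inventory scanner
// reports what it sees (self-signed, expired, wrong name) instead of refusing
// to talk. Errors go into the record so one dead host does not abort a run.
func GrabTLS(addr string, timeout time.Duration) Grab {
	g := Grab{Host: addr}
	dialer := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		g.Error = err.Error()
		return g
	}
	defer conn.Close()
	st := conn.ConnectionState()
	g.TLSVersion = versionName(st.Version)
	g.CipherSuite = tls.CipherSuiteName(st.CipherSuite)
	if len(st.PeerCertificates) > 0 {
		g.Subject = st.PeerCertificates[0].Subject.String()
	}
	return g
}

// StartLoopbackServer runs a throwaway TLS listener on 127.0.0.1 with a
// self-signed certificate (constructed for this example), capped at maxVersion,
// so the grabber has something to scan offline. It returns the address and a
// function that stops the listener.
func StartLoopbackServer(maxVersion uint16) (string, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "loopback.example"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   maxVersion,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				c.(*tls.Conn).Handshake() // serve the handshake, then hang up
				c.Close()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	addr, stop, err := StartLoopbackServer(tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	defer stop()
	out, _ := json.Marshal(GrabTLS(addr, 3*time.Second))
	fmt.Println(string(out)) // one JSON record per scanned host
}
```

Pointing `GrabTLS` at a list of your own hosts gives a quick inventory of which ones still negotiate down to TLS 1.0 or 1.1, which is the defensive use of this kind of scanner.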
You can download ZGrab here:
Or read more here.
p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier.
What the author tried was to build an “all in one” Post Exploitation tool which could be used to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defence strategies.
The following PowerShell tools/functions are included:
- PowerSploit Invoke-Shellcode
- PowerSploit Invoke-ReflectivePEInjection
- PowerSploit Invoke-Mimikatz
- PowerSploit Invoke-TokenManipulation
- PowerSploit PowerUp
- PowerSploit PowerView
- HarmJ0y’s Invoke-Psexec
- Besimorhino’s PowerCat
- Nishang Invoke-PsUACme
- Nishang Invoke-Encode
- Nishang Get-PassHashes
- Nishang Invoke-CredentialsPhish
- Nishang Port-Scan
- Nishang Copy-VSS
- Kevin Robertson Invoke-Inveigh
- Kevin Robertson Tater
- FuzzySecurity Invoke-MS16-032
PowerShell functions within the Runspace are loaded in memory from Base64-encoded strings.
The following Binaries/tools are included:
- Benjamin DELPY’s Mimikatz
- Benjamin DELPY’s MS14-068 kekeo Exploit
- Didier Stevens modification of ReactOS Command Prompt
- MS14-058 Local SYSTEM Exploit
- hfiref0x MS15-051 Local SYSTEM Exploit
To compile p0wnedShell you need to import this project into Microsoft Visual Studio or if you don’t have access to a Visual Studio installation, you can compile it as follows:
To Compile as x86 binary:
csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"
To Compile as x64 binary:
csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"
p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.
You can download p0wnedShell here:
Or read more here.
Ah our favourite database in the news again, being hailed as the MongoDB Ransack a whole bunch of people have turned the insecure MongoDB default configuration into a ransom opportunity. They are deleting/stealing databases and soliciting bitcoin payments to return the data.
With multiple actors doing the same stuff though it’s hard to know who is legit, and it seems some are just deleting the databases and asking for payment without even having the data.
MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day.
Criminals are accessing, copying and deleting data from unpatched or badly-configured databases.
Administrators are being charged ransoms to have data returned. Initial attacks saw ransoms of 0.2 bitcoins (US$184) to attacker harak1r1, of which 22 victims appeared to have paid, up from 16 on Wednesday when the attacks were first reported.
However, some payments could be benign transfers designed to make it appear victims are paying.
Norway-based security researcher and Microsoft developer Niall Merrigan says the attacks have soared from 12,000 earlier today to 27,633, over the course of about 12 hours.
Merrigan and his associates have now logged some 15 distinct attackers. One actor using the email handle kraken0 has compromised 15,482 MongoDB instances, demanding 1 bitcoin (US$921) to have files returned. No one appears to have paid. Merrigan says he is investigating “OSINT and finding different IOCs as well the actors involved”.
It’s not the first time we’ve talked about this either: back when BeautifulPeople.com was hacked it was due to MongoDB and its great defaults (listening on all interfaces, including public Internet-facing IP addresses) and not forcing any kind of authentication by default.
Yah you can say it’s the users’ problem, the features are there – but how hard is it to have secure defaults? Newer versions have fixed this, from what I know – but still, the mess caused by their dubious decisions is pretty widespread.
All told, a whopping 99,000 MongoDB installations are exposed, Gevers says.
MongoDB security is a known problem: up until recently, the software’s default configuration was insecure. Shodan founder John Matherly warned in 2015 that some 30,000 exposed MongoDB instances were open to the internet without access controls.
In the Antipodes, the Australian Communications and Media Authority has been reporting exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit.
Bruce Matthews, manager of the agency’s cyber security and unsolicited communications enforcement section, told Vulture South it has insight into IP ranges covering 90 percent of Australia.
He says the number of exposed MongoDB databases in Australia appears to remain steady.
“We report open and vulnerable services to AISI who can pass on the information to the operator of the service,” Matthews says. “It is important that the information is passed on.”
It’s not terribly hard to fix either, assuming it’s installed on the same server as the web host (if not, why else would a DB have a public IP?): just bind it to localhost and enable authentication for all databases.
The problem now is all these ‘agile’ tools, DevOps deploying gists on Github and automated server creation means developers with no clue about security are rolling up database servers and just using them. I blame the MEAN stack.
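The two settings behind “bind it to localhost and enable authentication” are `net.bindIp` and `security.authorization` in mongod.conf. The program below is an added example, not from this post or from MongoDB: it embeds a constructed pre-hardening configuration beside the hardened one and audits a configuration text for exactly those two weaknesses (plus `net.bindIpAll`, which re-opens every interface on current releases), so the same check can be run over a fleet of config files. The `Audit` and `parseFlat` names and the two sample configurations are this example's own; the parser understands only the plain two-level block-style YAML shown here, which is an assumption about how the files are written.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// WeakConf is a constructed sample of the exposed setup the post describes:
// listening on every interface with no authorization. Not a real deployment.
const WeakConf = `# constructed example: pre-hardening
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
`

// HardenedConf is a constructed sample of the fix: loopback only, auth on.
const HardenedConf = `# constructed example: hardened
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
`

// parseFlat reads the two-level subset of mongod.conf used above:
// "section:" at column 0 and "  key: value" beneath it, comments stripped.
// Assumption: flow mappings, anchors and deeper nesting are out of scope.
func parseFlat(conf string) map[string]string {
	out := map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if strings.TrimSpace(line) == "" {
			continue
		}
		indented := line[0] == ' ' || line[0] == '\t'
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		key := strings.TrimSpace(parts[0])
		val := ""
		if len(parts) == 2 {
			val = strings.TrimSpace(parts[1])
		}
		if !indented {
			section = key
			continue
		}
		out[section+"."+key] = val
	}
	return out
}

// isLoopback reports whether one bindIp entry keeps mongod off the network.
func isLoopback(addr string) bool {
	switch strings.Trim(addr, "[]\"'") {
	case "127.0.0.1", "localhost", "::1":
		return true
	}
	return false
}

// Audit returns one finding per weakness; an empty result means the two
// settings the post recommends are both in place.
func Audit(conf string) []string {
	c := parseFlat(conf)
	var findings []string
	if c["net.bindIpAll"] == "true" {
		findings = append(findings, "net.bindIpAll is true: mongod listens on all interfaces")
	}
	if bind, ok := c["net.bindIp"]; !ok {
		// Releases before 3.6 listened on all interfaces when bindIp was unset.
		findings = append(findings, "net.bindIp not set: releases before 3.6 then listen on all interfaces")
	} else {
		for _, a := range strings.Split(bind, ",") {
			if a = strings.TrimSpace(a); !isLoopback(a) {
				findings = append(findings, "net.bindIp includes non-loopback address "+a)
			}
		}
	}
	if c["security.authorization"] != "enabled" {
		findings = append(findings, "security.authorization is not enabled: anyone who can reach the port can read and drop databases")
	}
	return findings
}

func main() {
	for name, conf := range map[string]string{"weak": WeakConf, "hardened": HardenedConf} {
		fmt.Printf("%s: %d finding(s)\n", name, len(Audit(conf)))
		for _, f := range Audit(conf) {
			fmt.Println("  -", f)
		}
	}
}
```

Binding to loopback is only the right answer when the application lives on the same box, as the post assumes; a database on its own host should instead bind to the private interface and sit behind a firewall rule, and the audit above will rightly flag that address so a human can confirm it is not public.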
Source: The Register
Fluxion is an automated EvilAP attack tool for carrying out MiTM attacks on WPA Wireless networks written in a mix of Bash and Python. Fluxion is heavily based off Linset, the Evil Twin Attack Bash script, with some improvements and bug-fixes. How it Works: Scan the networks. Capture a handshake (can’t be used without a […]
Exitmap is a fast and modular Python-based Tor exit relay scanner. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, […]
DAVScan is a quick and lightweight WebDAV security scanner designed to discover hidden files and folders on DAV enabled web servers. The scanner works by taking advantage of overly privileged/misconfigured WebDAV servers or servers vulnerable to various disclosure or authentication bypass vulnerabilities. The scanner attempts to fingerprint the target server and then spider the server […]
Project Wycheproof is a tool to test crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product. At Google, they rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and they found that […]
It seems that 2016 has been the year of immense DDoS attacks, many coming from Mirai. This seems to be a newcomer though ending the year with a 650Gbps DDoS attack. The Dyn DNS DDoS attack that some speculated reached over 1Tbps was probably the biggest, but this isn’t that far behind and it’s bigger […]
Ettercap is a comprehensive suite for man-in-the-middle attacks (MiTM). It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It also supports active and passive dissection of many protocols and includes many features for network and host analysis. Ettercap works by putting the network interface into promiscuous mode and […]