Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

28 July 2015 | 1,338 views

Mimikatz – Gather Windows Credentials

Cyber Raptors Hunting Your Data?

Mimikatz is a tool to gather Windows credentials, basically a swiss-army knife of Windows credential gathering that bundles together many of the most useful tasks that you would perform on a Windows machine you have SYSTEM privileges on. It supports both Windows 32-bit and 64-bit and allows you to gather various credential types.

Techniques such as Pass the Hash, Pass the Ticket, Over-Pass The Hash (AKA Pass the Key), Kerberos Golden Ticket, Kerberos Silver Ticket, Pass the Cache & Attacking the Kerberos Session Ticket (TGS).

mimikatz - Gather Windows Credentials

Many people refer to it as a post-exploitation tool, something you would use to take a stronger hold of a network already compromised.

Features

  • Dump credentials from LSASS (Windows Local Security Account database)
    • MSV1.0: hashes & keys (dpapi)
    • Kerberos password, ekeys, tickets, & PIN
    • TsPkg (password)
    • WDigest (clear-text password)
    • LiveSSP (clear-text password)
    • SSP (clear-text password)
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys (even those not normally exportable).
  • Dump cached credentials
  • Stop event monitoring.
  • Bypass Microsoft AppLocker / Software Restriction Polcies
  • Patch Terminal Server
  • Basic GPO bypass

Commands

The primary command components are sekurlsa, kerberos, crypto, vault, and lsadump.

Sekurlsa interacts with the LSASS process in memory to gather credential data and provides enhanced capability over kerberos.

The Mimikatz kerberos command set enables modification of Kerberos tickets and interacts with the official Microsoft Kerberos API. This is the command that creates Golden Tickets. Pass the ticket is also possible with this command since it can inject Kerberos ticket(s) (TGT or TGS) into the current session. External Kerberos tools may be used for session injection, but they must follow the Kerberos credential format (KRB_CRED). Mimikatz kerberos also enables the creation of Silver Tickets which are Kerberos tickets (TGT or TGS) with arbitrary data enabling AD user/ group

Crypto enables export of certificates on the system that are not marked exportable since it bypasses the standard export process.

Vault enables dumping data from the Windows vault.

Lsadump enables dumping credential data from the Security Account Manager (SAM) database which contains the NTLM (sometimes LM hash) and supports online and offline mode as well as dumping credential data from the LSASS process in memory. Lsadump can also be used to dump cached credentials. In a Windows domain, credentials are cached (up to 10) in case a Domain Controller is unavailable for authentication. However, these credentials are stored on the computer.

OS Support

Mimikatz works on:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows Server 2003
  • Windows Server 2008 / 2008 R2
  • Windows Server 2012 / 2012 R2
  • Windows 10 (beta support)

You can download mimikatz most recent release here:

Latest Release

Or read more here.

Advertisements



23 July 2015 | 1,508 views

The Jeep HACK – What You Need To Know

So yah, the big news this week everyone is shouting about is about the Fiat Chrysler Automobiles (FCA) owned Jeep Hack involving the new Cherokee which has remote control software which allows access to the engine, aircon, audio system and brakes – basically the whole car can be controlled remotely as long as you know the IP Address.

Jeep HACKED - Anyone Driving A Cherokee Is In Danger

Pretty scary? To prove a point Wired even did a story with a live hack while the journalist was riding in the car at 70mph on the freeway – it sounds pretty terrifying:

Hackers Remotely Kill a Jeep on the Highway—With Me in It

The Wired article is a good read with some details about how the exploit hops between systems and how it was developed. It also highlights just how dangerous this can be as cars get more and more connected.

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car’s brakes and engine can be remotely controlled by anyone with an internet connection.

At next month’s Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car’s engine, brakes, and minor systems from miles away simply by knowing the car’s public IP address.

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car’s controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

This is the first time a car hack has gone fully wireless though and it works over the Internet, which makes it really scary for owners of the effected vehicles. I’d imagine other cars with similar features might be equally vulnerable too, just that no-one is focusing on them yet.

Or people are, but it’s in the underground – that’s impossible to know.

It’s an ugly part of the car industry though, car experts developing software and operating systems with old outdated technology and models when they could just adopt peer reviewed operating systems and software.

I for one welcome our Android Auto overlords.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.

In short, make sure your car’s software is up to date; check your manual for details on obtaining the latest firmware.

Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.

On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.

“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey.

There’s an updates available for it, so yah please don’t pass it up – it’s kinda important. It’s only available to install via a USB stick or an authorised mechanic though, no push OTA updates like BMW did for the door-lock flaw earlier this year so it’s likely a lot of cars are going to remain vulnerable.

Jeep Cherokee Remote Access Fix

The software update is available here: uConnect Software Update Site.

So if you have one of these cars, ya – please update and secondly..perhaps reconsider your choice of vehicles.

Source: The Register


21 July 2015 | 558 views

Dharma – Generation-based Context-free Grammar Fuzzing Tool

Dharma is a tool used to create test cases for fuzzing of structured text inputs, such as markup and script. It takes a custom high-level grammar format as input, and produces random well-formed test cases as output – it can be used as a grammar fuzzing tool.

API programming is complex and subtle programming mistakes in new code can introduce annoying crashes and even serious security vulnerabilities that can be triggered by malformed input which can lead to headaches for the user and security exposure.

Dharma - Generation-based Context-free Grammar Fuzzing Tool

WebAPIs start life as a specification in the form of an Interface Description Language, or IDL. Since this is essentially a grammar, a grammar-based fuzzer becomes a valuable tool in finding security issues in new WebAPIs because it ensures that expected semantics are followed most of the time, while still exploring enough undefined behaviour to produce interesting results.

Features

  • Persistent variable tracking and cross-reference support
  • Intuitive cross-referencing and meta function syntax
  • Automatic leaf node bias after deep graph recursions
  • Internal constant overriding for greater configurability
  • Templated prefix and suffix outputs

Apart from the original features listed above the guys from Mozilla dragged Dharma out of 2012 and gave it a good working over. They improved the way it parses grammars and optimized the speed of parsing and the generating of fuzzed output, added new grammar features to the grammar specification, added support for serving testcases over a WebSocket server, and made it Python 3 ready.

Usage

Generate a single test-case.

Generate a single test case with multiple grammars.

Generating test-cases as files.

You can download Dharma here:

Dharma-v1.1.zip

Or read more here.


16 July 2015 | 1,277 views

Telegram DDoS Attack – Messaging App Suffers 200GBps Pounding

For those not familiar before we get to the Telegram DDoS attack, Telegram is an instant messaging system focusing on privacy and multi-platform availability. It was launched by the founders of VK, the largest social network in Russia and is run as an independent non-profit company in Germany.

The client code is open-source and audited and various implementations can be found by various individuals based on the API.

Telegram DDoS Attack - Messaging App Suffers 200GBps Pounding

Just a few days ago, users in South East Asia were having difficulty accessing the service and Telegram announced they were suffering a huge DDoS attack.

Popular messaging platform Telegram has been hit with a 200Gbps distributed denial of service (DDoS) attack.

The Tsunami TCP SYN flood kicked off on Friday and hurt users in Asia, Australia, and Oceania, knocking out the service for some five percent of the company’s 60 million active users it has gained in 18 months.

It is a new form of DDoS attack discovered October by Radware security folk who say it is different from regular SYN floods in that it transmits large 100 byte packet sizes about double the regular 40 to 60 byte size.

That Radware says defeats many defense algorithms and quickly consumes bandwidth making even a modest attack clock some four to five gigabits per second.

It seems to be a slight variation of the regular SYN flood with a larger packet size that quickly consumes network resources.

With a 100,000 nodes involved the attack generating over 200GBps of bandwidth – it’s a fairly substantial attack.

The garbage traffic came from about a hundred thousand infected servers, most noticeably, in LeaseWeb B.V., Hetzner Online AG, PlusServer AG, NFOrce Entertainment BV, Amazon and Comcast networks,” Telegram says.

“That said, the attack was distributed evenly across thousands of hosts and none contributed more than five percent of the total volume … by now we know that the attack is being coordinated from East Asia.

“Attacks on the scale of the one we‘re facing today have become possible only recently and it’s the first time we‘ve met anything like this.”

The company says it did not want to discuss its mitigation measures in the event that it could give pointers to attackers unknown.

“Our sysadmin cyborgs are working on this 24 hours a day.”

The attack follows a bizarre smaller DDoS that followed a move by the company to introduce free custom stickers over the service.

It seems like no clear reason why Telegram is the target of this attack, some conspiracy theories claim it to be because of the free custom stickers – which other similar messaging apps make money from.

That seems a little far fetched though, we’ll keep an eye out and see if any more information emerges.

Source: The Register


14 July 2015 | 1,148 views

Egress-Assess – Test Network Egress Data Detection

Egress-Assess is a tool used to test network egress data detection capabilities, it works over FTP, HTTP and HTTPS. It can generate various data-types to test detection, credit card details, social security numbers (SSN) and name/address combos.

Egress-Assess - Test Network Egress Data Detection

This tool is designed to be an easy way to test exfiltrating data from the network you are currently plugged into. Used for red or blue teams that want to test network boundary egress detection capabilities.

Typical use case for Egress-Assess is to copy this tool in two locations. One location will act as the server, the other will act as the client.

Usage


To extract data over FTP, you would first start Egress-Assess’s FTP server by selecting “–server ftp” and providing a username and password to use:

Now, to have the client connect and send data to the ftp server, you could run…

Also, you can setup Egress-Assess to act as a web server by running….

Then, to send data to the FTP server, and to specifically send 15 megs of credit card data, run the following command…

You can download Egress-Assess here:

v1.0.zip

Or read more here.


11 July 2015 | 1,999 views

Passgen – Random Character Generator For WPA/WPA2 Key Cracking

Passgen is an simple Python alternative for the random character generator Crunch which attempts to solve cracking WPA/WPA2 keys by randomizing the output as opposed to generating a list like so (aaaaaaaa, aaaaaaab, aaaaaac, etc).

Passgen - Random Character Generator For Password Cracking

Example usage with aircrack-ng:

Some other options are:

Of course John the Ripper (JTR) has some built in options for creating permutations from Wordlists.

You can download Passgen v0.3 here:

passgen.py

Or read more here.


09 July 2015 | 4,704 views

Hacking Team Hacked – What You Need To Know

So the Internet has been blowing up for the last few days about an Italian information security company called Hacking Team getting pwned – they were already pretty famous for their software RCS (Remote Control Software) also known as Galileo.

In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security. Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.

Hacking Team Hacked - What You Need To Know

They’ve been selling RCS, exploit kits and more shady darkweb tools exclusively to governments, and have done some pretty shady deals – including selling to Sudan who are basically committing genocide and Saudi Arabia. Reports Without Borders lists them as an enemy of the Internet – https://surveillance.rsf.org/en/

The other is a list of five “Corporate Enemies of the Internet,” five private-sector companies that are “digital era mercenaries.” The five companies chosen are Gamma, Trovicor, Hacking Team, Amesys and Blue Coat, but the list is not exhaustive and will be expanded in the coming months. They all sell products that are liable to be used by governments to violate human rights and freedom of information.

The countries it’s known to have sold to include Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan…and probably others as well.

There’s an in-depth report here from 2014 on the usage of RCS – Mapping Hacking Team’s “Untraceable” Spyware.

Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team. Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor. Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.

And more here including RCS manuals and analysis – Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide.

We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

So they’ve been known about, and in the limelight for quite some time – but why this blew is up is they actually got hacked. From some initial analysis, it looks like they’ve been compromised since January or so but just this week whoever penetrated them released what they’d collected.

A mammoth 415GB cache of goodies including source code, customer lists, documents, confidential e-mails, password lists, private keys and MUCH more was unleashed and set the infosec community on fire. Mirror here – https://ht.transparencytoolkit.org/

It’s also causing some security fall-out panic as an Adobe Flash 0-day leaked during the dump has gone into the wild, already integrated into common exploit kits.

The vulnerability is cataloged as CVE-2015-5119 and is active in Flash versions 18.0.0.194 and earlier. According to security firm Rapid 7, it stems from a use-after-free bug that can be exploited while Flash is handling ByteArray objects. The update is available for Windows, Mac OS X, and Linux systems. Adobe has credited Google’s Project Zero and Morgan Marquis-Boire, director of security, First Look Media, for reporting the critical bug and working to protect Flash users.

Coined by many now as ‘Hacked Team’ there is a Github repo of the same name with all the source code from the leak: https://github.com/hackedteam

I don’t know if anyone else noticed, but some of the imported repos actually link to an active Github account called ‘alor‘ – which is Hacking Team employee Alberto Ornaghi (an active Software Architect at Hacking Team according to his LinkedIn).

Another fascinating part of the leak is the price list of their software, you view the full RCS price list here: Remote Control System – Price Scheme

And also the FULL RCS 9 admin guide here – RCS 9 Administrator’s Guide

There’s an almost non-stop stream of chatter about this on Twitter too, where you can see various people exploring various parts of the dump: #hackingteam

More from Wired: Hacking Team Breach Shows a Global Spying Firm Run Amok

Few news events can unleash more schadenfreude within the security community than watching a notorious firm of hackers-for-hire become a hack target themselves. In the case of the freshly disemboweled Italian surveillance firm Hacking Team, the company may also serve as a dark example of a global surveillance industry that often sells to any government willing to pay, with little regard for that regime’s human rights record.

The Guardian: Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim

The cybersecurity firm Hacking Team appears to have itself been the victim of a hack, with documents that purport to show it sold software to repressive regimes being posted to the company’s own Twitter feed.

The Italy-based company offers security services to law enforcement and national security organisations. It offers legal offensive security services, using malware and vulnerabilities to gain access to target’s networks.

And well anywhere you search now basically will be shouting about Hacking Team Hacked, Google News for example – just search “Hacking Team”:

Hacking Team

Currently the front page + 192 more articles are available. So go read some more!

It’ll be interesting to see what else is uncovered from this treasure trove of illicit software and governmental communications. I’d personally be scared if I had some really pissed clients that have their own personal armies..


04 July 2015 | 1,228 views

AddressSanitizer – A Fast Memory Error Detector

AddressSanitizer (aka ASan) is a very fast memory error detector for C/C++, Tthe average slowdown of the instrumented program is ~2x. The tool works on x86 Linux and Mac, and ARM Android. AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory.

AddressSanitizer - A Fast Memory Error Detector

The tool consists of a compiler instrumentation module (currently, an LLVM pass) and a run-time library which replaces the malloc function.

Features

It finds:

  • Use after free (dangling pointer dereference)
  • Heap buffer overflow
  • Stack buffer overflow
  • Global buffer overflow
  • Use after return
  • Initialization order bugs

Using AddressSanitize

In order to use AddressSanitizer you will need to compile and link your program using clang with the -fsanitize=address switch. To get a reasonable performance add -O1 or higher, and to get nicer stack traces in error messages add -fno-omit-frame-pointer.

Limitations

AddressSanitizer does not prevent any uninitialized memory reads, and only prevents some use-after-return bugs. It is also not capable of preventing all arbitrary memory corruption bugs. Arbitrary write bugs due to integer underflow/overflows (when the integer with undefined behaviour is used to calculate memory address offsets). Adjacent buffers in structs and classes are not protected from overflow, in part to prevent breaking backwards compatibility

You can get AddressSanitizer as a part of LLVM starting with version 3.1 and a part of GCC starting with version 4.8.

Or read more here.


02 July 2015 | 931 views

Acunetix WVS 10 Released – Keeping Your Website Secure just got Easier

Acunetix WVS 10 Released

Acunetix, the pioneer in automated web application security software, has announced the release of version 10 of its Vulnerability Scanner. New features are designed to prevent the risk of hacking for all customers; from small businesses up to large enterprises, including WordPress users, web application developers and pen testers.

Acunetix WVS 10 Released - Keeping Your Website Secure just got Easier

With the number of cyber-attacks drastically up in the last year and the cost of breaches doubling, never has limiting this risk been such a high priority and a cost-effective investment. The 2015 Information Security Breaches Survey from PWC found 90% of large organisations had suffered a breach and average costs have escalated to over £3m per breach, at the higher end.

“It’s a sad fact that today the odds are that your business has already been breached, perhaps multiple times. Don’t let cyber-criminals drive your web app security strategy. Proactively identify security exploits before criminals do and take back control,” said Nick Galea, CEO, Acunetix.

The areas of a website which are most likely to be attacked and are prone to vulnerabilities are those areas that require a user to login. Therefore the latest version of Acunetix vastly improves on its ‘Login Sequence Recorder’ which can now navigate multi-step authenticated areas automatically and with ease. It crawls at lightning speed with its ‘DeepScan’ crawling engine now analyzing web applications developed using both Java Frameworks and Ruby on Rails. Version 10 also improves the automated scanning of RESTful and SOAP-based web services and can now detect over 1200 vulnerabilities in WordPress core and plugins.

“Acunetix maintains its lead in cutting-edge web application technologies. By re-engineering the ‘Login Sequence Recorder’ from the ground up and baking-in support for external tools, we have extended the scanner’s reach into web applications, further bridging the gap between manual and automated security testing,” added Nick Galea.

New in WVS 10

  • ‘Login Sequence Recorder’ has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
  • Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
  • Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
  • Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
  • Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
  • Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

Automated scanning of restricted areas

Latest automation functionality makes Acunetix not only even easier to use, but gives better peace of mind through ensuring the entire website is scanned. Restricted areas, especially user login pages, make it more difficult for a scanner to access and often required manual intervention. The Acunetix “Login Sequence Recorder” overcomes this, having been significantly improved to allow restricted areas to be scanned completely automatically. This includes the ability to scan web applications that use Single Sign-On (SSO) and OAuth-based authentication. With the recorder following user actions rather than HTTP requests, it drastically improves support for anti-CSRF tokens, nonces or other one-time tokens, which are often used in restricted areas.

Top dog in WordPress vulnerability detection

With WordPress sites having exceeded 74 million in number, a single vulnerability found in the WordPress core, or even in a plugin, can be used to attack millions of individual sites. The flexibility of being able to use externally developed plugins leads to the development of even more vulnerabilities. Acunetix v10 now tests for over 1200 WordPress-specific vulnerabilities, based on the most frequently downloaded plugins, while still retaining the ability to detect vulnerabilities in custom built plugins. No other scanner on the market can detect as many WordPress vulnerabilities.

Support for various development architectures and web services

Many enterprise-grade, mission critical applications are built using Java Frameworks and Ruby on Rails. Version 10 has been engineered to accurately crawl and scan web applications built using these technologies. With the increase in HTML5 Single Page Applications and mobile applications, web services have become a significant attack vector. The new version improves support  for SOAP-based web services with WSDL and WCF descriptions as well as automated scanning of RESTful web services using WADL definitions. Furthermore, version 10, introduces dynamic crawl pre-seeding by integrating with external, third-party tools including Fiddler, Burp Suite and the Selenium IDE to enhance Business Logic Testing and the workflow between Manual Testing and Automation.

Detection of Malware and Phishing URLs

Acunetix WVS 10 will ship with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs. The Malware Detection Service makes use of the Google and Yandex Safe Browsing Database.

A trial version can be downloaded from:

http://www.acunetix.com/vulnerability-scanner/download/


30 June 2015 | 2,289 views

WATOBO – The Web Application Security Auditing Toolbox

WATOBO – The Web Application Security Auditing Toolbox – is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits.

It is capable of passive as well as active scanning and this latest is its real value added. It enables to automatize the discovery of common vulnerabilities (XSS, LFI, SQL injections etc) in web applications.

WATOBO - The Web Application Security Auditing Toolbox

WATOBO works like a local proxy, similar to ZAP, Paros or Burp Suite but in Ruby, when the rest are pretty much in JAVA.

Features

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOB can act as an transparent proxy
  • WATOBO has anti-CSRF features
  • WATOBO can perform vulnerability checks out of the box.
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easiely define your own checks
  • WATOBO is free software ( licensed under the GNU General Public License Version 2)

Scanning/Active Checks

During a scan all selected active modules will be used to test the one or more chats (chat = request/response pair). The total amount of resulting requests is hard to predict because in most cases it depends on the number of parameters and the module itself. Here’s the list of the currently available active checks:

  • Server-Status page
  • Directory Walker
  • FileExtensions
  • HTTP Methods
  • Lotus Domino DB Enumeration
  • .NET Custom Error
  • .NET Files
  • Local File Inclusion
  • Crossdomain Policy
  • Basic JBoss enumeration
  • SAP ITS: Default Commands
  • SAP ITS: Default Services
  • SAP ITS: Service Parameters
  • SAP ITS: XSS
  • Siebel Applications
  • Error-based SQL-Injection
  • Time-based SQL Injection
  • Boolean SQL-Injection
  • Numerical SQL-Injection
  • XML-XXE
  • NextGeneration Cross Site Scripting Checks
  • Simple Cross Site Scripting Checks

You can download WATOBO 0.9.20 gem here:

watobo-0.9.20.gem

Or read more here.