The tool is supplied with a file containing a list of usernames and requests a TGT for each user and then waits for the response. If the KDC responds with a valid TGT or with an error message stating that pre-authentication is required, a valid username has been discovered. Several guesses can be run in parallel (currently only against a single KDC) in order to improve performance.

Be careful not to run with to many threads and low timeouts as it will bring the KDC to its knees during the time of the test. The default values have been tuned against a virtual machine, and currently eat somewhere around 80% CPU which gives me roughly 700 guesses per second. In most cases the network throughput won’t be the performance bottleneck. So far I’m seeing that 2-3MBit of queries is generating a sustained 100% CPU load against both Heimdal on Ubuntu and Windows 2003.

The tool is written in Java and does not rely on any Kerberos libraries to perform the guessing. In order to successfully run the tool against a system it needs at least the realm, dictionary and a server parameters to be set. eg.

java -jar krbguess.jar -s 192.168.56.11 -r HEMMA \ -o report.txt -d ./dic.txt

You can download KrbGuess here:

krbguess-0.21-bin.tar.gz

Or read more here.

We will creating JavaScript and Flash objects that are able to be delivered via XSS attacks. These code payloads will contain the fingerprinting information used to map out a network and the devices and software it contains.

In basic terms Yokoso! is a collection of infrastructure fingerprints. These fingerprints are useful during penetration tests to determine both what infrastructure is in use and to determine who are the admins of that infrastructure. It is built using the URIs of the web administration interfaces.

You can download Yokoso! v0.1 here:

yokoso.0.1.tar.gz

Or read more here.

For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Changes

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

• Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins
• Rewrite to the reporting engine allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing
• Large overhaul of documentation to document built-in methods and variables
• Addition of caching to reduce amount of calls made to the web servers, as well as a facility to disable smart 404 guessing.
• Addition of simple guessing for whether a system is an embedded device and to report what it is
• Plugin to use OWASPs dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)
• Plugin to attempt to brute force domains (as mutate 5)
• Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing
• Support for NTLM authentication
• Lots of bug fixes and new security checks

You can download Nikon 2.1.0 here:

nikto-current.tar.gz

Plugins and DB can be found here.

Or read more here.

Features

• Create PDF documents from scratch.
• Parse existing documents, modify them and recompile them.
• Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
• High-level operations, such as encryption/decryption, signature, file attachments…
• A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

• detectjs.rb: search for all JavaScript objects.
• embed.rb: add an attachment to a PDF file.
• create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
• moebius.rb: transform a PDF to a moebius strip.
• encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

The following links provide more information about the Naptha denial-of-service vulnerabilities:

• The original BindView advisory is archived here.
• The advisory that CERT/CC published for the Naptha vulnerabilities is here.

The Tool

To study and show the Naptha vulnerabilities, Bob Keyes wrote the Naptha tool. The tool was written in C and used libpcap to read packets from the network and libdnet to craft packets.

The Naptha tool actually consists of two programs: a program called synsend whose only function is to send TCP SYN packets to the target system, and a program called srvr whose function is to respond to specific traffic received from the target system with TCP packets with specific TCP flags set. Both what traffic to respond to and how to respond to it are specified by the user via command-line arguments.

You can download Naptha here:

naptha-1.1.tgz

Or read more here.

I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like Snort.

http://opendpi.org/

Deep packet inspection (DPI) hardware can identify an astonishing array of protocols passing across the Internet—up to and including protocols that are rare even to us in the Orbiting HQ (Gadu-Gadu? Manolito? Feidian?). But if you’ve ever wondered just how this can be done, and done at wire speed, wonder no more: Europe’s leading DPI vendor has open-sourced a version of its traffic detection engine.

OpenDPI.org is the new home for ipoque’s open source project; anyone interested can take a look at the code or contribute patches. The goal in this case, though, isn’t so much about crowdsourcing product development but about easing consumer fears about DPI technology.

Klaus Mochalski, CEO of ipoque, explains that “transparency was important for us from the beginning. The lack of transparency from the vendors’ side is widespread in the DPI business. Our thoughts are a bit different and that is why we decided to push this project.”

It can identify a whole range of weird and wonderful protocols including those you’ve never heard of.

The free version is basically a watered down of the commercial product, it’s slow, doesn’t come bundled with some fancy supercomputer grade hardware and can’t handle encrypted transmissions.

I think it will be useful too for people building open source router systems to manage traffic, do traffic shaping and general QoS with much more accuracy (rather than relying on port classification).

The OpenDPI engine, released under the LGPL license, differs from ipoque’s commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn’t reveal ipoque’s methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions.

ipoque apparently wants to convince people that its detection code doesn’t store or examine the actual content being transmitted. The company made the same point in a white paper released last week. “DPI as such has no negative impact on online privacy,” it says. “It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content.

Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management—the classification of network protocols and applications.”

I hope they keep developing the project, or some other folks in the Open Source community step up and turn it into a full blown development fork.

That would be great, harness the existing technology and improve on it.

Because let’s face it, any commercial company releasing an Open Source branch of their software has no incentive to make it that great lest it get better than the stuff they are selling.

Source: Ars Technica

This distribution is a work in progress. If you would like to see a tool or package included please feel free to suggest them to the author.

VAST also has built into synaptic package manager a third party repository link for the VIPER tools, so when you update a tool it’s as easy as “apt-get”.

Specs

• Size 900MB
• Built on Ubuntu 9.04
• Full language pack
• git,apt-get,svn
• Includes custom repository for VIPER tools

Tool List

• UCsniff
• VideoSnarf
• Videojak
• Metasploit
• SecurLogix Tools
• Hydra
• Nmap
• tshark
• Sipvicious
• SIPp
• Netcat
• Warvox
• Hping2

You can download VAST here:

VIPER_VASTbetav2.71.iso

Or read more here.

Explanation

When we use a Gateway, we send the packets with IP destination of the target, but the destination MAC on the ethernet is the MAC at the Gateway. If we send a packet to the different MACs in the LAN, we can know who is the gateway when we receive an response from this MAC.

Some times we can discover more than one box configured to be an gateway, generally, this is an wrong configuration, and the box will response with an ICMP-Redirect. This is the same, because the script only verify if the mac response.

NatProbe is develop in Python with the Scapy library.

You can download Nat Probe here:

natprobe.1.0.tar.gz

Or read more here.

This means it’s a fully fledged linux pen-testing/security environment.

Some included tools & Updates

• gcc-4.2
• sun-java6-jre sun-java6-plugin
• spoonwep-wpa-rc3.deb
• airsnort-0.2.7e.tar.gz
• wepbuster-1.0_beta_0.6
• jbrofuzz-jar-15
• wfuzz-1.4
• tor-0.2.1.19
• privoxy-3.0.8-stable-src
• ophcrack-3.3.1
• vncrack_src-1.21
• fuzzgrind_090622

A new version (coming with bug fixes, included rainbow tables, wordlists, extras etc.) will be available for FRHACK 01, so you’ll be able to use it for the FRHACK Wargame.

You can download FRHACK OS v1 alpha1 (1.4GB) here:

frhack-os.iso

Key Features

1. JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
2. Multiple Environments – The core technology can run in normal browsers, xulrunner, xpcshell (command line), inside Java or as part of a custom V8 (Chrome’s JavaScript Engine) build. The core is written with extensibility in mind so that more environments can be supported without changing even a single line of code.
3. Multi-platform – The tool is available and successfully runs on Windows, Mac OS, Linux and other operating systems.
4. Automatic Updates – Every single piece of the tool is subjected to automatic updates. This means that newer and more advanced versions of the tool can be shipped to your front door without you lifting your finger. This however is completely optional. The automatic update can be turned off if needed.
5. Extensions – Because the tool comes wrapped in xulrunner by default (keep in mind that we can support any other JavaScript environment) we benefit from all cool features that Firefox has, such as extensions. Extensions are easy to write and maintain and can customize every single aspect of the tool and there are already tones of resources and documentation, including books and what not, out there to teach you exactly how to do that. We will be providing documentation as well.

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

Or read more here.