REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Single Static Assignment (SSA), allows loading Mac OS X files and supports 32 and 64 bit binaries.

Although still under development, it has reached a stage that makes it more useful than the old Rec Studio 2.

Features

• Multihost: Rec Studio runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X.
• Symbolic information support using Dwarf 2 and partial recognition of Microsoft’s PDB format.
• C++ is partially recognized: mangled names generated by gcc are demangled, as well as inheritance described in dwarf2 is honored. However, C++ is a very broad and difficult language, so some features like templates won’t likely be ever supported.
• Types and function prototype definitions can be specified in text files. Some standard Posix and Windows APIs are already provided in the Rec Studio package.
• Interactivity is supported, limited to definition of sections, labels and function entry points. Will need to improve it to support in-program definition of types and function parameters.

Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging information, if a program data base file (.PDB) or Codeview (C7) format was used, or if the optimization option of the compiler was enabled, the output produced will not be very good. Moreover, Visual Basic 5 executable files are a mix of Subroutine code and Form data. It is almost impossible for REC to determine which is which. The only option is to use a .cmd file and manually specify which area is code and which area is data.

You can download Rec Studio 4 here:

Windows – RecStudioWin.zip
Ubuntu – RecStudioLinux.tgz
Mac – RecStudioMac.tgz

Or read more here.

The author notified me of a new version that was recently released with quite a few additions. For those not familiar with it, Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Changes in V2.0

The major changes in v2.0 is the addition of a code analysis module which comes with Android and iOS rules, an editor for the checklist questions and the ability to create/edit/remove code analysis rules.

• Fixed verify report button bug. It used to make the app crash if the report path field was empty because it didn’t check if it was empty before trying to use the field value.
• Delete profile functionality added on the “view profiles” tab. Some users requested this functionality.
• Removed hard coded filesystem paths and database names/locations from the code and make them configuration items.
• Data editor for both principles and checklist guidance sections. This allows users to customise the guidance using their own languages, guidance text etc.
• Increase the max size value of the text boxes on the principles guidance tab to allow more information to be entered by users.
• More accurate error on the profile creation tab – specify exactly what fields have been missed rather than listing all.
• Added “About” form with info, license, credits etc
• Regular expressions expanded to include a wider range of characters including non English characters.
• Turn the “other” language box red if the user clicks save with the other check box ticked but not language entered on the create and view profile tabs.
• Metrics tab now “returns” if only one app is available rather than trying to load all graphs and throwing a separate error for each one.

The author is always interested in feedback and has integrated a lot of it into v2.0 of Agnitio, if you want to give some suggestions/bug reports or whatever after using the tool you can do so via the Security Ninja blog here, or on Twitter @securityninja.

You can download Agnitio v2.0 here:

Agnitio v2.zip

Or read more here.

It’s not exactly new, but I guess a lot of people still don’t know about it. Basically if you don’t know what to do next, this is where Metasploitable comes in! One of the questions that the Metasploit developers often hear is “What systems can I use to test against?” Based on this, they thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older MySQL.

You can use most VMware products to run it, and you’ll want to make sure it’s configured for Host-only networking unless it’s in your lab – no need to throw another vulnerable machine on the corporate network. It’s configured in non-persistent-disk mode, so you can simply reset it if you accidentally ‘rm -rf’ it.

There are various other similar setups you can test out your hacking kung-fu on like:

• Bodgeit Store
• Jarlsberg
• WackoPicko
• Damn Vulnerable Web Application (DVWA)
• Vicnum

You can download Metasploitable here:

Torrent – Metasploitable.zip.torrent
(Be careful opening the readme.txt as there are spoilers in it).

Or read more here.

Examples:

$ ./ksymhunter prepare_kernel_cred
[+] trying to resolve prepare_kernel_cred...
[+] resolved prepare_kernel_cred using /boot/System.map-2.6.38-gentoo
[+] resolved prepare_kernel_cred to 0xffffffff81061060

And..

$ ./ksymhunter commit_creds
[+] trying to resolve commit_creds...
[+] resolved commit_creds using /boot/System.map-2.6.38-gentoo
[+] resolved commit_creds to 0xffffffff81060dc0

You can download ksymhunter v1.0 here:

ksymhunter.tar.gz

Or read more here.

This is a stepping release since for the first time the Dynamic Analysis has been included for file creations (will be improved for other network/registry indicators sooner) along with process dumping feature.

Features

• String based analysis for registry, API calls, IRC Commands, DLL’s called and VM Aware.
• Display detailed headers of PE with all its section details, import and export symbols etc.
• On Distro, can perform an ascii dump of the PE along with other options (check –help argument).
• For Windows, it can generate various section of a PE : DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
• ASCII dump on windows machine
• Code Analysis (disassembling)
• Online malware checking (http://www.virustotal.com)
• Check for Packer from the Database.
• Tracer functionality
• Signature Creation: Allows to create signature of malware
• CRC and Timestamp verification.
• Entropy based scan to identify malicious sections.
• Dump a process memory
• Dynamic Analysis (Still in beginning stage) for file creations.

You can download Malware Analyser v3.0 here:

malware_analyser 3.0.zip

Or read more here.

Features

• Easy to install – just requires java and a servlet engine, e.g. Tomcat
• Self contained (no additional dependencies other than to 2 in the above line)
• Easy to change on the fly – all the functionality is implemented in JSPs, so no IDE required
• Cross platform
• Open source
• No separate db to install and configure – it uses an ‘in memory’ db that is automatically (re)initialized on start up

There is also a ‘scoring’ page where you can see various hacking challenges and whether you have completed them or not.

Install

All you need to do is download and open the zip file, and then extract the war file into the webapps directory of your favorite servlet engine.

Then point your browser at (for example) http://localhost:8080/bodgeit

The author recommends Zed Attack Proxy to get you started.

You can download BodgeIt Store here:

bodgeit.1.1.0.zip

Or read more here.

There are a number of differences between CAT and currently available web proxies. They include:

• CAT uses Internet Explorer’s rendering engine for accurate HTML representation
• It supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
• It offers integrated SQL Injection and XSS Detection
• Synchronised Proxies for Authentication and Authorisation checking
• Faster performance due to HTTP connection caching
• SSL Version and Cipher checker using OpenSSL
• Greater flexibility for importing/exporting logs and saving projects
• Tabbed Interface allows for multiple tools at once e.g. multiple repeaters & different logs
• The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
• It’s free!

Do bear in mind that this is a free tool, but it is NOT Open Source. Also take a good look at the EULA before using it (especially Section 6).

You can download CAT Beta 4 here:

CAT_Beta_4.msi

Or read more here. (Thanks to reader Simon for the heads-up on this.)

v1.2 of Agnitio includes a new application metrics section to give better visibility of the security code review process and allows you to monitor trends etc across multiple reviews of an application.

More details about the changes and plans for upcoming v2.0 here:

Agnitio v1.2 released today

You can download Agnitio v1.2 here:

Agnitiov1_2.zip

Or read more here.

The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.

The cross_fuzz fuzzing Algorithm

1. Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default – although any other, possibly plugin-supported formats could be targeted instead.
2. Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
3. Repeat DOM crawl, randomly tweaking encountered object properties by setting them to a one of the previously recorded references (or, with some probability, to one of a handful of hardcoded “interesting” values).
4. Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and “interesting” values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
5. Randomly destroy first document using one of the several possible methods, toggle garbage collection.
6. Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
7. Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.

This design can make it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool – and some not-so-elusive ones. I believe that at this point, a broader community involvement may be instrumental to tracking down and resolving these bugs.

I also believe that at least one of the vulnerabilities discovered by cross_fuzz may be known to third parties – which makes getting this tool out a priority.

You can download cross_fuzz here:

http://lcamtuf.coredump.cx/cross_fuzz

Or read more here.

The fuzzer’s own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.

While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz.

IOCTL Fuzzer works on Windows XP, 2003 Server, Vista, Windows 7 and 2008 Server.

New in 1.2 version

• Windows 7 support
• Full support of 64-bit versions of Windows
• Exceptions monitoring
• “Fair Fuzzing” feature
• Different data generation modes
• Boot fuzzing (during OS initialization)

You can download IOCTL Fuzzer v1.2 here:

ioctl_fuzzer-1.2.zip

Or read more here.