This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.

The sources supported are:

• Google – emails,subdomains/hostnames
• Google profiles – Employee names
• Bing search – emails, subdomains/hostnames,virtual hosts
• Pgp servers – emails, subdomains/hostnames
• Linkedin – Employee names
• Exalead – emails,subdomain/hostnames

New Features

• Time delays between requests
• XML and HTML results export
• Search a domain in all sources
• Virtual host verifier
• Shodan computer database integration
• Active enumeration (DNS enumeration,DNS reverse lookups, DNS TLD expansion)
• Basic graph with stats

Examples

Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching emails accounts for the domain microsoft.com in a PGP server, here it’s not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp

Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

You can download theHarvester here:

theHarvester-2.1_BH2011_Arsenal.tar

Or read more here.

SearchDiggity is a new GUI application that serves as a front-end to both GoogleDiggity and BingDiggity.

GoogleDiggity

With the retirement of Google’s SOAP Search API on September 7, 2009, most of the security utilities available for Google Hacking cease to function, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new MS Windows command line utility designed to help fill that need. GoogleDiggity leverages the Google AJAX API, so it will not get you blocked by Google bot detection while scanning. Also, unlike other Google Hacking tools available, GoogleDiggity actually allows you to specify a Google Custom Search Engine (CSE) id to run Google Hacking vulnerability checks against a customized version of Google that will only return results tailored to your organization.

BingDiggity

BingDiggity is a new command line utility that leverages the new Bing 2.0 API and a newly developed Bing Hacking Database (BHDB) to find vulnerabilities and sensitive information disclosures related to your organization that are exposed via Microsoft’s Bing search engine. This utility also provides footprinting functionality that allows you to enumerate URLS, hosts, domains, IP-to-virtual host mappings, etc. for target companies.

You can download SearchDiggity v1.0 here:

MSI Installer – searchdiggity.msi
ZIP File – searchdiggity.zip

Or read more here.

FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers dealing with discovering domain names/web sites/virtual hosts which are located on too many IP addresses. Provides a console interface so you can easily integrate this tool to your pentest automation system.

It retrieves domain names/web sites which are located on specified ip address/hostname.

In order to use FindDomains you need to:

1. Create an appid from “Bing Developers” at this link.
2. It’ll be like that : 32AFB589D1C8B4FEC73D4BCB6EA0AD810E0FA2C7
3. When you have registered an appid, enter it to the “appid.txt” which is in the program directory.

Features

• Uses Bing search engine. Works with first 1000 records.
• Multithreaded on crawling and DNS resolution.
• Performs DNS resolution for extracted domains to eleminate cached/old records.
• Has a console interface so it can be very useful with some command-line foo.
• Works with Mono. But running under Windows is more efficient.

Sample usage

FindDomains.exe 1.2.3.4

FindDomains.exe www.hotmail.com 

Requirements

• .NET Framework 3.5. Also working with Mono.

You can dowload FindDomains v.0.1.1 here:

FindDomainsv0.1.1.rar

Or read more here.

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby, licensed under GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

hostmap helps you using several techniques to enumerate all the hostnames associated with an IP address.

Features

• DNS names and virtual hosts enumeration
• Multiple discovery techniques, to read more see documentation.
• Results correlation, aggregation and normalization
• Multithreaded and event based engine
• Platform independent

Changes/New Features in v0.2

• Fully refactored and rewritten in Ruby.
• User requested interrupt (CTRL+C) now is handled.
• Added Rakefile to automatize task. For example readme and API documentation rebuilding.
• Changed info gathering plugin architecture. Now using PlugMan library.
• Added some host names to brute forcing dictionaries.
• Added parsing of alternate subject (subjectAltName) from X.509 certificates.
• Added info gathering plugin using dnshistory.org.
• Added wildcard domains detection.
• Added wildcard X.509 certificate detection.
• Added -d option to use a user supplied list of DNS servers
• Added blacklist for second level TLD (for example co.uk) detection.
• Added an enumeration plugin to use Microsoft Bing via API. API key must be provided in configuration file.
• Added a configuration file (hostmap.conf) to keep user settings.
• Added option –http-ports to specify the ports to check for an HTTP/HTTPS service.

You can see the complete list of changes here.

The user manual is available here – README.pdf [PDF]

You can download hostmap 0.2 here:

hostmap-0.2.tar.gz

Or read more here.

It’s been a while since I’ve seen a tool of this type, back in the heydays of Google Hacking (which became the generic term for information gathering via search engines) there were multiple tools such as Gooscan and Goolag.

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

You can download Binging here:

Binging.zip

Or read more here.

origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.

Features

• Create PDF documents from scratch.
• Parse existing documents, modify them and recompile them.
• Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
• High-level operations, such as encryption/decryption, signature, file attachments…
• A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

• detectjs.rb: search for all JavaScript objects.
• embed.rb: add an attachment to a PDF file.
• create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
• moebius.rb: transform a PDF to a moebius strip.
• encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

dnsmap is a subdomain bruteforcer for stealth enumeration, you could say something similar to Reverse Raider or DNSenum.

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (public zone transfers rarely work nowadays).

Original Features of Version 0.1

• obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
• abort the bruteforcing process in case the target domain uses wildcards
• ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
• bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22

• saving the results in human-readable and CSV format for easy processing
• fixed bug that disallowed reading wordlists with DOS CRLF format
• improved built-in subdomains wordlist
• new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file.
• bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

You can download dnsmap 0.22 here:

dnsmap-0222tar.gz (Make sure you add another . before the tar)

Or read more here.

We’ve mentioned Twitter a few times lately as it has become a larger and larger part of the social web and the premier ‘micro-blogging’ platform.

There was a recent Phishing issue on Twitter and before that Twitter Jacking and a CSRF bug that allowed auto-following.

Due to the large update of Twitter, the amount of datable available on the site and it’s easily searchable nature it has become a great platform for data-mining and information gathering (the first and sometimes most important parts of any pen test/vuln ass or security test).

Twitter is fun. It’s also a powerful research tool. People increasingly use Twitter to share advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable. Much of that data is public and available for mining.

Here’s how to use Twitter to gather useful information about topics, companies, and individuals. I’ll cover native Twitter features, as well as third-party tools with catchy names, such as 5and2fish, Twitter Venn, TwitterFriends, PeopleBrowsr , Twitturly, Twitter Spectrum, and others.

Most of the techniques mentioned here don’t require you to be a registered Twitter user. If you use Twitter, consider what data tidbits you release there, and whether you need to be more careful.

People don’t tend to be so careful or post in such a considered manner when using Twitter as the tidbits posted are so short and off-the-cuff.

This leads to an interesting source of information for people like us doing research about an individual or organization. You can really get a good gauge on the publics feelings for a certain topic too by searching Twitter for relevant keywords.

For example if you search Twitter for ‘Darknet‘ you can see some people mentioning our posts and one guy pretty consistently re-syndicating our content onto the micro-blogging platform.

As you gather information on Twitter, be mindful of others attempting to manipulate you into arriving at their conclusions by feeding you misinformation. Cross-check data and understand its sources. For more on this, see Is Twitter A Market Manipulator’s Dream on the TwiTip blog. If the topic of reputational attacks interests you, also look at the SpinHunters blog.

If using Twitter to share information and stay in touch with your friends, be mindful of how others might misuse what you reveal about yourself, others, or your company. In the words of Wired magazine’s Steven Levy, “No matter how innocuous your individual tweets, the aggregate ends up being the foundation of a scary-deep self-portrait. It’s like a psychographic version of strip poker–I’m disrobing, 140 characters at a time.”

It’s an article well worth reading if you are a Twitter user or not, if you are an infosec professional it gives you another source to search when you are doing information gathering or data-mining tasks.

The Internet is always evolving along with the way people use it, as it becomes a more social platform – more information is bound to be ‘exposed‘ online – for us to find..

Source: SANS ISC

Maltego is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way.

Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields!

Maltego offers the user with unprecedented information. Information is leverage.

What does Maltego do?

Maltego is a program that can be used to determine the relationships and real world links between:

• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as: Domains, DNS Names, Netblocks and IP Addresses
• Phrases
• Affiliations
• Documents and files

These entities are linked using open source intelligence.

• Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

Limitations

The Community Edition is limited in the following ways:

• A 15second nag screen
• Save and Export has been disabled
• Limited zoom levels
• Can only run transforms on a single entity at a time
• Cannot copy and paste text from detailed view
• Transforms limited to 75 per day
• Throttled client to TAS communication

Check out the User Guide here.

You can download Maltego Community Edition here:

Maltego CE – Linux
Maltego CE – Windows

Or read more here.

Sam Spade is one of the oldest network security tools around in terms of a neat package containing a lot of stuff you need, it’s one of the first things I used when I got into information security and I was on a crusade against spammers and scammers.

It has all kinds of useful tools in a neat graphical interface, a lot of them are available on the command line in Windows – but they aren’t so easy to use. It’s extremely useful for tracking spam or ‘UCE’ as it’s known (Unsolicited Commercial E-mail).

Some of the features included are:

• Ping
• NSlookup
• Whois
• IP block search
• Dig
• Traceroute
• Finger
• SMTP VRFY
• Web browser keep-alive
• DNS zone transfer
• SMTP relay check
• Usenet cancel check
• Website download
• Website search
• Email header analysis
• Email blacklist
• Query Abuse address

Some other cool stuff it does is:

• Each tool displays it’s output in it’s own window, and everything is multi-threaded so you don’t need to wait for one query to complete before starting the next one
• Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
• The output from each query is hotlinked, so you can right click on an email address, IP address, hostname or internic tag to run another query on it
• Appending the results of a query to the log window is a single button function
• There’s a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself

You can download Sam Spade here:

Sam Spade v1.14

Or read more here.