It retrieves domain names/web sites which are located on specified ip address/hostname.

In order to use FindDomains you need to:

1. Create an appid from “Bing Developers” at this link.
2. It’ll be like that : 32AFB589D1C8B4FEC73D4BCB6EA0AD810E0FA2C7
3. When you have registered an appid, enter it to the “appid.txt” which is in the program directory.

Features

• Uses Bing search engine. Works with first 1000 records.
• Multithreaded on crawling and DNS resolution.
• Performs DNS resolution for extracted domains to eleminate cached/old records.
• Has a console interface so it can be very useful with some command-line foo.
• Works with Mono. But running under Windows is more efficient.

Sample usage

FindDomains.exe 1.2.3.4

FindDomains.exe www.hotmail.com 

Requirements

• .NET Framework 3.5. Also working with Mono.

You can dowload FindDomains v.0.1.1 here:

FindDomainsv0.1.1.rar

Or read more here.

hostmap helps you using several techniques to enumerate all the hostnames associated with an IP address.

Features

• DNS names and virtual hosts enumeration
• Multiple discovery techniques, to read more see documentation.
• Results correlation, aggregation and normalization
• Multithreaded and event based engine
• Platform independent

Changes/New Features in v0.2

• Fully refactored and rewritten in Ruby.
• User requested interrupt (CTRL+C) now is handled.
• Added Rakefile to automatize task. For example readme and API documentation rebuilding.
• Changed info gathering plugin architecture. Now using PlugMan library.
• Added some host names to brute forcing dictionaries.
• Added parsing of alternate subject (subjectAltName) from X.509 certificates.
• Added info gathering plugin using dnshistory.org.
• Added wildcard domains detection.
• Added wildcard X.509 certificate detection.
• Added -d option to use a user supplied list of DNS servers
• Added blacklist for second level TLD (for example co.uk) detection.
• Added an enumeration plugin to use Microsoft Bing via API. API key must be provided in configuration file.
• Added a configuration file (hostmap.conf) to keep user settings.
• Added option –http-ports to specify the ports to check for an HTTP/HTTPS service.

You can see the complete list of changes here.

The user manual is available here – README.pdf [PDF]

You can download hostmap 0.2 here:

hostmap-0.2.tar.gz

Or read more here.

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

You can download Binging here:

Binging.zip

Or read more here.

Features

• Create PDF documents from scratch.
• Parse existing documents, modify them and recompile them.
• Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
• High-level operations, such as encryption/decryption, signature, file attachments…
• A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

• detectjs.rb: search for all JavaScript objects.
• embed.rb: add an attachment to a PDF file.
• create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
• moebius.rb: transform a PDF to a moebius strip.
• encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (public zone transfers rarely work nowadays).

Original Features of Version 0.1

• obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
• abort the bruteforcing process in case the target domain uses wildcards
• ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
• bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22

• saving the results in human-readable and CSV format for easy processing
• fixed bug that disallowed reading wordlists with DOS CRLF format
• improved built-in subdomains wordlist
• new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file.
• bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

You can download dnsmap 0.22 here:

dnsmap-0222tar.gz (Make sure you add another . before the tar)

Or read more here.

There was a recent Phishing issue on Twitter and before that Twitter Jacking and a CSRF bug that allowed auto-following.

Due to the large update of Twitter, the amount of datable available on the site and it’s easily searchable nature it has become a great platform for data-mining and information gathering (the first and sometimes most important parts of any pen test/vuln ass or security test).

Twitter is fun. It’s also a powerful research tool. People increasingly use Twitter to share advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable. Much of that data is public and available for mining.

Here’s how to use Twitter to gather useful information about topics, companies, and individuals. I’ll cover native Twitter features, as well as third-party tools with catchy names, such as 5and2fish, Twitter Venn, TwitterFriends, PeopleBrowsr , Twitturly, Twitter Spectrum, and others.

Most of the techniques mentioned here don’t require you to be a registered Twitter user. If you use Twitter, consider what data tidbits you release there, and whether you need to be more careful.

People don’t tend to be so careful or post in such a considered manner when using Twitter as the tidbits posted are so short and off-the-cuff.

This leads to an interesting source of information for people like us doing research about an individual or organization. You can really get a good gauge on the publics feelings for a certain topic too by searching Twitter for relevant keywords.

For example if you search Twitter for ‘Darknet‘ you can see some people mentioning our posts and one guy pretty consistently re-syndicating our content onto the micro-blogging platform.

As you gather information on Twitter, be mindful of others attempting to manipulate you into arriving at their conclusions by feeding you misinformation. Cross-check data and understand its sources. For more on this, see Is Twitter A Market Manipulator’s Dream on the TwiTip blog. If the topic of reputational attacks interests you, also look at the SpinHunters blog.

If using Twitter to share information and stay in touch with your friends, be mindful of how others might misuse what you reveal about yourself, others, or your company. In the words of Wired magazine’s Steven Levy, “No matter how innocuous your individual tweets, the aggregate ends up being the foundation of a scary-deep self-portrait. It’s like a psychographic version of strip poker–I’m disrobing, 140 characters at a time.”

It’s an article well worth reading if you are a Twitter user or not, if you are an infosec professional it gives you another source to search when you are doing information gathering or data-mining tasks.

The Internet is always evolving along with the way people use it, as it becomes a more social platform – more information is bound to be ‘exposed‘ online – for us to find..

Source: SANS ISC

Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields!

Maltego offers the user with unprecedented information. Information is leverage.

What does Maltego do?

Maltego is a program that can be used to determine the relationships and real world links between:

• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as: Domains, DNS Names, Netblocks and IP Addresses
• Phrases
• Affiliations
• Documents and files

These entities are linked using open source intelligence.

• Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

Limitations

The Community Edition is limited in the following ways:

• A 15second nag screen
• Save and Export has been disabled
• Limited zoom levels
• Can only run transforms on a single entity at a time
• Cannot copy and paste text from detailed view
• Transforms limited to 75 per day
• Throttled client to TAS communication

Check out the User Guide here.

You can download Maltego Community Edition here:

Maltego CE – Linux
Maltego CE – Windows

Or read more here.

It has all kinds of useful tools in a neat graphical interface, a lot of them are available on the command line in Windows – but they aren’t so easy to use. It’s extremely useful for tracking spam or ‘UCE’ as it’s known (Unsolicited Commercial E-mail).

Some of the features included are:

• Ping
• NSlookup
• Whois
• IP block search
• Dig
• Traceroute
• Finger
• SMTP VRFY
• Web browser keep-alive
• DNS zone transfer
• SMTP relay check
• Usenet cancel check
• Website download
• Website search
• Email header analysis
• Email blacklist
• Query Abuse address

Some other cool stuff it does is:

• Each tool displays it’s output in it’s own window, and everything is multi-threaded so you don’t need to wait for one query to complete before starting the next one
• Some functions are threaded still further to allow lazy reverse DNS lookups (never do a traceroute -n again)
• The output from each query is hotlinked, so you can right click on an email address, IP address, hostname or internic tag to run another query on it
• Appending the results of a query to the log window is a single button function
• There’s a lot of online help, in both WinHelp and HTMLHelp formats. This includes tutorials, background information and links to online resources as well as the program manual itself

You can download Sam Spade here:

Sam Spade v1.14

Or read more here.

The Google Hacking Database has been active for years now and there are hundreds of queries that can bring up juicy information. Goolag was also released this year which gives a much easier, automated way of Google Hacking for specific domains or info.

Search engines such as Google are increasingly being used by hackers against Web applications that hold sensitive data, according to a security expert.

Even with rising awareness about data security, it takes all of a few seconds to pluck Social Security numbers from Web sites using targeted search terms, said Amichai Shulman, founder and CTO for database- and application-security company Imperva.

The fact that Social Security numbers are even on the Web is a human error; the information should never be published in the first place. But hackers are using Google in more sophisticated ways to automate attacks against Web sites, Shulman said.

Shulman said Imperva recently discovered a way to execute a SQL injection attack that comes from an IP address that belongs to Google.

It seems like it’s becoming big business on both sides, finding information and vulnerable sites and by gaming Google into dropping pages from the index (Blackhat SEO).

Even with the throttling it’ll still continue, people will find smarter ways to make the queries so it’s not blocked and they’ll build rate limiting into their tools so they don’t get dropped. The bad guys have plenty of patience, trust me on that.

Manipulating Google is particularly useful since it offers anonymity for a hacker plus an automated attack engine, Shulman said.

Tools such as Goolag and Gooscan can execute broad searches across the Web for specific vulnerabilities and return lists of Web sites that have those problems.

“This is no more a script kiddy game — this is a business,” Shulman said. “This is a very powerful hacking capability.”

Another attack method is so-called Google worms, which use the search engine to find specific vulnerabilities. With the inclusion of additional code, the vulnerability can be exploited, Shulman said.

“In 2004, this was science fiction,” Shulman said. “In 2008, this is a painful reality.”

Google and other search engines are taking steps to stop the abuse. For example, Google has stopped certain kinds of searches that could yield a trove of Social Security numbers in a single swoop. It also puts limits on the number of search requests sent per minute, which can slow down mass searches for vulnerable Web sites.

As they said, this is not some script kiddy stuff, with the amount of queries going on and the complexity this is some serious business!

Any pen-test or vulnerability assessment should have an information gathering stage and it’s here you should be using Google Hacking techniques and tools to uncover anything on the domain or company infrastructure that shouldn’t be there.

Just be warned that this kind of stuff is on the up, so brief your clients of the dangers and make sure this step is included in the audit.

Source: Network World

Process of extracting data from Web pages is also referred as Web Scraping or Web Data Mining. World Wide Web, as the largest database, often contains various data that we would like to consume for our needs. The problem is that this data is in most cases mixed together with formatting code – that way making human-friendly, but not machine-friendly content. Doing manual copy-paste is error prone, tedious and sometimes even impossible. Web software designers usually discuss how to make clean separation between content and style, using various frameworks and design patterns in order to achieve that. Anyway, some kind of merge occurs usually at the server side, so that the bunch of HTML is delivered to the web client.

Every Web site and every Web page is composed using some logic. It is therefore needed to describe reverse process – how to fetch desired data from the mixed content. Every extraction procedure in Web-Harvest is user-defined through XML-based configuration files. Each configuration file describes sequence of processors executing some common task in order to accomplish the final goal. Processors execute in the form of pipeline. Thus, the output of one processor execution is input to another one. This can be best explained using the simple configuration fragment:

<xpath expression="//a[@shape='rect']/@href">
    <html-to-xml>
        <http url="http://www.somesite.com/"/>
    </html-to-xml>
</xpath>

When Web-Harvest executes this part of configuration, the following steps occur:

1. http processor downloads content from the specified URL.
2. html-to-xml processor cleans up that HTML producing XHTML content.
3. xpath processor searches specific links in XHTML from previous step giving URL sequence as a result.

Web-Harvest supports a set of useful processors for variable manipulation, conditional branching, looping, functions, file operations, HTML and XML processing, exception handling. See User manual for technical description of provided processors.

You can download Web-Harvest 1.0 here:

webharvest1-exe.zip

Or read more here.