Newsletter - September 2014. T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Similar documents
Newsletter - January T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Introduction to Penetration Testing Graham Weston

Application Security Testing

Ethical Hacking as a Professional Penetration Testing Technique

Introduction: 1. Daily 360 Website Scanning for Malware

Penetration Testing Workshop

Penetration Testing with Kali Linux

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

June 2014 WMLUG Meeting Kali Linux

Learn Ethical Hacking, Become a Pentester

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Penetration: from Application down to OS

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Vulnerability Assessment and Penetration Testing

Penetration Testing. Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014

CRYPTUS DIPLOMA IN IT SECURITY

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Pivotal Basics for Every Beginner

Information Security. Training

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

FortiWeb 5.0, Web Application Firewall Course #251

(WAPT) Web Application Penetration Testing

WEB APPLICATION VULNERABILITY STATISTICS (2013)

CYBERTRON NETWORK SOLUTIONS

STABLE & SECURE BANK lab writeup. Page 1 of 21

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Metasploit The Elixir of Network Security

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Web Application Vulnerability Testing with Nessus


The Top Web Application Attacks: Are you vulnerable?

HTExploit: Bypassing htaccess Restrictions

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web application testing

SAST, DAST and Vulnerability Assessments, = 4

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

FORBIDDEN - Ethical Hacking Workshop Duration

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Penetration Testing in Romania

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Web Application Security

Overview of the Penetration Test Implementation and Service. Peter Kanters

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Client logo placeholder XXX REPORT. Page 1 of 37

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

ensuring security the way how we do it

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

IDS and Penetration Testing Lab ISA 674

Adobe Systems Incorporated

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Integrating Web Application Security into the IT Curriculum

Best IT Security Tools & Software. rewind< & past database.com

Introduction to Network Security Lab 2 - NMap

McAfee Certified Assessment Specialist Network

The only False Positive Free. Web Application Security Scanner

Intrusion detection for web applications

Common Security Vulnerabilities in Online Payment Systems

Real World Web Service Testing For Web Hackers

April 11, (Revision 2)

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Guidelines for Web applications protection with dedicated Web Application Firewall

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Evaluation of Penetration Testing Software. Research

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Sample Report. Security Test Plan. Prepared by Security Innovation

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Table of Contents. Page 2/13

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Loophole+ with Ethical Hacking and Penetration Testing

Bust a cap in a web app with OWASP ZAP

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Enterprise-Grade Security from the Cloud

Vulnerability analysis

The Security Development Life Cycle

Web application security: Testing for vulnerabilities

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Attack and Penetration Testing 101

Penetration testing: exposure of fallacies 1-14

Passing PCI Compliance How to Address the Application Security Mandates

2016 TÜBİTAK BİLGEM Cyber Security Institute

Intelligence Gathering. n00bpentesting.com

The Nexpose Expert System

Network Security Audit. Vulnerability Assessment (VA)

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Using Nessus In Web Application Vulnerability Assessments

Transcription:

Newsletter - September 2014 T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Tools! Lots of Tools Released! During September 2014, we published 7 Posts with 2 News Tools. Organized by Date OWASP Xenotix XSS Exploit Framework v6 Released Lynis v1.6.2 Released [New Tool] Hakabana v0.2.1 Visualization Tool Released Lynis v1.6.0 Released Nmap v6.47 Released Arachni v1.0 Web User Interface v0.5 Released [New Tool] dirs3arch v0.2.5 Brute Force Directories and Files Black Hat Arsenal USA 2014 - Wrap up Day 2 http:// www.toolswatch. org/? p=109219 Developer Corner This is a new section where some developers have the possibility to tell us about their tools. Do you want to participate? maxisoler *nospam* toolswatch dot org Articles: OWASP Xenotix XSS Exploit Framework v6 (By Ajin Abraham) MKBRUTUS: Password bruteforcer for Mikrotik devices or boxes running RouterOS (By Ramiro J. Caire & Federico Massa) Papers (IN)Secure Magazine issue 43 (September 2014) available

Find Vulnerabilities in your Web Applications with Netsparker Malicious hackers are constantly looking for vulnerable web applications to hack into and steal sensitive business intelligence data, customer information, credit card numbers and more. The more your business relies on web applications the more of a target these web applications become because they are available 24/7 and are unprotected. Web application vulnerabilities can be automatically detected and are easily exploited. You can find web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) with the Netsparker Web Application Security Scanner before hackers do and ensure that your web applications, business operations and reputation are protected. Netsparker is the only fully automated False Positive Free web application security scanner that detects vulnerabilities on websites and in web applications and reports extensive details about every detected vulnerability. Netsparker is the only False-positive-free web application security scanner www.netsparker.com

Tools! Lots of Tools Released! OWASP Xenotix XSS Exploit Framework v6 Released OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. http:// www.toolswatch. org/? p=123979 Lynis v1.6.2 Released Lynis is an auditing tool which tests and gathers (security) information from Unix based systems. The audience for this tool are security and system auditors, network specialists and system maintainers. http:// www.toolswatch. org/? p=123976 [New Tool] Hakabana v0.2.1 - Visualization Tool Released Visualize Haka traffic in real-time using Kibana and Elasticsearch. Haka is an open source security oriented language which allows to describe protocols and apply security policies on (live) captured traffic. http:// www.toolswatch. org/? p=123939 Lynis v1.6.0 Released Lynis is an auditing tool which tests and gathers (security) information from Unix based systems. The audience for this tool are security and system auditors, network specialists and system maintainers. http:// www.toolswatch. org/? p=109438 Nmap v6.47 Released Nmap ( Network Mapper ) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network

inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. http:// www.toolswatch. org/? p=109433 Arachni v1.0 Web User Interface v0.5 Released Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. http:// www.toolswatch. org/? p=109409 [New Tool] dirs3arch v0.2.5 Brute Force Directories and Files dirs3arch is a simple command line tool designed to brute force directories and files in websites. Licensed under GNU General Public License, version 2. http:// www.toolswatch. org/? p=109353 Do you have or know tools to be published? Don't hesitate and contact us, send it! http://www.toolswatch.org/submit-a-tool/

OWASP Xenotix XSS Exploit Framework v6 (By Ajin Abraham) OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world s 2nd largest XSS Payloads of about 4700+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be. OWASP Xenotix is built with powerful offensive modules for performing Information Gathering and Exploitation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within a few clicks. Xenotix offers a couple of XSS Information Gathering & Exploitation Modules that work Cross Platform and with the latest Browsers. V6 Changes Intelli Fuzzer Context Based Fuzzer Blind Fuzzer HTA Network Configuration HTA Drive-By HTA Drive-By Reverse Shell JSFuck 6 Char Encoder jjencode Encoder aaencode Encoder IP to Location IP to GeoLocation IP Hinting Download Spoofer HTML5 Geolocation API Reverse TCP Shell Addon (Linux) OAuth 1.0a Request Scanner 4800+ Payloads SSL Error Fixed More Information: OWASP Xenotix XSS Exploit Framework

Ajin Abraham An Information Security Enthusiast interested in learning new things everyday. Areas of interest includes Security Research, Fuzzing and Reversing anything of Interest, Actively Develops Hacker's Arsenal, Graphics & Web Design. Contributes to Free and Open Information Security Eduction via OpenSecurity. Special Discount ToolsWatchers 10% Discount using Promotional Code: TOOLSWATCH

MKBRUTUS: Password bruteforcer for Mikrotik devices or boxes running RouterOS (By Ramiro J. Caire & Federico Massa) Motivation & Scenario Mikrotik brand devices (www.mikrotik.com), which runs the RouterOS operative system, are worldwide known and popular with a high networking market penetration. Many companies choose them as they are a great combination of low-cost and good performance. RouterOS can be also installed on other devices such as PC. This system can be managed through the following ways: Telnet, SSH, HTTP, Winbox (proprietary GUI of Mikrotik) and Mikrotik API. Both, Winbox and API ports, uses a RouterOS proprietary protocol to "talk" with management clients. Many network sysadmins choose to close Telnet, SSH and HTTP ports, leaving the Winbox port open for graphical management or to use it with another client (developed by third parties) which use the RouterOS API port, such as applications for Android or web front-ends. At this point, MKBRUTUS comes into play ;) MKBRUTUS In Action MKBRUTUS is a Password bruteforcer for MikroTik devices or boxes running RouterOS. MKBRUTUS is a tool developed in Python that performs bruteforce attacks (dictionary-based) against RouterOS systems (ver. 3.x or newer) which have the 8728/TCP port open. Currently has all the basic features of a tool to make dictionary-based attacks, but in the future we plan to incorporate other options. Fig. 1 - MKBRUTUS options.

Fig. 2 - MKBRUTUS performing an attack! Installation The project is available here in GitHub, and you can install the tool just by typing: # git clone https://github.com/mkbrutusproject/mkbrutus.git It is necessary to have Python 3.x installed in order to run this tool. It was successfully tested in KALI LINUX, previous Python3 installation (apt-get install python3). More Information: http://mkbrutusproject.github.io/mkbrutus/ Ramiro J. Caire is an Pentester and Ethical Hacking consultant. Trainer & speaker. Member of HoneynetAR Project. Author of MKBRUTUS and several infosec papers. Areas of interest includes Hacking, malware research, OSINT, Cybercrime and new technologies. Federico Massa is an independent Security consultant specialized in Ethical Hacking. He has been involved in several national and international security projects. He is the developer of the tools VScan (presented at BlackHat 2013) and MKBrutus.

Papers (IN)Secure Magazine issue 43 (September 2014) (IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. http:// www.toolswatch. org/? p=110393 vfeed The Open Source Cross-linked Local Vulnerability Database Security Standards: CVE, CWE, CPE, OVAL, CAPEC, CVSS, and more! Vulnerability Assessment & Exploitation IDs. Vendors Security Alerts. https://github.com/toolswatch/vfeed

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information