Showing posts with label fingerprinting.

BlindElephant – Web Application Fingerprinting

During Black Hat USA 2010, Patrick Thomas presented a new web application fingerprinting tool called Blind Elephant.
The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

BlindElephant works via a new technique of fetching static elements of the web app such as .js, .css, and other core files, then computing a checksum of each and comparing it against the checksums of those same files in released versions.
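As an added illustration (not BlindElephant's own code or database), the following Python sketch shows the hashing-and-intersection idea: each fetched static file narrows the set of candidate releases, and a single file is often not enough because a file left unchanged between releases shares its hash across several versions. The file paths, contents and version numbers are constructed sample data, and SHA-1 is simply the checksum chosen for this example.

```python
import hashlib
from typing import Dict, Optional, Set

def sha1_hex(data: bytes) -> str:
    """Checksum used for the constructed database below (an assumption of this
    example, not a claim about which hash BlindElephant uses)."""
    return hashlib.sha1(data).hexdigest()

# Constructed fingerprint database: static path -> {file hash -> releases that
# ship exactly that file}. A file left unchanged between releases maps one hash
# to several versions, which is why one file rarely pins a version by itself.
FILE_VERSIONS: Dict[str, Dict[str, Set[str]]] = {
    "/static/app.js": {
        sha1_hex(b"var api = 1;\n"): {"1.0", "1.1"},
        sha1_hex(b"var api = 2;\n"): {"1.2"},
    },
    "/static/style.css": {
        sha1_hex(b"body { margin: 0 }\n"): {"1.0"},
        sha1_hex(b"body { margin: 0; padding: 0 }\n"): {"1.1", "1.2"},
    },
}

def guess_versions(fetched: Dict[str, Optional[bytes]]) -> Set[str]:
    """Intersect the candidate releases implied by every retrieved file.

    `fetched` maps a known static path to the bytes the server returned, or
    None when the path was not found. A missing file, or a hash the database
    has never seen (e.g. a locally customised file), carries no version
    evidence and is skipped rather than allowed to empty the candidate set.
    Two known hashes that belong to disjoint releases do empty it: the site
    is then either a mixed install or a release the database lacks.
    """
    candidates: Optional[Set[str]] = None
    for path, content in fetched.items():
        if content is None or path not in FILE_VERSIONS:
            continue
        matches = FILE_VERSIONS[path].get(sha1_hex(content))
        if not matches:
            continue
        candidates = set(matches) if candidates is None else candidates & matches
    return candidates if candidates else set()

if __name__ == "__main__":
    # Constructed responses from a hypothetical site: the .js alone is
    # ambiguous, the .css narrows it down to a single release.
    site = {"/static/app.js": b"var api = 1;\n",
            "/static/style.css": b"body { margin: 0; padding: 0 }\n"}
    print(sorted(guess_versions({"/static/app.js": site["/static/app.js"]})))  # ['1.0', '1.1']
    print(sorted(guess_versions(site)))  # ['1.1']
```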

BlindElephant is available via SVN here
svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant



Plecost 0.2.2-9-beta : Wordpress fingerprinting tool

Plecost is a WordPress fingerprinting tool that searches for and retrieves information about the plugin versions installed on WordPress sites. It can analyze a single URL or run an analysis over the results indexed by Google, and it displays the CVE identifier associated with each plugin, if there is one.

Plecost works in two modes: analyzing a single URL, or analyzing the results of Google searches (-G).

Threads version Usage:
./plecost-0.2.2-8-beta.py [options] [ URL | [-l num] -G]
Mono task version Usage: 
./plecost_0.0.1-5beta.py [options] URL | [options] -G



Satori 0.7.3 : Passive OS fingerprinting Tool

Satori is a passive OS identification/fingerprinting tool. Using WinPcap it listens on the wire to all IP traffic, not just TCP SYN and SYN-ACK packets, and tries to use everything it hears to determine the OS of the devices it sees. Satori performs passive OS identification via a multitude of methods. The primary ones currently being actively updated are TCP (p0f-style fingerprinting), DHCP, Web and SMB. Other methods are CDP, HPSP, ICMP, EIGRP, Hot Standby Router Protocol (HSRP), MDNS, OSPF, Skinny, SNMP, STP, UPnP and IPX/SPX.

Official change log for Satori 0.7.3:
  • Updated the bpf filters that I use prior to sending pcap traffic to my code to 25 or so of the 30 plugins for Satori. Instead of listing them all out, I’ll just say, most were updated!
  • They originally did something like ‘tcp or vlan’, this was updated to ‘tcp or (vlan and tcp)’ to help limit the traffic Satori has to process.
  • Other protocols, where there was a bpf filter such as aarp were added instead of just greater 0 type rules.
  • CDP has a filter in place that is much better also.
  • Added a new .dll, SIP.dll, that I did a LONG time ago but wasn’t in the download dir for plugins.
  • Last but not least, fixed some bugs I found in the SCCP code that wasn’t picking up IP Phones correctly in a LOT of cases.
  • Oh, and released 0.7.3 version of satori.exe, mainly because I’ve noticed updating the oui.txt file isn’t getting picked up unless I recompile Satori. Not sure why, on my list to fix, but this way updated oui.txt from a few months back is better than the one from a few years ago!



Finddomains - Reverse IP lookup Tool

FindDomains is a multithreaded search-engine discovery tool that is very useful for penetration testers who need to discover the domain names, web sites and virtual hosts spread across a large number of IP addresses. It provides a console interface so you can easily integrate it into your pentest automation system. It retrieves the domain names/web sites located on a specified IP address or hostname.

In order to use FindDomains:
Create an appid at "Bing Developers".
It will look like this: 32AFB589D1C8B4FEC73D4BCB6EA0AD810E0FA2C7
Once you have registered an appid, enter it into the appid.txt file in the program directory.

Some highlights:
  • Uses the Bing search engine. Works with the first 1000 records.
  • Multithreaded crawling and DNS resolution.
  • Performs DNS resolution for extracted domains to eliminate cached/old records.
  • Has a console interface, so it can be very useful with some command-line foo.
  • Works with Mono, but running under Windows is more efficient.
Sample usage :
FindDomains.exe 1.2.3.4
FindDomains.exe www.hotmail.com



Inguma v 0.4 - Penetration testing and vulnerability research toolkit

Inguma is a penetration testing toolkit entirely written in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute-force user names and passwords and, of course, exploits.

While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing.


The biggest changes are:
  • The GUI has been modified and cleaned in order to give more space to the most active areas like the network map, the RCE interface or the exploits/fuzzing areas.
  • We have updated the Bokken subproject to the latest stable version available, v1.0. It features an interactive mode, better code disassembly and analysis, and better integration with Inguma's GUI. More information about Bokken can be found here.
  • The systray functionality now allows hiding the Inguma GUI while it's working, and it will warn you once the running modules have finished.
  • A new fuzzing tab has been added to the Exploits workspace with two different fuzzers: Krash and Scapy.
  • The CLI interface has received some attention again and a few new shortcuts like '?' for help or '..' to go back to the main menu are now available in nearly all the modules.
  • Inguma CLI now works better on MacOS with autocompletion and key bindings.
  • All the fuzzing modules are now under the fuzzers category and have been fixed.
  • Minor changes here and there.
  • Lots of code refactoring and bugs fixed.
The author has also published an Inguma package installation guide and a how-to / quick start.



FS-WPSFp v1.0 - Wordpress fingerprinting tool

Developed by Dr. Alberto Fontanella, FS-WPSFp is a fast and tiny WordPress security scanner that finds vulnerable installed plugins and reports details of the related exploits. It also reports exploits for the WordPress version it identifies. Useful for penetration testing tasks and/or for fun and profit. The current version includes 240 security tests.





Web-Sorrow - An Enumerating Remote Security Scanner

Web-Sorrow is a remote security scanner used in the information-gathering phase of penetration testing. It is open source and written in Perl. It helps you with detecting misconfiguration, version detection, enumeration, and server information scanning. Web-Sorrow is a “safe to run” program, meaning it is not designed to attempt to exploit or perform any kind of injection, DDoS/DoS, CSRF, XSS, or other harmful attacks. It is entirely focused on enumeration and collecting information from the target server. Web-Sorrow also has false-positive checking on most of its requests.

Current functionality provided by Web-Sorrow:
  • -S – scans for a set of standard tests. They include: index directory testing, banner grabbing, language detection (should be obvious), robots.txt, 200 response testing (some servers send a 200 OK for every request), and Thumbs.db scanning
  • -auth – looks for login pages with a list of some of the most common login files and dirs and admin consoles. The list doesn’t need to be very big, because what else are they going to name it? notAlogin.php???
  • -Cp – scan with a huge list of plugin dirs. The list is a bit old (the Drupal and WordPress plugin databases are now current, but sorry, Joomla’s is still a bit old)
  • -I – Web-Sorrow searches the responses for interesting strings
  • -Ws – looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info
  • -Fd – looks for things people generally don’t want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.
  • -ninja – a lightweight and undetectable scan that uses bits and pieces from other scans
  • -R – use HTTP range headers to make scans faster
  • -Shadow – Use Google cache instead of requesting from the target host
  • -Sd – Bruteforce sub-domains in a Web-Sorrow scan
  • -Db – Bruteforce Directories with the big dirbuster Database
  • -ua – use a custom UserAgent. Add QUOTES if there are spaces in the string.
  • -proxy – send all HTTP reqs via a proxy. example: 255.255.255.254:8080
  • -e – run all the scans in the tool
Web-Sorrow grabs banners from response headers such as Server:, X-Powered-By:, X-Meta-Generator:, X-Meta-Framework:, X-Meta-Originator:, X-AspNet-Version:, Via: and MIME-Version:. Since it is written in Perl and the source code is available, you can edit it to suit your needs.



Kolkata - Web Application Fingerprinting

Kolkata is a web application fingerprinting engine written in Perl that combines cryptography with IDS evasion. Kolkata uses session splicing for IDS evasion and configurable checksums of static files in order to determine the version of a web application.

Usage:
kolkata.pl -d domain.tld [-v -p [remote_path_to_web_application]]
  • kolkata requires a directory called sigs in its directory
  • The sigs directory must contain properly formatted yml files with checksums.




Firewalk 0.99.1 - The Advanced traceroute

Firewalking is a technique developed by Mike Schiffman and David Goldsmith that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks.

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan. It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.
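To make the TTL arithmetic concrete, here is an added Python model of the bind-then-scan procedure described above; it is not Firewalk's code and sends no packets. The hop list, gateway address and filter rules are constructed, and the model assumes a router handles TTL expiry before applying its ACL and that the downstream destination itself is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Hop:
    """A router on the constructed path. `blocked` lists the (protocol, port)
    pairs this hop silently drops; only the gateway under test has any."""
    ip: str
    blocked: Set[Tuple[str, int]] = field(default_factory=set)

def send_probe(path: List[Hop], ttl: int, proto: str, port: int) -> Optional[str]:
    """Walk one probe along the path. Each router decrements the TTL; if it
    hits zero the router answers with ICMP_TIME_EXCEEDED (its IP is returned),
    otherwise the router applies its ACL and forwards or drops the packet.
    None means no response came back."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return hop.ip
        if (proto, port) in hop.blocked:
            return None
    return None  # passed every router; the downstream destination is not modelled

def bind(path: List[Hop], gateway_ip: str, max_ttl: int = 30) -> Optional[int]:
    """Ramp the TTL traceroute-style until the expiring hop is the gateway.
    The probe expires at the gateway before its ACL is consulted, so the
    protocol/port used here does not matter."""
    for ttl in range(1, max_ttl + 1):
        if send_probe(path, ttl, "tcp", 80) == gateway_ip:
            return ttl
    return None

def firewalk(path: List[Hop], gateway_ip: str, proto: str, ports: List[int]) -> Dict[int, str]:
    """Scan phase: one probe per port with TTL = bound + 1. A forwarded probe
    expires one hop past the gateway and elicits ICMP_TIME_EXCEEDED ("open");
    a dropped probe produces silence ("filtered")."""
    bound = bind(path, gateway_ip)
    if bound is None or bound >= len(path):
        raise RuntimeError("gateway not found, or no hop beyond it to expire at")
    return {port: ("open" if send_probe(path, bound + 1, proto, port) else "filtered")
            for port in ports}

# Constructed three-hop path: the middle router is the gateway and drops telnet
# and DNS; the last router exists only so expired probes have somewhere to die.
PATH = [
    Hop("10.0.0.1"),
    Hop("10.0.0.2", blocked={("tcp", 23), ("udp", 53)}),
    Hop("10.0.0.3"),
]

if __name__ == "__main__":
    print(bind(PATH, "10.0.0.2"))                            # 2
    print(firewalk(PATH, "10.0.0.2", "tcp", [22, 23, 80]))  # {22: 'open', 23: 'filtered', 80: 'open'}
```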

The newest version of the tool, firewalk/GTK introduces the option of using a graphical interface and a few bug fixes.



Nmap 6 Released - Network Mapper

Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Nmap 6 comes with six major changes and added features.
  1. NSE enhanced: The Nmap Scripting Engine (NSE) has exploded in popularity and capabilities. This modular system allows users to automate a wide variety of networking tasks, from querying network applications for configuration information to vulnerability detection and advanced host discovery. The script count has grown from 59 in Nmap 5 to 348 in Nmap 6, and all of them are documented and categorized. The underlying NSE infrastructure has improved dramatically as well.
  2. Better Web scanning: When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported.
  3. Full IPv6 support: Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap version 6 contains full support for IP version 6, and it is released just in time for the World IPv6 Launch. Nmap’s developers have created a new IPv6 OS detection system, advanced host discovery, raw-packet IPv6 port scanning, and many NSE scripts for IPv6-related protocols. It’s easy to use too: just specify the -6 argument along with IPv6 target IP addresses or DNS records.
  4. New Nping Tool: The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping’s novel echo mode lets users see how packets change in transit between the source and destination hosts. That’s a great way to understand firewall rules, detect packet corruption, and more.
  5. Better Zenmap GUI and results viewer: While Nmap started out as a command-line tool and many (possibly most) users still use it that way, Nmap’s developers have also developed an enhanced GUI and results viewer named Zenmap. One addition since Nmap 5 is a “filter hosts” feature which allows you to see only the hosts which match your criteria (e.g. Linux boxes, hosts running Apache, etc.) They have also localized the GUI to support five languages besides English. A new script selection interface helps you find and execute Nmap NSE scripts. It even tells you what arguments each script supports.
  6. Faster scans: Since Nmap 5, the developers have rewritten the traceroute system for higher performance and increased the allowed parallelism of the Nmap Scripting Engine and version detection subsystems. They also performed an intense memory audit which reduced peak consumption during their benchmark scan by 90%. They made many improvements to Zenmap data structures and algorithms as well, so that it can now handle large enterprise scans with ease.

