Hi, the new Backtrack 3.0 Beta is out there, the new version includes some of my tools, im very happy :P
Right now the tools included are Metagoofil , Subdomainer, TheHarvester (goog mails)
The new version claims to have these improvements:
* We will be releasing a ~ 1 GB USB / DVD image, as well as a stripped down 700 MB iso.
* Dual core issues have been fixed.
* Wireless card compatibility has maximised, and injection patches applied wherever possible.
* Xorg configuration scripts have been improved.
* Updated exploit repositories, updated metasploit exploit framework and dependencies.
* PXE network boot feature finally added (USB Version)
* PwnSauce Instant John the Ripper Cluster feature finally added (USB version)
* Compiz with ATI/Intel Drivers (USB version)
* Linux bt 2 6 21 5 #2 SMP
Download
And more security tools, that is what we want!!
Enjoy
Wednesday, December 19, 2007
Wednesday, October 17, 2007
Fist Conference - Barcelona
The next week (26/10/2007) i will be speaking at the FIST Conference about "Information Gathering" the speak will be based on Metagoofil. I will release a new version, with some fixes and improvements.
If you are in Barcelona, come and join us!
http://www.fistconference.org/barna.php
If you are in Barcelona, come and join us!
http://www.fistconference.org/barna.php
Thursday, September 6, 2007
Metagoofil
This tool is oriented to the extraction of metadata from files published in the domains of the target. It looks into the following type of files : PDF, PPT, DOC, XLS and MDB, and looks into different relevant fields, like "Author" or "Last Saved by".
The idea is to look into fields that may be used to get information about users, so can be used for brute-force attacks. This information can also provide windows domain users, or the methodology used by the company to generate user names.
Once the docs are identified, they are downloaded and analyzed. The information is presented in an HTML document. Please feel free to use this tool and don´t heasitate to send us your feedback.
Download: metagoofil-1.2.tar
The idea is to look into fields that may be used to get information about users, so can be used for brute-force attacks. This information can also provide windows domain users, or the methodology used by the company to generate user names.
Once the docs are identified, they are downloaded and analyzed. The information is presented in an HTML document. Please feel free to use this tool and don´t heasitate to send us your feedback.
Download: metagoofil-1.2.tar
Wednesday, August 29, 2007
Protocols, Data structures and File formats
Recently i discover the website Wotsit.org, is a place where you can find information of Data Structures, Protocols, File Formats, etc. It's a valuable resource for creating fuzzing tools, analyzing protocols, or develop a tool.
Really a must have in the security professional bookmarks!
Site: Wotsit
Enjoy
Really a must have in the security professional bookmarks!
Site: Wotsit
Enjoy
Sunday, August 26, 2007
Wfuzz, proxys and webserver scanning
Yesterday i was performing a pentest on a very big network. After struggling a bit i managed to upload files to a web server, an antivirus was running so many known tools didn't work, so it's time for more creativity. I pulled the http-proxy, a python based proxy developed by Edge-security, and compiled it into binary with py2exe, created an self-extracting zip, and uploaded to the server. I configured the proxy to listen on the port 53, as they leave that port unfiltered, neat :P
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon
Wfuzz, proxys and webserver scanning...
Today i was performing a pentest on a very big network. After struggling a bit i managed to upload files to a web server, an antivirus was running so many known tools didn't work, so it's time for more creativity. I pulled the http-proxy, a python based proxy developed by Edge-security, and compiled it into binary with py2exe, created an self-extracting zip, and uploaded to the server. I configured the proxy to listen on the port 53, as they leave that port unfiltered, neat :P
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon, Laramies.
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon, Laramies.
Sunday, August 12, 2007
New tools and some docs..
Hi i'm back from the vacations, i will start posting more frequently than before, it's an objetive that i set.
Well let's move on the first post, it is about some new tools and documents from the last weeks.
Docs:
Blackhat and Defcon are over, and the presentations and whitepapers could be downloaded from here:
Blackhat: http://164.106.251.250/docs/netsec/bh2007/
Defcon: http://164.106.251.250/docs/dc15/
There are a lot of presentations, and some are really good.
Tools:
Nmap-SOC: First Nmap SOC release! Nmap 4.22SOC1
The new nmap version is available, with all the improvements proposed in the Summer Of Code (Google). Some of the highlights are:
-The UMIT graphical Nmap frontend is now included
-The port selection mechanism was overhauled
-Added the --reason option which explains WHY Nmap assigned a port status
-Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints.
-Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
-In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.
These are some of the more significant (at least for me), there are many more improvements on the release.
Information: http://seclists.org/nmap-dev/2007/q3/0030.html
Umit: Nmap frontend.
Really a very good frontend, with a lot of functionalities, like comparing between different scans, saving scans, multiple tabs, profiles, information highlighting, etc. This project is sponsored by the Google Summer Of Code.
Install: http://umit.sourceforge.net/install.html
Blog: http://umitproject.blogspot.com/
Evolution: Massive information Gathering.
Evolution is a program that can be used to determine the relationships and real world links between different entities. Really it worths a try. I liked a lot the GUI, is still in beta stage, but is really awesome the interface.
Presentations: http://www.paterva.com/web/Evolution/Presentations/
Web: http://www.paterva.com/web/Evolution/
Immunity Debugger:
The new toy from Immunity guys, this is a new debugger oriented for vulnerability analysis, and security related task. It's programmed in python :), you can load python scripts to aid the analysis. Immunity says:
-A debugger with functionality designed specifically for the security industry
-Cuts exploit development time by 50%
-Simple, understandable interfaces
-Robust and powerful scripting language for automating intelligent debugging
-Lightweight and fast debugging to prevent corruption during complex analysis
-Connectivity to fuzzers and exploit development tools
Really a very good tool.
Information: http://www.immunitysec.com/products-immdbg.shtml
Announce: http://seclists.org/bugtraq/2007/Aug/0047.html
That's all for today :)
Well let's move on the first post, it is about some new tools and documents from the last weeks.
Docs:
Blackhat and Defcon are over, and the presentations and whitepapers could be downloaded from here:
Blackhat: http://164.106.251.250/docs/netsec/bh2007/
Defcon: http://164.106.251.250/docs/dc15/
There are a lot of presentations, and some are really good.
Tools:
Nmap-SOC: First Nmap SOC release! Nmap 4.22SOC1
The new nmap version is available, with all the improvements proposed in the Summer Of Code (Google). Some of the highlights are:
-The UMIT graphical Nmap frontend is now included
-The port selection mechanism was overhauled
-Added the --reason option which explains WHY Nmap assigned a port status
-Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints.
-Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
-In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.
These are some of the more significant (at least for me), there are many more improvements on the release.
Information: http://seclists.org/nmap-dev/2007/q3/0030.html
Umit: Nmap frontend.
Really a very good frontend, with a lot of functionalities, like comparing between different scans, saving scans, multiple tabs, profiles, information highlighting, etc. This project is sponsored by the Google Summer Of Code.
Install: http://umit.sourceforge.net/install.html
Blog: http://umitproject.blogspot.com/
Evolution: Massive information Gathering.
Evolution is a program that can be used to determine the relationships and real world links between different entities. Really it worths a try. I liked a lot the GUI, is still in beta stage, but is really awesome the interface.
Presentations: http://www.paterva.com/web/Evolution/Presentations/
Web: http://www.paterva.com/web/Evolution/
Immunity Debugger:
The new toy from Immunity guys, this is a new debugger oriented for vulnerability analysis, and security related task. It's programmed in python :), you can load python scripts to aid the analysis. Immunity says:
-A debugger with functionality designed specifically for the security industry
-Cuts exploit development time by 50%
-Simple, understandable interfaces
-Robust and powerful scripting language for automating intelligent debugging
-Lightweight and fast debugging to prevent corruption during complex analysis
-Connectivity to fuzzers and exploit development tools
Really a very good tool.
Information: http://www.immunitysec.com/products-immdbg.shtml
Announce: http://seclists.org/bugtraq/2007/Aug/0047.html
That's all for today :)
Subscribe to:
Posts (Atom)