This tool is oriented to the extraction of metadata from files published in the domains of the target. It looks into the following type of files : PDF, PPT, DOC, XLS and MDB, and looks into different relevant fields, like "Author" or "Last Saved by".
The idea is to look into fields that may be used to get information about users, so can be used for brute-force attacks. This information can also provide windows domain users, or the methodology used by the company to generate user names.
Once the docs are identified, they are downloaded and analyzed. The information is presented in an HTML document. Please feel free to use this tool and don´t heasitate to send us your feedback.
Download: metagoofil-1.2.tar
Thursday, September 6, 2007
Wednesday, August 29, 2007
Protocols, Data structures and File formats
Recently i discover the website Wotsit.org, is a place where you can find information of Data Structures, Protocols, File Formats, etc. It's a valuable resource for creating fuzzing tools, analyzing protocols, or develop a tool.
Really a must have in the security professional bookmarks!
Site: Wotsit
Enjoy
Really a must have in the security professional bookmarks!
Site: Wotsit
Enjoy
Sunday, August 26, 2007
Wfuzz, proxys and webserver scanning
Yesterday i was performing a pentest on a very big network. After struggling a bit i managed to upload files to a web server, an antivirus was running so many known tools didn't work, so it's time for more creativity. I pulled the http-proxy, a python based proxy developed by Edge-security, and compiled it into binary with py2exe, created an self-extracting zip, and uploaded to the server. I configured the proxy to listen on the port 53, as they leave that port unfiltered, neat :P
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon
Wfuzz, proxys and webserver scanning...
Today i was performing a pentest on a very big network. After struggling a bit i managed to upload files to a web server, an antivirus was running so many known tools didn't work, so it's time for more creativity. I pulled the http-proxy, a python based proxy developed by Edge-security, and compiled it into binary with py2exe, created an self-extracting zip, and uploaded to the server. I configured the proxy to listen on the port 53, as they leave that port unfiltered, neat :P
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon, Laramies.
Well, so far so good, now i needed to know which machines were running webservers. I could have programmed a python scanner and upload it, but i was running out of time, so i went for wfuzz, the swiss knife for application testing (every body says their tool is a swiss knife), i used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switchs:
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request (this is added on the new version).
With this command line, i will get every web server on the segment 10.10.1.X, i had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy i used is part of the next framework that is being baked at Edge-security, stay tuned..
See you soon, Laramies.
Sunday, August 12, 2007
New tools and some docs..
Hi i'm back from the vacations, i will start posting more frequently than before, it's an objetive that i set.
Well let's move on the first post, it is about some new tools and documents from the last weeks.
Docs:
Blackhat and Defcon are over, and the presentations and whitepapers could be downloaded from here:
Blackhat: http://164.106.251.250/docs/netsec/bh2007/
Defcon: http://164.106.251.250/docs/dc15/
There are a lot of presentations, and some are really good.
Tools:
Nmap-SOC: First Nmap SOC release! Nmap 4.22SOC1
The new nmap version is available, with all the improvements proposed in the Summer Of Code (Google). Some of the highlights are:
-The UMIT graphical Nmap frontend is now included
-The port selection mechanism was overhauled
-Added the --reason option which explains WHY Nmap assigned a port status
-Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints.
-Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
-In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.
These are some of the more significant (at least for me), there are many more improvements on the release.
Information: http://seclists.org/nmap-dev/2007/q3/0030.html
Umit: Nmap frontend.
Really a very good frontend, with a lot of functionalities, like comparing between different scans, saving scans, multiple tabs, profiles, information highlighting, etc. This project is sponsored by the Google Summer Of Code.
Install: http://umit.sourceforge.net/install.html
Blog: http://umitproject.blogspot.com/
Evolution: Massive information Gathering.
Evolution is a program that can be used to determine the relationships and real world links between different entities. Really it worths a try. I liked a lot the GUI, is still in beta stage, but is really awesome the interface.
Presentations: http://www.paterva.com/web/Evolution/Presentations/
Web: http://www.paterva.com/web/Evolution/
Immunity Debugger:
The new toy from Immunity guys, this is a new debugger oriented for vulnerability analysis, and security related task. It's programmed in python :), you can load python scripts to aid the analysis. Immunity says:
-A debugger with functionality designed specifically for the security industry
-Cuts exploit development time by 50%
-Simple, understandable interfaces
-Robust and powerful scripting language for automating intelligent debugging
-Lightweight and fast debugging to prevent corruption during complex analysis
-Connectivity to fuzzers and exploit development tools
Really a very good tool.
Information: http://www.immunitysec.com/products-immdbg.shtml
Announce: http://seclists.org/bugtraq/2007/Aug/0047.html
That's all for today :)
Well let's move on the first post, it is about some new tools and documents from the last weeks.
Docs:
Blackhat and Defcon are over, and the presentations and whitepapers could be downloaded from here:
Blackhat: http://164.106.251.250/docs/netsec/bh2007/
Defcon: http://164.106.251.250/docs/dc15/
There are a lot of presentations, and some are really good.
Tools:
Nmap-SOC: First Nmap SOC release! Nmap 4.22SOC1
The new nmap version is available, with all the improvements proposed in the Summer Of Code (Google). Some of the highlights are:
-The UMIT graphical Nmap frontend is now included
-The port selection mechanism was overhauled
-Added the --reason option which explains WHY Nmap assigned a port status
-Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints.
-Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
-In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.
These are some of the more significant (at least for me), there are many more improvements on the release.
Information: http://seclists.org/nmap-dev/2007/q3/0030.html
Umit: Nmap frontend.
Really a very good frontend, with a lot of functionalities, like comparing between different scans, saving scans, multiple tabs, profiles, information highlighting, etc. This project is sponsored by the Google Summer Of Code.
Install: http://umit.sourceforge.net/install.html
Blog: http://umitproject.blogspot.com/
Evolution: Massive information Gathering.
Evolution is a program that can be used to determine the relationships and real world links between different entities. Really it worths a try. I liked a lot the GUI, is still in beta stage, but is really awesome the interface.
Presentations: http://www.paterva.com/web/Evolution/Presentations/
Web: http://www.paterva.com/web/Evolution/
Immunity Debugger:
The new toy from Immunity guys, this is a new debugger oriented for vulnerability analysis, and security related task. It's programmed in python :), you can load python scripts to aid the analysis. Immunity says:
-A debugger with functionality designed specifically for the security industry
-Cuts exploit development time by 50%
-Simple, understandable interfaces
-Robust and powerful scripting language for automating intelligent debugging
-Lightweight and fast debugging to prevent corruption during complex analysis
-Connectivity to fuzzers and exploit development tools
Really a very good tool.
Information: http://www.immunitysec.com/products-immdbg.shtml
Announce: http://seclists.org/bugtraq/2007/Aug/0047.html
That's all for today :)
Tuesday, May 8, 2007
Metasploit GUI & Assistant
After a long waiting, a cool Metasploit GUI is available. In the development version of the metasploit is available the GUI with the new Metasploit::Assistant.
I think this is a great advance, and step by step the project is getting near the commercial options (Canvas, Core Impact). Right now Metasploit has 187 exploits, 106 payloads and many more
One great thing of this Framework is that runs on the Nokia 770/800, i hope for the GUI to run on the Nokia soon, it will be very easy to hack on the move, not typing in the mini X-term. Someone to port ruby-libglade and ruby-gtk2?
Next, Next, Next, Own3d ;)
For installing in Backtrack2 Final:
1-Download the following files:
ruby-gtk2
ruby-libglade2
2-Execute these commands:
# lzm2dir ruby-gtk2-0.16.0.lzm /
# lzm2dir ruby-libglade2-0.16.lzm /
# cd /pentest/exploits/framework3
# svn update
# ./msfgui
And here are some screenshots of the GUI running:
I think this is a great advance, and step by step the project is getting near the commercial options (Canvas, Core Impact). Right now Metasploit has 187 exploits, 106 payloads and many more
One great thing of this Framework is that runs on the Nokia 770/800, i hope for the GUI to run on the Nokia soon, it will be very easy to hack on the move, not typing in the mini X-term. Someone to port ruby-libglade and ruby-gtk2?
Next, Next, Next, Own3d ;)
For installing in Backtrack2 Final:
1-Download the following files:
ruby-gtk2
ruby-libglade2
2-Execute these commands:
# lzm2dir ruby-gtk2-0.16.0.lzm /
# lzm2dir ruby-libglade2-0.16.lzm /
# cd /pentest/exploits/framework3
# svn update
# ./msfgui
And here are some screenshots of the GUI running:
Sunday, May 6, 2007
Wfuzz update!
We did some bug cleaning, and some improvements to our wfuzz. Now it supports colored output on Windows machines!, we added support for fuzzing all GET and POST variables with one command, and we also tackle some errors.
If you find an error please send us an email, also if you have a new dictionary please help with the project and send it to us ;)
Check the new version: Wfuzz
If you find an error please send us an email, also if you have a new dictionary please help with the project and send it to us ;)
Check the new version: Wfuzz
Subscribe to:
Posts (Atom)