Showing posts with label Scanner. Show all posts

Wednesday, May 15, 2013

[DEP Process Scanner] Tool to scan and show all the DEP enabled Processes


DEP Process Scanner is a free command-line tool to scan and show all the DEP enabled Processes.

Data Execution Prevention (DEP) is a security feature introduced in Windows XP SP2 and designed to prevent an application from executing code from non-executable memory regions such as the stack or data regions. It is primarily intended to mitigate the successful execution of buffer overflow based exploits.
DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with limited protection for CPUs that do not have hardware support.

DEP Process Scanner currently detects only Software-enforced DEP and helps you to find Processes which have (Software based) DEP enabled/disabled.

Here is the list of things you can do with this tool:
  • Show all DEP enabled Processes
  • Show all Non-DEP or DEP disabled Processes
  • Check the DEP status of Process with the ID
  • Check the DEP status of Process with the name

Being a command-line tool makes it easy to automate. It can also be a handy tool for developers and researchers.

It is available in both 32-bit & 64-bit versions and works on all platforms starting from Windows XP to Windows 8.

Monday, April 29, 2013

[Arachni v0.4.2] web application security scanner (Boosted with new UI)

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.


It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.

It is versatile enough to cover a great many use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Features

  • Cookie-jar/cookie-string support.
  • Custom header support.
  • SSL support.
  • User Agent spoofing.
  • Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
  • Proxy authentication.
  • Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLM and others).
  • Automatic log-out detection and re-login during the audit (when the initial login was performed via the AutoLogin plugin).
  • Custom 404 page detection.
  • UI abstraction:
  • Pause/resume functionality.
  • High performance asynchronous HTTP requests.
      With adjustable concurrency.


Major improvements with 0.4.2


Users

Regular users can enjoy:
  • The ability to easily perform and manage scans via the brand new, Rails-based, simple, intuitive and beautiful web user interface — I’m overselling it a bit out of excitement.
  • Much reduced RAM usage.
  • More fluid and smoother progress %.
  • Issue remarks – Providing extra context to logged issues and assisting you in determining the nature, variation and special circumstances that may apply.
  • More resilient stance towards non-responsive servers.
  • Much improved profiling and detection of custom 404 responses.
  • Improved payloads for Windows machines for path traversal and OS command injection.
  • The ability to exclude pages from the scan based on content.


Developers

Oh you devs out there controlling Arachni via RPC are gonna love these:
  • Default serialization changed to Marshal, which translates to much faster and less bandwidth consuming RPC calls.
    • YAML serialization is still supported and is an automatic fallback; YAML requests will still elicit a YAML response. Careful though, the engine has been changed to Psych, which has been the Ruby default for a while now.
  • A bunch of convenience methods have been added to Arachni::RPC::Server::Instance, allowing you to perform and control scans much easier than before.
  • More data returned for logged Issues during runtime.


Service providers

Well, you get to enjoy all of the above but at a higher, more abstract level:
  • Significantly reduced RAM consumption.
  • Significantly reduced bandwidth and CPU usage for RPC calls.
  • Improved progress information for statistics, issues and progress %.

Tuesday, April 23, 2013

[Nessus 5.2] Nessus Vulnerability Scanner


New release of the Nessus vulnerability scanner! This is a major release (moving from 5.0.3 to 5.2.0) and includes several new features and enhancements, including:
  • IPv6 is now supported on all platforms (including Windows)
  • Nessus server support for Windows 8 and Windows 2012
  • Add attachments within scan result reports
  • Mac OS X preference pane
  • Digitally-signed Nessus RPM packages for supporting distributions
  • Smaller memory footprint and reduced disk space usage
  • Faster, more responsive web interface (uses less bandwidth)
  • No longer need to visit the Tenable website for an activation code!

Several key features are described in detail below, including examples of the new Mac OS X preference pane and the new attachments feature:


Add Attachments to Scan Results


Information collected during the scan can now be included in the results as an attachment. The first iteration of attachments will be screenshots, but any attachment type can be included.


Remote Desktop Protocol (RDP)


If Nessus discovers Remote Desktop Protocol on a target, a screenshot is taken. This can reveal information such as the operating system version and the currently-logged-on user.


VNC


If Nessus discovers a target is running VNC without a password to restrict access, a screenshot is included in the results. The above example shows the system using a web browser to visit the www.tenable.com website.


Websites


For Internet-connected web servers, Nessus will take a screenshot of the website as if you visited the website using a web browser. This feature is useful to identify the applications you are testing, including making sure you are testing the correct virtual host.


Mac OS X Preference Pane


The addition of a Nessus server preference pane in OS X allows the user to stop and start the Nessus server process and configure whether or not Nessus is started at boot time.

Getting Nessus 5.2


New users may download and evaluate Nessus free of charge by visiting the Nessus home page. Current customers can download 5.2 from the Tenable Support Portal. Detailed instructions and notes on upgrading are located in the Nessus 5.2 Installation and Configuration Guide.

Nessus ProfessionalFeed and Perimeter Service customers: Please contact Tenable Support (support -at- tenable.com) with any questions regarding the upgrade to Nessus 5.2.0. Users may also visit the Tenable Discussion Portal for more information.

Saturday, April 20, 2013

[Vega v1.0] Web Application Security Scanner

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: JavaScript.
Vega was developed by Subgraph in Montreal.

Features

  • Automated Crawler and Vulnerability Scanner
  • Consistent UI
  • Website Crawler
  • Intercepting Proxy
  • SSL MITM
  • Content Analysis
  • Extensibility through a Powerful JavaScript Module API
  • Customizable alerts
  • Database and Shared Data Model

Some of the features in the 1.0 release include:
  • Active proxy scanner
  • Greatly improved detections
  • Greatly improved support for authenticated scanning
  • API enhancements
  • HTTP message viewer enhancements

Modules

  • Cross Site Scripting (XSS)
  • SQL Injection
  • Directory Traversal
  • URL Injection
  • Error Detection
  • File Uploads
  • Sensitive Data Discovery

[Brakeman v1.9.5] The Static analysis security scanner for Ruby on Rails

Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Unlike many web security scanners, Brakeman looks at the source code of your application. This means you do not need to set up your whole application stack to use it.

Once Brakeman scans the application code, it produces a report of all security issues it has found.

Advantages


No Configuration Necessary

Brakeman requires zero setup or configuration once it is installed. Just run it.


Run It Anytime

Because all Brakeman needs is source code, Brakeman can be run at any stage of development: you can generate a new application with rails new and immediately check it with Brakeman.


Better Coverage

Since Brakeman does not rely on spidering sites to determine all their pages, it can provide more complete coverage of an application. This includes pages which may not be ‘live’ yet. In theory, Brakeman can find security vulnerabilities before they become exploitable.


Best Practices

Brakeman is specifically built for Ruby on Rails applications, so it can easily check configuration settings for best practices.


Flexible Testing

Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with.


Speed

While Brakeman may not be exceptionally speedy, it is much faster than “black box” website scanners. Even large applications should not take more than a few minutes to scan.


Limitations


False Positives

Only the developers of an application can understand if certain values are dangerous or not. By default, Brakeman is extremely suspicious. This can lead to many “false positives.”


Unusual Configurations

Brakeman assumes a “typical” Rails setup. There may be parts of an application which are missed because they do not fall within the normal Rails application layout.


Only Knows Code

Dynamic vulnerability scanners which run against a live website are able to test the entire application stack, including the webserver and database. Naturally, Brakeman will not be able to report if a webserver or other software has security issues.


Isn’t Omniscient

Brakeman cannot understand everything which is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it tries its best. Remember, if you run across something strange, feel free to file an issue for it.
Changes since 1.9.4:

  • Add check for unsafe symbol creation (Aaron Weiner)
  • Do not warn on mass assignment with slice/only (#203)
  • Do not warn on session secret if in .gitignore (#241)
  • Fix session secret check for Rails 4
  • Fix scoping for blocks and block arguments
  • Fix error when modifying blocks in templates
  • Fix crash on before_filter outside controller
  • Fix Sexp hash cache invalidation
  • Respect quiet option in configuration file (#300)
  • Convert assignment to simple if expressions to or
  • More fixes for assignments inside branches
  • Refactoring of CheckLinkTo and Report (Bart ten Brinke)
  • Pin ruby2ruby dependency to version 2.0.3 (see here)

Monday, April 15, 2013

[Topera] The IPv6 port scanner invisible to Snort (IDS)


Topera is a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort.

Snort is the best-known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) also use it as their detection engine.

Evading Snort's detection capabilities could pose a high risk in some cases.

All the community is invited to test it in any environment and we would be thankful if you send us any feedback.

We keep researching the security implications that the "new" IPv6 protocol will have in different environments.


You can see an example of execution of Topera here:



Tuesday, April 2, 2013

[Acunetix Web Vulnerability Scanner 8] Automated Web Application Security Testing Tool


Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.


Changelog v8.20130308

Unicode Transformation Issues
This new security test looks for issues that can occur when working with Unicode data. Specifically, it looks for Best-Fit Mappings, Overlong Byte Sequences and Ill-Formed Subsequences issues.

Best-Fit Mappings occur when a character X gets transformed to an entirely different character Y. For example, in some situations the Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN can be transformed into U+003C LESS-THAN SIGN (<). This can cause serious security problems for the affected web application.

Overlong byte sequences (non-shortest form) – UTF-8 allows for different representations of characters that also have a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, but not in any of the following five possible overlong forms:
  • 0xC0 0x8A
  • 0xE0 0x80 0x8A
  • 0xF0 0x80 0x80 0x8A
  • 0xF8 0x80 0x80 0x80 0x8A
  • 0xFC 0x80 0x80 0x80 0x80 0x8A

Ill-Formed Subsequences - As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, the web application should not consume a leading byte when it is followed by an invalid successor byte. For example, at some point PHP was consuming the control characters leading to XSS and SQL injection vulnerabilities.
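The three issues above can be reproduced side by side in a short script. This is an added example, not Acunetix's test code: `lenient_decode`, `strict_decode` and `introduced_by_folding` are hypothetical names, the byte strings are constructed from the list above, and NFKC normalization stands in for whatever best-fit conversion a given platform applies.

```python
import unicodedata

# The five overlong encodings of U+000A listed above (constructed byte strings).
OVERLONG_LF = [
    bytes([0xC0, 0x8A]),
    bytes([0xE0, 0x80, 0x8A]),
    bytes([0xF0, 0x80, 0x80, 0x8A]),
    bytes([0xF8, 0x80, 0x80, 0x80, 0x8A]),
    bytes([0xFC, 0x80, 0x80, 0x80, 0x80, 0x8A]),
]
# Constructed ill-formed input: a lead byte followed by an ASCII quote.
ILL_FORMED = b'\xC2"'

# (lead-byte prefix after shifting, shift, payload mask, continuation count)
_LEADS = [(0b110, 5, 0x1F, 1), (0b1110, 4, 0x0F, 2), (0b11110, 3, 0x07, 3),
          (0b111110, 2, 0x03, 4), (0b1111110, 1, 0x01, 5)]


def lenient_decode(data: bytes) -> str:
    """Flawed 'before' decoder: no shortest-form check, and it swallows
    whatever bytes follow a lead byte without checking they are continuations."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 0
        else:
            for prefix, shift, mask, count in _LEADS:
                if b >> shift == prefix:
                    cp, n = b & mask, count
                    break
            else:
                raise ValueError(f"invalid lead byte 0x{b:02X}")
        for cont in data[i + 1:i + 1 + n]:
            cp = (cp << 6) | (cont & 0x3F)
        out.append(chr(cp))
        i += 1 + n
    return "".join(out)


def strict_decode(data: bytes):
    """Hardened form: Python's built-in decoder rejects overlong and
    ill-formed sequences. Returns None instead of a partially decoded string."""
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


def introduced_by_folding(text: str, watched: str = "<>\"'") -> list:
    """Watched characters that are absent from the input but appear once it is
    compatibility-folded, i.e. what a filter run before folding would miss."""
    folded = unicodedata.normalize("NFKC", text)
    return sorted(c for c in set(watched) if c in folded and c not in text)


if __name__ == "__main__":
    for seq in OVERLONG_LF:
        # A byte-level filter looking for 0x0A sees nothing in these inputs.
        print(seq.hex(" "), "raw LF present:", b"\n" in seq,
              "| lenient:", repr(lenient_decode(seq)),
              "| strict:", strict_decode(seq))
    print("ill-formed, lenient:", repr(lenient_decode(ILL_FORMED)),
          "| strict:", strict_decode(ILL_FORMED))
    print("introduced by folding:", introduced_by_folding("\uFF1Cb\uFF1E"))
```

The practical rule it illustrates: decode strictly and normalize first, then validate the result, so that the filter and the consumer see the same characters.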

Analyze Parameter Values
Another script introduced with this update is Analyze_Parameter_Values.script. This script analyzes parameter values and performs various actions based on their values. For example, if the parameter value contains a filename or a file path, the script will pass this information to the crawler and these files will be crawled and tested in the next scan iteration.

Hidden Virtual Hosts
Finally, the latest update contains a script that tries to find hidden Virtual Hosts on the tested web server. Virtual hosting is a method for hosting multiple domain names on a single web server.
Sometimes developers host internal/test applications on production systems without making them public. These virtual hosts are not directly accessible unless you guess the name of their virtual host, connect to the web server’s IP address and specify the virtual host in the Host header.
This script looks for common Virtual Host names and compares the responses received with the normal response. When it finds differences, it will issue alerts for these names.


Full Changelog: here

[Bluelog v1.1.1] Simple Bluetooth Scanner

Bluelog is a simple Bluetooth scanner designed to tell you how many discoverable devices there are in an area as quickly as possible.

It is intended to be used as a site survey tool, identifying the number of possible Bluetooth targets there are in the surrounding environment.


Changelog v1.1.1

Codename: “Marshmallow Peep Edition”
  • Merged in libmackerel
  • Merged in MACLIST from haraldscan
  • Experimental manufacturer lookups (currently x86 only)
  • Configuration options broken out into config.h
  • Allow for friendly class names in verbose mode, thanks Dean
  • EXPERIMENTAL: Added -e option to encode MACs with CRC32
  • Updated MAN page
  • Updated README
  • Improved memory management, thanks Paolo
  • Improved file cleanup, less idiotic

Compatibility
Bluelog has been written with portability and efficiency in mind, so it is able to run on a number of systems and hardware platforms. Basically, as long as the device can run (and get results from) “hcitool scan”, and you can compile software for it, there is a good chance Bluelog can run on it.

In addition to running on all major Linux distributions, Bluelog has been used successfully on Chrome OS (running on the CR-48 netbook), and MIPS based OpenWRT devices. For information on the OpenWRT build of Bluelog, see the “openwrt” directory.

More Information: here

Download Bluelog v1.1.1

Monday, March 25, 2013

[PunkSPIDER] Mass Search for Vulnerabilities in Web Applications

Alejandro Caceres, CTO of Hyperion Gray, presented an interesting project called PunkSPIDER at the ShmooCon 2013 conference. It is an architecture based on Apache Hadoop clusters for a distributed scanner capable of performing thousands of web vulnerability scans a day and making its results available to anyone. In other words, PunkSPIDER is a large global search engine for vulnerabilities in web applications.

The goal of this project is to draw attention to the poor security of web applications in general. Just by typing in the URL, it can help any organization find out whether its public portal has critical vulnerabilities that need to be fixed immediately.

Of course, PunkSPIDER may also generate some controversy because, like many tools, it can be used for malicious purposes, that is, to discover and exploit vulnerabilities in other people's web applications. Let us remember, though, that the scans are fairly automated and generic, and any attacker could already run similar ones in the phases leading up to an intrusion...

You can download the source code, donate on Kickstarter and/or contact punkspider@hyperiongray.com if you want to collaborate with the project.


Source: http://www.hackplayers.com/

Monday, March 18, 2013

[WhatWeb] Scanner for Fingerprinting a Website


WhatWeb is a tool that lets us fingerprint a website.


WhatWeb stands out for identifying websites built with one of the most popular CMSs such as WordPress, Joomla!, phpBB or Drupal; it can also identify versions of JavaScript libraries, geolocate domains, identify HTML tags and web servers, and has more than 900 plugins to extend its functionality.


For those who have never used this tool and want to get started with the reconnaissance and fingerprinting stages, WhatWeb is the place to take your first steps.

Download WhatWeb
Repository on GitHub
Author's website
The WhatWeb Wiki

Sunday, March 17, 2013

[JoomlaScan v1.5] Scanner to find vulnerabilities in Joomla

This new update of JoomlaScan recognizes Joomla! version 3.1.0-beta1, along with the latest 2.5.x releases and the first 3.0.x releases.


Since version 2.5 appeared, identifying the Joomla! version comes down to checking a single file, specifically http://tu.joomla.com/administrator/manifest/files/joomla.xml, where we can find the exact version:
<version>3.0.3</version>

It is true, though, that in earlier versions it could be a headache, requiring analysis of the existence and/or content of different files that appear and disappear in new revisions, all after studying the Joomla! repositories.

While making these tweaks, I have also updated some new exploits, obtaining the links from http://www.exploit-db.com and http://www.securityfocus.com


Or, if you already have it installed:
$ perl joomlascan.pl -update

Author's website: http://blog.pepelux.org/

Wednesday, March 13, 2013

[SSLyze v0.6] SSL Server Configuration Scanning Tool


SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.

Features
  • SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
  • Performance testing: session resumption and TLS tickets support
  • Security testing: weak cipher suites, insecure renegotiation, CRIME and THC-SSL DOS attacks
  • Server certificate validation
  • Support for StartTLS with SMTP and XMPP, and traffic tunneling through an HTTPS proxy
  • Client certificate support for servers performing mutual authentication
  • Scan results can be written to an XML file for further processing
New in v0.6:
  • Added support for Server Name Indication; see --sni
  • Partial results are returned when the server requires client authentication but no client certificate was provided
  • Preliminary IPv6 support
  • Various bug fixes and better support of client authentication and HTTPS tunneling

You can download SSLyze v0.6 here:

Linux/OSX: sslyze-0.6_src.zip
Windows 7/Python 32-bit: sslyze-0.6_Windows7_Python32.zip
Windows 7/Python 64-bit: sslyze-0.6_Windows7_Python64.zip

Or read more here.

Friday, March 1, 2013

Nmap for Android



NMAP (Network Mapper) is a tool for scanning open ports. It was designed to explore large networks, although it also works perfectly for mapping individual machines. Besides ports, it also reports which service is using each one and its version. It also usually shows which filters or firewalls are in place, and sometimes even the operating system of the machine, among dozens of other things.

Nmap is a tool widely used in security audits, and many also use it for criminal purposes. Its key feature is its table of ports with their states, which are the following:

Closed
Open
Filtered
Unfiltered

Open means that the application on the target machine is waiting for connections or packets on that port. Filtered indicates that a firewall, filter or other network obstacle is blocking access to that port, so Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, although they could open at any time. Ports classified as unfiltered are those that respond to Nmap's probes, but for which Nmap cannot determine whether they are open or closed.
Throughout this tutorial you will come across parameters in upper and lower case; it is very important to respect the case, since it changes their function.


Wednesday, February 27, 2013

[Netsparker Community Edition v2.5.2.0] Released!

Netsparker Community Edition is a SQL Injection Scanner. It’s a free edition of our web vulnerability scanner for the community so you can start securing your website now. It’s user friendly, fast, smart and as always False-Positive-Free.

It shares many features with professional edition. It can detect SQL Injection and XSS issues better than many other scanners (if not all), and it’s completely FREE.



Netsparker can scan for lots of web security vulnerabilities, and this free version of Netsparker is a great SQL injection scanner. It can scan and exploit SQL Injection vulnerabilities in different back-end databases with really high accuracy and without any false-positives. Netsparker is the best SQL Injection Scanner among all the commercial, free and open source web vulnerability scanners according to a 3rd party benchmark, finding 98.53% of all SQL Injections in tests.


Netsparker CE features

  • False-Positive Free
  • AJAX/JavaScript Support
  • Hassle Free Licensing
  • Heuristic Custom 404 Support
  • Free Automated Updates
  • Error Based SQL Injection
  • Boolean Based SQL Injection
  • Reflective Cross-site Scripting (XSS)
  • Permanent/Stored Cross-site Scripting (XSS)
  • and many more


Security Checks that come with CE

Error Based SQL Injection
Boolean Based SQL Injection
Time Based Blind SQL Injection
Local File Inclusion
Remote File Inclusions
Remote Code Injection / Evaluation
Cross-site Scripting (XSS) via RFI
Reflective Cross-site Scripting (XSS)
Permanent/Stored Cross-site Scripting (XSS)
OS Level Command Injection
CRLF / HTTP Header Injection / Response Splitting
Open Redirect
Find Backup Files
Crossdomain.xml Analysis
Finds and Analyse Potential Issues in Robots.txt
Finds and Analyse Google Sitemap Files
Detect TRACE / TRACK Method Support
Detect ASP.NET Debugging
Detect ASP.NET Trace
ASP.NET ViewState Analysis
ViewState is not Signed
ViewState is not Encrypted
Post Exploitation Checks
E-mail Address Disclosure
Internal IP Disclosure
Cookies are not marked as Secure
Cookies are not marked as HTTPOnly
Directory Listing
Stack Trace Disclosure
Version Disclosure
Access Denied Resources
Internal Path Disclosure
Programming Error Messages
Database Error Messages
CVS, GIT and SVN Information and Source Code Disclosure
Find PHPInfo() pages and PHPInfo() disclosures
Apache Server-Status and Apache Server-Info pages
Find Hidden Resources
Basic Authentication over HTTP
Password Transmitted over HTTP
Password Form Served over HTTP
Source Code Disclosure
Auto Complete Enabled

Download

http://www.mavitunasecurity.com/communityedition/