Friday, November 2, 2012

[Snuck] Automatic XSS filter bypass

Snuck is an automatic tool whose goal is to significantly test a given XSS filter by specializing the injections on the basis of the reflection context. This approach adopts Selenium to drive a web browser in reproducing both the attacker's behavior and the victim's.
snuck is an automated tool that may definitely help in finding XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer. 
Automatic+XSS+filter+bypass
The approach, it adopts, is based on the inspection of the injection's reflection context and relies on a set of specialized and obfuscated attack vectors for filter evasion. In addition, XSS testing is performed in-browser, a real web browser is driven for reproducing the attacker's behavior and possibly the victim's.
snuck is quite different from typical web security scanners, it basically tries to break a given XSS filter by specializing the injections in order to increase the success rate. The attack vectors are selected on the basis of the reflection context, that is the exact point where the injection falls in the reflection web page's DOM.
Having access to the pages' DOM is possible through Selenium Web Driver, which is an automation framework, that allows to replicate operations in web browsers. Since many steps could be involved before an XSS filter is "activated", an XML configuration file should be filled in order to make snuck aware of the steps it needs to perform with respect to the tested web application.

Posted by at No comments:
Labels: , , , ,

[TCHead] TrueCrypt Password Cracking Tool

TCHead
TCHead is software that decrypts and verifies TrueCrypt headers. TCHead supports all the current hashes, individual ciphers, standard volume headers, hidden volume headers and system drive encrypted headers (preboot authentication).
Brute-force TrueCrypt : However, TrueCrypt passwords go through many iterations and are strengthened. Cracking them takes time. Very strong passwords will not be cracked. Also, in addition to trying multiple passwords an attacker must try each password against each combination of hash and cipher (assuming they do not know what these are beforehand). System encrypted hard drives use only one hash and cipher, so attacking those is faster.
Testing TCHead: Create a TrueCrypt volume using the default hash and cipher (RIPEMD-160 and AES), set the password to "secret", then run TCHead against it like this and it will decrypt the header (provided that the word "secret" is in the word list)
Command : TCHead -f name_of_volume.tc -P words.txt
Decrypt hidden volumes:
Command : TCHead -f name_of_volume.tc -P words.txt --hidden
Multiple passwords (brute-force): Create or download a list of words in a text file (one word per line) using words that you think are likely to decrypt the header, then run TCHead against it like this. If the correct password is found, the header will be decrypted:
Command : TCHead -f name_of_volume.tc -P words.txt

Posted by at No comments:
Labels: , , , ,

[ZAP] OWASP Zed Attack Proxy Weekly

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.
zap1-3historyfilter
Team is now releasing weekly updates on every Monday. These are not the full releases , like stable one, but to give more enhancements as soon as possible, ZAP team decide to release weekly updates also.
The following new features are included in weekly releases:
  • Completely rewritten 'traditional' Spider (c/o Cosmin Stefan and the GSoC)
  • New Ajax Spider (using Crawljax, c/o Guifre Ruiz and the GSoC)
  • Web sockets support (c/o Robert Koch and the GSoC)
  • Performance improvements (both speed and memory)
  • Session awareness
  • Authentication handling
  • Contexts
  • Modes (Safe, Protected and Standard)
  • Online links in menu

Posted by at No comments:
Labels: , , , , ,

[SET] Social-Engineer Toolkit 4.1.3

TrustedSec Release the latest version of Social-Engineer Toolkit (SET) as 4.1.3. As most of us know that, It is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing.
Set-Box_2
It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. The Social Engineer Toolkit leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.
Change version 4.1.3:
* Added multiple checks when importing file, no longer exits the entire application
Download Social Engineer Toolkit 4.1.3:
Posted by at No comments:
Labels: , , , ,

Contact

If you want contact the webmaster of this blog, write to mail:



Posted by at No comments:
Labels: , ,

Thursday, November 1, 2012

[WebSploit] Framework 2.0.3 with Wifi Jammer

WebSploit Is An Open Source Project For Scan And Analysis Remote System From Vulnerability.

WebSploit+Framework+2.0.3+with+Wifi+Jammer

WebSploit Is An Open Source Project For :
[>]Social Engineering Works
[>]Scan,Crawler & Analysis Web
[>]Automatic Exploiter
[>]Support Network Attacks
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack

Download WebSploit Framework 2.0.3
Posted by at No comments:
Labels: , , , ,

Wednesday, August 29, 2012

Future of Delight series..

I was expecting to get enough fund raised by donations to get a new 808 so I could keep making custom firmwares for N8 and 808.. Well it didn't work as expected .. .also since there is a new Belle Refresh released, people are expecting and asking me if there will be any update for Delight series for the same.

This post is to make clear that I am not thinking to work on Delight series anymore., however if circumstances changed somehow because of any reason., I will make sure I will let you know guys about it here ..

I will provide all my resources to freaxs_r_us so he will keep updating it for you guys within a week.

Hopefully you might get a new version of Delight soon enough..

take care..
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)