Thursday, February 28, 2013

[Xortool] A tool to analyze multi-byte xor cipher


A tool to do some xor analysis:
  • guess the key length (based on count of equal chars)
  • guess the key (base on knowledge of most frequent char)

Usage

! python3 is not supported, use python 2.x

  xortool [-h|--help] [OPTIONS] [<filename>]
Options:
-l,--key-length length of the key (integer)
-c,--char most possible char (one char or hex code)
-m,--max-keylen=32 maximum key length to probe (integer)
-x,--hex input is hex-encoded str
-b,--brute-chars brute-force all possible characters
-o,--brute-printable same as -b but will only use printable
characters for keys

Example

# xor is some external script to encrypt files
tests $ xor -f /bin/ls -s "secret_key" > binary_xored

tests $ xortool binary_xored
The most probable key lengths:
2: 5.0%
5: 8.7%
8: 4.9%
10: 15.4%
12: 4.8%
15: 8.5%
18: 4.8%
20: 15.1%
25: 8.4%
30: 14.9%
Key-length can be 5*n
Most possible char is needed to guess the key!

# 00 is the most frequent byte in binaries
tests $ xortool binary_xored -l 10 -c 00
...
1 possible key(s) of length 10:
secret_key

# decrypted ciphertexts are placed in ./xortool_out/Number_<key repr>
# ( have no better idea )
tests $ md5sum xortool_out/0_secret_key /bin/ls
29942e290876703169e1b614d0b4340a xortool_out/0_secret_key
29942e290876703169e1b614d0b4340a /bin/ls

The most common use is to pass just the encrypted file and the most frequent character (usually 00 for binaries and 20 for text files) - length will be automatically chosen:

tests $ xortool tool_xored -c 20
The most probable key lengths:
2: 5.6%
5: 7.8%
8: 6.0%
10: 11.7%
12: 5.6%
15: 7.6%
20: 19.8%
25: 7.8%
28: 5.7%
30: 11.4%
Key-length can be 5*n
1 possible key(s) of length 20:
an0ther s3cret \xdd key

Here, the key is longer then default 32 limit:

tests $ xortool ls_xored -c 00 -m 64
The most probable key lengths:
3: 3.3%
6: 3.3%
9: 3.3%
11: 7.0%
22: 6.9%
24: 3.3%
27: 3.2%
33: 18.4%
44: 6.8%
55: 6.7%
Key-length can be 3*n
1 possible key(s) of length 33:
really long s3cr3t k3y... PADDING

So, if automated decryption fails, you can calibrate:
  • (-m) max length to try longer keys
  • (-l) selected length to see some interesting keys
  • (-c) the most frequent char to produce right plaintext

[RemoteDLLInjector] Command-line Tool to Inject DLL into Remote Process


Remote DLL Injector is the free command-line tool to Inject DLL into remote process.

Currently it supports DLL injection using the CreateRemoteThread technique. If you are looking for advanced and more user friendly GUI version then check out our popular RemoteDll tool.

Being a command-line tool makes it easy to integrate into your automation scripts. Also useful when you are remotely operating on the system especially during Pen Testing situations.

One of the unique feature of Remote DLL Injector is its ability Inject DLL into ASLR enabled processes. It dynamically calculates DLL and function offsets within target process before the injection operation.

It is fully portable and includes both 32-bit & 64-bit versions. It has been successfully tested on all platforms starting from Windows XP to Windows 8.




Download RemoteDLLInjector

More information: securityxploded.com/remote-dll-injector.php

[MASTIFF2HTML] Static Analysis Framework Results Viewer


MASTIFF2HTML is a python program that is used to create a GUI results interface in HTML from MASTIFF results.

Download the python program at:
https://github.com/1aN0rmus/TekDefense/blob/master/MASTIFF2HTML.py
MASTIFF is an automated static malware analysis framework.

Wednesday, February 27, 2013

[Netsparker Community Edition v2.5.2.0] Released!

Netsparker Community Edition is a SQL Injection Scanner. It’s a free edition of our web vulnerability scanner for the community so you can start securing your website now. It’s user friendly, fast, smart and as always False-Positive-Free.

It shares many features with professional edition. It can detect SQL Injection and XSS issues better than many other scanners (if not all), and it’s completely FREE.



Netsparker can scan for lots of web security vulnerabilities, this free version of Netsparker is a great SQL injection scanner. It can scan and exploit SQL Injection vulnerabilities in different back-end databases with really high accuracy and without any false-positives. Netsparker is the best SQL Injection Scanner among the all commercial, free and open source web vulnerability scanner according to 3rd party benchmark by finding 98.53% of all SQL Injections in tests1.


Netsparker CE features

  • False-Positive Free
  • AjAX/JavaScript Supp0rt
  • Hassle Free Licensing
  • Heuristic Cust0m 4o4 Support
  • Free Automated Updates
  • Error Based SqL Injection
  • Boolean Based SQL Injection
  • Reflective Cross-site ScriptIng (xss)
  • Permanent/St0red Cross-site Scripting (XSS)
  • and many more


Security Checks that come with CE

Error Based SQL Injection
Boolean Based SQL Injection
Time Based Blind SQL Injection
Local File Inclusion
Remote File Inclusions
Remote Code Injection / Evaluation
Cross-site Scripting (XSS) via RFI
Reflective Cross-site Scripting (XSS)
Permanent/Stored Cross-site Scripting (XSS)
OS Level Command Injection
CRLF / HTTP Header Injection / Response Splitting
Open Redirect
Find Backup Files
Crossdomain.xml Analysis
Finds and Analyse Potential Issues in Robots.txt
Finds and Analyse Google Sitemap Files
Detect TRACE / TRACK Method Support
Detect ASP.NET Debugging
Detect ASP.NET Trace
ASP.NET ViewState Analysis
ViewState is not Signed
ViewState is not Encrypted
Post Exploitation Checks
E-mail Address Disclosure
Internal IP Disclosure
Cookies are not marked as Secure
Cookies are not marked as HTTPOnly
Directory Listing
Stack Trace Disclosure
Version Disclosure
Access Denied Resources
Internal Path Disclosure
Programming Error Messages
Database Error Messages
CVS, GIT and SVN Information and Source Code Disclosure
Find PHPInfo() pages and PHPInfo() disclosures
Apache Server-Status and Apache Server-Info pages
Find Hidden Resources
Basic Authentication over HTTP
Password Transmitted over HTTP
Password Form Served over HTTP
Source Code Disclosure
Auto Complete Enabled

Download

http://www.mavitunasecurity.com/communityedition/

[ARPwner] ARP and DNS Poisoning Attack Tool

ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs.



This tool was released by Nicolas Trippar at BlackHat USA 2012.

For the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) – you’ll need to do this first:

apt-get install python-pypcap


You can download ARPwner here: ARPwner.zip
Or read more here.

Monday, February 25, 2013

[ADHD v.0.4.1] Active Defense Harbinger Distribution

The Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu 12.04 LTS. It comes with many tools aimed at active defense preinstalled and configured. The purpose of this distribution is to aid defenders by giving them tools to "strike back" at the bad guys.

ADHD has tools whose functions range from interfering with the attackers' reconnaissance to compromising the attackers' systems. Innocent bystanders will never notice anything out of the ordinary as the active defense mechanisms are triggered by malicious activity such as network scanning or connecting to restricted services.

Download:  http://sourceforge.net

[Hwk] Wireless Exploitation Tool

Hwk is an easy-to-use wireless authentication and deauthentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types.



http://www.nullsecurity.net/tools/wireless.html

[Web-Sorrow] Tool for Misconfiguration, Version Detection, Enumeration, and Server Information Scanning

Web-Sorrow is a perl based tool for misconfiguration, version detection, enumeration, and server information scanning. It's entirely focused on Enumeration and collecting Info on the target server. Web-Sorrow is a "safe to run" program, meaning it is not designed to be an exploit or perform any harmful attacks.




Download  Web-Sorrow

[Automater 1.2] IP and URL Analysis Tool


Automater is a IP and URL Analysis tool we created to help automate the analysis process. You can see a video of Automater in action in TekTip episode 15.