Category: Information Gathering

Feb 27 2013

ARPwner – ARP & DNS Poisoning Attack Tool

ARPwner is a tool for carrying out ARP poisoning and DNS poisoning attacks. It has a simple GUI, a plugin system for filtering the information gathered, and an implementation of sslstrip. It is written entirely in Python and hosted on GitHub, so you can modify it to suit your needs.


This tool was released by Nicolas Trippar at BlackHat USA 2012.
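ARP poisoning works by sending unsolicited ARP replies that rebind a victim's idea of the gateway IP to the attacker's MAC address. The example below, added here and not part of ARPwner, builds such frames with the standard library and runs them through an arpwatch-style detector that flags an IP whose MAC changes. All addresses are made up for the demonstration; nothing is sent on the wire.

```python
"""
Build raw ARP reply frames and detect the IP-to-MAC rebinding that an ARP
poisoner produces. Added example, not ARPwner's code. Every address here is a
constructed value for the demonstration; no packets are sent.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP reply meaning 'sender_ip is at sender_mac'.
    A poisoner sends this with sender_ip = gateway and sender_mac = attacker."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp  # 14 + 28 = 42 bytes


@dataclass
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpInfo(op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42]))


class ArpWatch:
    """Track IP -> MAC bindings from ARP replies and alert when a known IP moves.
    `static` pre-seeds trusted bindings (e.g. the gateway) so the watcher
    cannot itself be taught a poisoned binding by whoever speaks first."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        info = parse_arp(frame)
        if info is None or info.opcode != ARP_REPLY:
            return None
        known = self.table.get(info.sender_ip)
        if known is None:
            self.table[info.sender_ip] = info.sender_mac
            return None
        if known != info.sender_mac:
            alert = f"ARP poisoning suspected: {info.sender_ip} moved from {known} to {info.sender_mac}"
            self.alerts.append(alert)
            return alert
        return None


def demo() -> List[Optional[str]]:
    """Feed one legitimate gateway reply and one poisoned reply through the watcher."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"   # constructed
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:dd:ee:01"    # constructed
    attacker_mac = "de:ad:be:ef:00:01"                             # constructed
    watch = ArpWatch()
    legit = build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip)
    poison = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    return [watch.observe(legit), watch.observe(poison)]


if __name__ == "__main__":
    print(demo())
```

The learn-on-first-sight behaviour is the weak point of this kind of detector: if the attacker speaks before the real gateway does, the poisoned binding becomes the baseline. Seeding the watcher with known gateway and server bindings closes that gap.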

For the tool to work you need pypcap, so assuming you are using a Debian derivative (like all sane people do), you'll need to do this first:

apt-get install python-pypcap

Download: ARPwner.zip

Read More: ARPwner @ GitHub

Feb 06 2012

Joomscan – Joomla Security Scanner Updated to 611 Vulnerabilities Database

Joomscan, the Joomla Security Scanner, has been updated to a 611-vulnerability database.

In Joomscan you can check for new updates with the command ./joomscan.pl check or ./joomscan.pl update

Overview:
Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So watching its vulnerabilities and adding them to the scanner's knowledge base is an ongoing activity. It helps web developers and webmasters identify possible security weaknesses on their deployed Joomla! sites. Few web security scanners are dedicated to a single CMS.

Features:

  • Exact version probing
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to text & HTML output
  • Immediate update capability via scanner or svn

Requirement:
Perl 5.6 or up

Download: joomscan-latest.zip

Jan 27 2012

theHarvester – Information Gathering Tool

theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from public sources such as search engines and PGP key servers.

This tool is intended to help penetration testers in the early stages of an engagement. It's a really simple tool, but very effective.

The sources supported are:
– Google – emails, subdomains/hostnames
– Google profiles – employee names
– Bing search – emails, subdomains/hostnames, virtual hosts
– PGP servers – emails, subdomains/hostnames
– LinkedIn – employee names
– Exalead – emails, subdomains/hostnames

New features:
– Time delays between requests
– XML and HTML results export
– Search a domain in all sources
– Virtual host verifier
– Shodan computer database integration
– Active enumeration (DNS enumeration, DNS reverse lookups, DNS TLD expansion)
– Basic graph with stats

Some Examples:
Searching for e-mail accounts for the domain microsoft.com, using the first 500 Google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching for e-mail accounts for the domain microsoft.com on a PGP key server; here it is not necessary to specify a limit:

./theharvester.py -d microsoft.com -b pgp

Searching for the names of people who work at Microsoft, using LinkedIn as the source; as with search engines, we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theharvester.py -d microsoft.com -l 200 -b all
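Under the hood, a harvester of this kind does little more than pull anything that looks like an e-mail address or hostname under the target domain out of raw search-result text, then de-duplicates it. The example below is added here to show that core step and is not theHarvester's own code; the sample text it parses is constructed. It also handles the look-alikes that naive patterns get wrong: notexample.com, sub-example.com and example.com.au must not count as hits for example.com, while a trailing full stop at the end of a sentence must not break a match.

```python
"""
Extract e-mail addresses and hostnames belonging to one target domain from raw
text such as a page of search results. Added example, not theHarvester's code;
SAMPLE is a constructed input for the demonstration.
"""
import re
from typing import Dict, Pattern, Set, Tuple

# Constructed search-result text with matches and deliberate look-alikes.
SAMPLE = """
<a href="https://www.example.com/about">About Example</a>
Contact: Jane.Doe@Example.com, press@news.example.com.
Not ours: admin@notexample.com, host.sub-example.com, bob@example.com.au
Mirror at ftp.example.com and HTTPS://API.EXAMPLE.COM/v1
"""


def _patterns(domain: str) -> Tuple[Pattern[str], Pattern[str]]:
    d = re.escape(domain.lower())
    # After the domain, refuse another DNS label (".au" in example.com.au)
    # but still accept a sentence-ending "." or "," that is not followed by one.
    tail = r"(?!\.?[A-Za-z0-9-])"
    label = r"(?:[A-Za-z0-9-]+\.)*"
    email_re = re.compile(r"[A-Za-z0-9._%+-]+@" + label + d + tail, re.IGNORECASE)
    # The lookbehind stops "notexample.com" and "sub-example.com" from matching
    # on their "example.com" suffix.
    host_re = re.compile(r"(?<![A-Za-z0-9-])" + label + d + tail, re.IGNORECASE)
    return email_re, host_re


def harvest(text: str, domain: str) -> Dict[str, Set[str]]:
    """Return lower-cased, de-duplicated e-mails and hostnames under `domain`."""
    domain = domain.lower()
    email_re, host_re = _patterns(domain)
    emails = {m.group(0).lower() for m in email_re.finditer(text)}
    hosts = {m.group(0).lower() for m in host_re.finditer(text)}
    # The domain part of each harvested address is a hostname in its own right
    # (mail servers often only surface this way).
    hosts.update(e.split("@", 1)[1] for e in emails)
    hosts.discard(domain)  # the target itself is the input, not a finding
    return {"emails": emails, "hosts": hosts}


if __name__ == "__main__":
    for kind, values in harvest(SAMPLE, "example.com").items():
        print(kind)
        for v in sorted(values):
            print("  ", v)
```

The same function is fed the page text from each source in turn (Google, Bing, PGP, Exalead) and the sets are unioned, which is why the -b all run in the last example above produces one combined list rather than one per source.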

Download: https://code.google.com/p/theharvester

Jan 26 2012

FBI will Monitor Social Media using Crawl Application

The Federal Bureau of Investigation is looking for a better way to monitor Facebook and Twitter users.

The Bureau is asking companies to build software that can effectively scan social media online for significant words, phrases and behavior so that agents can respond.

A paper posted on the FBI website asks for companies to build programs that will map sentiment and wrongdoing.

“The application must be infinitely flexible and have the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage,” the Request for Information said. “The purpose of this effort is to meet the outlined objectives…for the enhancement [of] FBI SOIC’s overall situation awareness and improved strategic decision making.” The tool would be used in “reconnaissance and surveillance missions, National Special Security Events (NSSE) planning, NSSE operations, SOIC operations, counter intelligence, terrorism, and more.”

Although the police, including in Britain, already use Facebook routinely to ascertain the whereabouts of criminals, automatically filtering out irrelevant information remains challenging. The new FBI application will be able to automatically highlight the most relevant information.

The FBI is seeking responses by 10 February.

Dec 16 2011

Apple Crash Reports to Jailbreak iPhone

Thousands of iPhone owners have joined forces with a team of hackers to help them find new ways to jailbreak Apple’s phone software.

Jailbreaking involves unlocking a device so that it is not restricted to running software officially approved by the manufacturer.

Mobile phones that run Google’s Android operating system do not face this restriction and Microsoft allows its Windows Phone 7 operating system to be unlocked. But Apple has always fought very hard to prevent anyone jailbreaking its devices.

The latest version of the iPhone’s operating system is proving to be extremely hard to jailbreak fully, according to Joshua Hill, a member of the Chronic Dev hacker team.

“Apple is really making it tough for us. The iPhone is now better protected than most nuclear missile facilities,” he says.

Bug Hunt
Bugs may result in a program crashing or shutting down, and they are like gold dust to hackers because sometimes they can be exploited to create a jailbreak.

To help prevent this, Apple’s phones record details of program crashes and send these reports back to the company. Apple’s programmers can then analyse the crash reports and fix any underlying bugs that pose serious security risks.

Crash Reports
The solution to this problem is to subvert Apple’s crash reporting capability by turning it against the company, he says.

“Chronic Dev is ready to turn this little information battle into an all-out, no-holds-barred information WAR,” Mr Hill wrote on the Chronic-Dev blog recently, using his nom de guerre Posixninja.

To do this he has written and distributed a program called CDevreporter that iPhone users can download to their PC or Mac. The program intercepts crash reports from their phones destined for Apple and sends them to the Chronic Dev team.

“In the first couple of days after we released CDevreporter we received about twelve million crash reports,” he says.

Legal Breaks
Jailbreaking phones is legal in the United States, thanks to a ruling in July 2010 by the Library of Congress – an agency that carries out legal research for the US government.

“There’s nothing Apple can do that would make jailbreaking impossible,” he says.

“Apple will always add new features to its phones, and there will always be bugs in its software. It’s just a matter of finding the right ones.”