Posts tagged: Hacking Tool

May 22 2012

Nmap 6 Released

Most popular open source network discovery and security auditing tool Nmap has reached version 6.0.

Nmap 6

The new code hit the Net last Monday, complete with a message from coder Gordon Lyon, aka Fyodor, that the new version represents “almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009.”

Fyodor recommends all users upgrade to the new version, so they can get their hands on 289 new scripts and a host of new features.

Top Improvements:

  • Enhanced Nmap Scripting Engine (NSE)
  • Better Web Scanning
  • Full IPv6 Support
  • New Nping Tool
  • Better Zenmap GUI and Results Viewer
  • Faster Scans

Download:
Linux: nmap-6.00.tar.bz2
Windows: nmap-6.00-win32.zip

Jan 27 2012

theHarvester – Information Gathering Tool

The HarvestertheHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.

This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.

The sources supported are:
– Google – emails,subdomains/hostnames
– Google profiles – Employee names
– Bing search – emails, subdomains/hostnames,virtual hosts
– Pgp servers – emails, subdomains/hostnames
– Linkedin – Employee names
– Exalead – emails,subdomain/hostnames

New features:
– Time delays between requests
– XML and HTML results export
– Search a domain in all sources
– Virtual host verifier
– Shodan computer database integration
– Active enumeration (DNS enumeration,DNS reverse lookups, DNS TLD expansion)
– Basic graph with stats

Some Examples:
Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching emails accounts for the domain microsoft.com in a PGP server, here it’s not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp

Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

Download: https://code.google.com/p/theharvester

Jan 20 2012

Patator – Multi-Purpose Brute Forcing Tool

Brute Force AttackPatator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Currently it supports the following modules:

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using the SMTP VRFY command
  • smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
  • http_fuzz : Brute-force HTTP/HTTPS
  • pop_passd : Brute-force poppassd (not POP3)
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Forward lookup subdomains
  • dns_reverse : Reverse lookup subnets
  • snmp_login : Brute-force SNMPv1/2 and SNMPv3
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files

Download: patator_v0.3.py

Project Home: http://code.google.com/p/patator/

Jan 03 2012

Fully Automated MySQL 5 Boolean Enumeration Script

This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping.

Syntax:

perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]

Example:

perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q “select system_user()”

Description:
– By default, this script will first determine username, version and database name before enumerating the information_schema information.
– When the -q flag is applied, a user can supply any query that returns only a single cell.
– If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI.
– This script contains error detection: It will only work on a mysql 5.x database, and knows when its queries have syntax errors.
– This script uses perl’s LibWhisker2 for IDS Evasion (The same as Nikto).
– This script uses the MD5 algorithm for optimization. There are other optimization methods, and this may not work on all sites.

Download: mysql5enum.pl.zip

Dec 29 2011

Reaver – WiFi Protected Setup Brute Force Attack Tool

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.

Description:
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Installation:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install

To remove everything installed/created by Reaver:

# make distclean

Usage:
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

Download: reaver-1.3.tar.gz

Reaver Home: http://code.google.com/p/reaver-wps/