Monday 7 May 2012

Tools (7th May)

Weekly round-up of pen test and forensic tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.

maxisploit v1.0 released
http://maxisploit-scanner.googlecode.com/files/MaxISploit.rar
Scanner for SQL injection (error/blind) and XSS, an admin finder and a shared hosting scanner (uses the sameip.org service).
This tool has four purposes:
1. SQL injection:
a) Error based: it scans for vulnerable websites based on common SQL errors for a variety of databases.
b) Difference (true/false) scan: it scans for sites that do not display SQL errors but are nevertheless vulnerable. The concept behind this scan is to send a true and a false query to the database, which will give different answers; the two responses are then compared, and if they differ in length and content the site is considered vulnerable.
2. XSS scanner: it encrypts the XSS vector and tries to scan the result from the web server; if the XSS vector is found inside the source then the site is vulnerable. It only uses GET requests to the web server. NOTE: it will scan for the XSS vector but will not test whether an alert or any other event really happened.
3. Admin scanner: it scans for admin login locations, based on a default list or any other that you have supplied. Response codes 200 and 306 are considered success.
4. Shared hosting scanner: it sends a request to sameip.org and then parses the HTML for pages.
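From the defender's side, the admin-location scan in point 3 leaves a recognisable trace in the web server log: one client requesting many distinct paths within a short window and receiving mostly 404s. The following Python script is an added example, not code from maxisploit or from this post; it flags that pattern over constructed Apache combined-log lines, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache combined-log lines (not real traffic): 203.0.113.7 walks
# a wordlist of admin paths, 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:02 +0000] "GET /administrator/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:03 +0000] "GET /login/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:04 +0000] "GET /cpanel/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2012:10:00:04 +0000] "GET /manager/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [07/May/2012:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log line into (ip, timestamp, path, status), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_admin_scanners(log_text, window_seconds=60, min_distinct_paths=5, min_404_ratio=0.6):
    """Return {ip: sorted distinct paths} for clients that, inside one time window,
    requested many distinct paths and received mostly 404s, the trace a wordlist-driven
    admin-location scan leaves. The thresholds are assumptions to tune per site."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            per_ip[rec[0]].append(rec[1:])  # (timestamp, path, status)
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort()  # time order; the window below slides over this list
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = reqs[start:end + 1]
            distinct = {path for _, path, _ in window}
            not_found = sum(1 for _, _, status in window if status == 404)
            if len(distinct) >= min_distinct_paths and not_found / len(window) >= min_404_ratio:
                hits[ip] = sorted({path for _, path, _ in reqs})
                break
    return hits
```

A 200 on one of the probed paths (here /manager/) is exactly what the scanner reports as success, so the flagged client's full path list is returned to show which locations answered.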

An interesting tool category is this proof of concept tool, which helps show what is vulnerable after a successful exploit of a system.

Ransack Post Exploitation Tool
http://www.infiltrated.net/scripts/ransack.sh
Ransack Post Exploitation Tool v 0.1 - Ransack is a post exploitation tool to be used by penetration testers. It is more of a proof of concept and its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.

CIntruder v0.2 Beta Released
http://sourceforge.net/projects/cintruder/files/
CIntruder (Captcha Intruder) is an automatic pentesting tool to bypass captchas. The first beta was released on April 13th, and a further update was released on May 1st. Tools that automatically bypass captchas are useful either for bypassing a captcha or for showing how easy it can be to bypass an implementation.

sqlcake v1.1 - Automatic SQL injection and database information gathering tool.
http://sourceforge.net/projects/sqlcake/files/latest/download?source=files
sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing. sqlcake offers a few useful functions to gather database information easily via SQL injection. sqlcake also allows you to bypass magic quotes, dump tables and columns, and gives you the possibility to run an interactive MySQL shell. sqlcake supports union stacked queries for very fast processing and blind injections with logarithmic techniques to save time.

Updated vulnerabilities check for 10 packages including MediaWiki and added 2 servers database
http://nstalker.co.uk/category/latest-updates/
N-Stalker is now delivering new updates for N-Stalker 2012 Edition, including:
Static Database: updated vulnerabilities check for the following packages: Invision Power Board, IndexU, PHP Live, MediaWiki, Cacti, XMB, Crafty Syntax Live Help, MODx, SugarCRM, PHPSysInfo.
Updated Abyss server database check.
Updated PHP 5.4.x server database check.
Important: these updates are ONLY available for commercial edition users.
