UPDATED VERSION: RouterSploit 3.3.0

PenTestIT RSS Feed
Since my last update, this router exploitation framework have gone through a lot of updates. This post is about RouterSploit 3.3.0 code named I Know You Were Trouble. We will also discuss changes made to and an earlier version 3.2.0 to maintain a chain with the hopes that I keep a watch on these coolRead more about UPDATED VERSION: RouterSploit 3.3.0
The post UPDATED VERSION: RouterSploit 3.3.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-3-0/

UPDATE: OWASP Dependency-Check 3.3.0

PenTestIT RSS Feed
My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysisutilityin the latest release yesterday. This is theOWASP Dependency-Check 3.3.0, which includes a lot of bug fixes and enhancements. What is OWASP Dependency-Check? OWASP dependency-check is a software compositionRead more about UPDATE: OWASP Dependency-Check 3.3.0
The post UPDATE: OWASP Dependency-Check 3.3.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-owasp-dependency-check-3-3-0/

UPDATED VERSION: AutoSploit 2.2

PenTestIT RSS Feed
It has been some days since there was a lot of hue and cry about AutoSploit and eventually everything subsided. I wrote about it in a post titledAutoSploit = Shodan/Censys/Zoomeye + Metasploit too. Recently, an updated an improved updated version – AutoSploit 2.2 was released. This post will try to describe the changes between theRead more about UPDATED VERSION: AutoSploit 2.2
The post UPDATED VERSION: AutoSploit 2.2 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/1YYxIzm27jk/

Sslmerge – Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate

Is an open source tool to help you build a valid SSL certificate chain from the root certificate to the end-user certificate. Also can help you fix the incomplete certificate chain and download all missing CA certificates.How To UseIt’s simple:# Clone this repositorygit clone https://github.com/trimstray/sslmerge# Go into the repositorycd sslmerge# Install./setup.sh install# Run the appsslmerge -i /data/certs -o /data/certs/chain.crtsymlink to bin/sslmerge is placed in /usr/local/binman page is placed in /usr/local/man/man8ParametersProvides the following options: Usage: sslmerge Examples: sslmerge –in Root.crt –in Intermediate1.crt –in Server.crt –out bundle_chain_certs.crt sslmerge –in /tmp/certs –out bundle_chain_certs.crt –with-root sslmerge -i Server.crt -o bundle_chain_certs.crt Options: –help show this message –debug displays information on the screen (debug mode) -i, –in add certificates to merge (certificate file, multiple files or directory with ssl certificates) -o, –out saves the result (chain) to file –with-root add root certificate to the certificate chainHow it worksLet’s start with ssllabs certificate chain. They are delivered together with the sslmerge and can be found in the example/ssllabs.com directory which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).The correct chain for the ssllabs.com domain (the result of the openssl command):Certificate chain 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. – for authorized use only/CN=Entrust Certification Authority – L1K 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. – for authorized use only/CN=Entrust Certification Authority – L1K i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. – for authorized use only/CN=Entrust Root Certification Authority – G2 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. – for authorized use only/CN=Entrust Root Certification Authority – G2 i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification AuthorityThe above code presents a full chain consisting of: Identity Certificate (Server Certificate)issued for ssllabs.com by Entrust Certification Authority – L1K Intermediate Certificateissued for Entrust Certification Authority – L1K by Entrust Root Certification Authority – G2 Intermediate Certificateissued for Entrust Root Certification Authority – G2 by Entrust Root Certification Authority Root Certificate (Self-Signed Certificate)issued for Entrust Root Certification Authority by Entrust Root Certification Authority Scenario 1In this scenario, we will chain all delivered certificates. Example of running the tool:Scenario 2In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:Certificate chainIn order to create a valid chain, you must provide the tool with all the necessary certificates. It will be:Server CertificateIntermediate CAs and Root CAsThis is very important because without it you will not be able to determine the beginning and end of the chain.However, if you look inside the generated chain after generating with sslmerge, you will not find the root certificate there. Why?Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.If you want to add a root certificate to the certificate chain, call the utility with the –with-root parameter.Certification PathsSslmerge allows use of two certification paths:Output commentsWhen generating the chain of certificates, sslmerge displays comments with information about certificates, including any errors.Here is a list of all possibilities:not found identity (end-user, server) certificateThe message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation the sslmerge ends its operation displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.found correct identity (end-user, server) certificateThe reverse situation here – message displayed when a valid server certificate is found.not found first intermediate certificateThis message appears when the first of the two intermediate certificates is not found. This information does not explicitly specify the absence of a second intermediate certificate and on the other hand it allows to determine whether the intermediate certificate to which the server certificate was signed exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.not found second intermediate certificateSimilar to the above, however, it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.one or more intermediate certificate not foundThis message means that one or all of the required intermediate certificates are missing and displayed in the absence of the root certificate.found ‘n’ correct intermediate certificate(s)This message indicates the number of valid intermediate certificates.not found correct root certificateThe lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create it with the sslmerge, it treats the chain as incomplete displaying information about the incorrect creation of the chain.an empty CN field was found in one of the certificatesThis message does not inform about the error and about the lack of the CN field what can happen with some certificates (look at example/google.com). Common Name field identifies the host name associated with the certificate. There is no requirement in RFC3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don’t, such as this Equifax CA.RequirementsSslmerge uses external utilities to be installed before running:opensslOtherContributingSee this.Project architectureSee this.Download Sslmerge

Link: http://feedproxy.google.com/~r/PentestTools/~3/G7_uBQCMSxY/sslmerge-tool-to-help-you-build-valid.html

UPDATE: OWASP Dependency-Check 3.2.1

PenTestIT RSS Feed
My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 3.2.1! Actually, this post is also about an older release – OWASP Dependency-Check 3.2.0 which fixes a security vulnerability. WhatRead more about UPDATE: OWASP Dependency-Check 3.2.1
The post UPDATE: OWASP Dependency-Check 3.2.1 appeared first on PenTestIT.

Link: http://pentestit.com/update-owasp-dependency-check-3-2-1/

UPDATE: Sysdig Falco v0.10.0

PenTestIT RSS Feed
Four weeks ago, I posted about Sysdig Falco v0.9.0. A week ago, the open source behavorial activity monitor which has container support was updated to Sysdig Falco v0.10.0. This release includes a number of improvements focused on making Falco easier to deploy, improvements with rules, and improvements in the system call events Falco supports. This release alsoRead more about UPDATE: Sysdig Falco v0.10.0
The post UPDATE: Sysdig Falco v0.10.0 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/zVH1iDbAhjI/

UPDATE: Kali Linux 2018.2 Release!

PenTestIT RSS Feed
Second Kali Linux update of this year and this time, it is about the latest Kali Linux 2018.2 release! The last release was made available recently in the month of February. This new release includes all patches, fixes, updates, and improvements since the last release – Kali Linux 2018.1, including the shiny new Linux kernel version 4.15, whichRead more about UPDATE: Kali Linux 2018.2 Release!
The post UPDATE: Kali Linux 2018.2 Release! appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2018-2-release/

UPDATE: WordPress Exploit Framework v1.9.2

PenTestIT RSS Feed
WPXF update time again guys! Since my first post about this WordPress exploitation framework almost a year ago, this tool has gotten better and a new version – WordPress Exploit Framework v1.9.2 has been released. This post will summarize the updates for the latest release such as update for the latest Ruby versions and moduleRead more about UPDATE: WordPress Exploit Framework v1.9.2
The post UPDATE: WordPress Exploit Framework v1.9.2 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/IU3ySifsNxA/

UPDATE: P4wnP1 v0.1.0-alpha1

PenTestIT RSS Feed
P4wnP1 update time guys and this time it is the P4wnP1 v0.1.0-alpha1, the first pre-built image! It has almost been a year since I last posted about this Raspberry Pi based, customizable USB attack platform and yet, what an update! Read on! What is P4wnP1? P4wnP1 is a highly customizable USB attack platform, based on a lowRead more about UPDATE: P4wnP1 v0.1.0-alpha1
The post UPDATE: P4wnP1 v0.1.0-alpha1 appeared first on PenTestIT.

Link: http://pentestit.com/update-p4wnp1-v0-1-0-alpha1/