Tunna – Set Of Tools Which Will Wrap And Tunnel Any TCP Communication Over HTTP

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.

SUMMARY

TLDR: Tunnels TCP connections over HTTP

In a fully firewalled environment (inbound and outbound connections restricted, except the webserver port):

* The webshell can be used to connect to any service on the remote host. This would be a local connection on a local port at the remote host and should be allowed by the firewall.
* The webshell will read data from the service port, wrap them over HTTP and send them as an HTTP response to the local proxy.
* The local proxy will unwrap and write the data to its local port, where the client program would be connected.
* When the local proxy receives data on the local port, it will send them over to the webshell as an HTTP POST.
* The webshell will read the data from the HTTP POST and put them on the service port, and repeat.

Only the webserver port needs to be open (typically 80/443). The whole communication (externally) is done over the HTTP protocol.

USAGE

    python proxy.py -u <url> -l <localport> [options]

Options
    --help, -h                          show this help message and exit
    --url=URL, -u URL                   url of the remote webshell
    --lport=LOCAL_PORT, -l LOCAL_PORT   local listening port
    --verbose, -v                       Verbose (outputs packet size)
    --buffer=BUFFERSIZE, -b BUFFERSIZE  HTTP request size (some webshells have limitations on the size; see limitations)

No SOCKS Options (ignored if the SOCKS proxy is used)
    --no-socks, -n                      Do not use Socks Proxy
    --rport=REMOTE_PORT, -r REMOTE_PORT remote port of service for the webshell to connect to
    --addr=REMOTE_IP, -a REMOTE_IP      address for remote webshell to connect to (default = 127.0.0.1)

Upstream Proxy Options (tunnel connection through a local proxy)
    --up-proxy=UPPROXY, -x UPPROXY      Upstream proxy (http://proxyserver.com:3128)
    --auth, -A                          Upstream proxy requires authentication

Advanced Options
    --ping-interval=PING_DELAY, -q PING_DELAY  webshprx pinging thread interval (default = 0.5)
    --start-ping, -s                    Start the pinging thread first; some services send data first (eg. SSH)
    --cookie, -C                        Request cookies
    --authentication, -t                Basic authentication

Example usage:

    python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -v
    # This will start a Local SOCKS Proxy Server at port 8000
    # This connection will be wrapped over HTTP and unwrapped at the remote server

    python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -x https://192.168.1.100:3128 -A -v
    # This will start a Local SOCKS Proxy Server at port 8000
    # It will connect through a Local Proxy (https://192.168.1.100:3128) that requires authentication
    # to the remote Tunna webshell

    python proxy.py -u http://10.3.3.1/conn.aspx -l 4444 -r 3389 -b 8192 -v --no-socks
    # This will initiate a connection between the webshell and Remote host RDP (3389) service
    # The RDP client can connect on localhost port 4444
    # This connection will be wrapped over HTTP

Prerequisites

The ability to upload a webshell on the remote server.

LIMITATIONS / KNOWN BUGS / HACKS

This is POC code and might cause DoS of the server. All efforts to clean up after execution or on error have been made (no promises).

Based on local tests:

* JSP buffer needs to be limited (buffer option): 4096 worked in Linux Apache Tomcat, 1024 worked in XAMPP Apache Tomcat (slow). More than that created problems with bytes missing at the remote socket, eg:

    ruby proxy.rb -u http://10.3.3.1/conn.jsp -l 4444 -r 3389 -b 1024 -v

* Sockets not enabled by default in PHP on Windows (IIS + PHP)
* Carriage returns on webshells (outside the code) get sent on responses / get written on the local socket and corrupt the packets
* PHP webshell for Windows: the loop function DoS'es the remote socket; a sleep function was added, which works but is a bit slow
* PHP webshell needs new line characters removed at the end of the file (after "?>"), as these will get sent in every response and confuse Tunna

FILES

Webshells:
    conn.jsp   Tested on Apache Tomcat (windows + linux)
    conn.aspx  Tested on IIS 6+8 (windows server 2003/2012)
    conn.php   Tested on LAMP + XAMPP + IIS (windows + linux)
WebServer:
    webserver.py  Tested with Python 2.6.5
Proxies:
    proxy.py      Tested with Python 2.6.5

Technical Details

Architecture decisions

* Data is sent raw in the HTTP POST body (no post variable)
* Instructions / configuration is sent to the webshell as URL parameters (HTTP GET)
* Data is sent in the HTTP body (HTTP POST)
* Websockets not used: not supported by default by most webservers
* Asynchronous HTTP responses not really possible: the proxy queries the server constantly (default 0.5 seconds)

INITIATION PHASE

The 1st packet initiates a session with the webshell and gets a cookie back, eg:

    http://webserver/conn.ext?proxy

The 2nd packet sends connection configuration options to the webshell (IP and port for the webshell to connect to), eg:

    http://webserver/conn.ext?proxy&port=4444&ip=127.0.0.1

This is a threaded request: in PHP this request will go into an infinite loop to keep the webshell socket connection alive; in other webshells [OK] is received back.

TUNNA CLIENT

A local socket is created where the client program is going to connect to. Once the client is connected the pinging thread is initiated and execution starts. Any data on the socket (from the client) gets read and sent as an HTTP POST request. Any data on the webshell socket gets sent as a response to the POST request.

PINGING THREAD

Because HTTP responses cannot be asynchronous, this thread will do HTTP GET requests on the webshell based on an interval (default 0.5 sec). If the webshell has data to send, it will (also) send it as a reply to this request; otherwise it sends an empty response.

In general: data from the local proxy gets sent with HTTP POST; there are GET requests every 0.5 sec to query the webshell for data; if there is data on the webshell side it gets sent over as a response to one of these requests.

WEBSHELL

The webshell connects to a socket on the local or a remote host. Any data written on the socket gets sent back to the proxy as a reply to a request (POST/GET). Any data received with a POST gets written to the socket.

NOTES

All requests need to have the URL parameter "proxy" set to be handled by the webshell (http://webserver/conn.ext?proxy).

AT EXIT / AT ERROR

Kills all threads and closes the local socket. Sends proxy&close to the webshell, which kills the remote threads and closes its socket.

SOCKS

The SOCKS support is an addon module for Tunna. Locally, a separate thread handles the connection requests and traffic; it adds a header that specifies the port and the size of the packet and forwards it to Tunna. Tunna sends it over to the remote webserver, removes the HTTP headers and forwards the packet to the remote SOCKS proxy. The remote SOCKS proxy initiates the connection and maps the received port to the local port. If the remote SOCKS proxy receives data from the service, it looks at the mapping table and finds the port it needs to respond to, and adds the port as a header so the local SOCKS proxy will know where to forward the data. Any traffic from the received port will be forwarded to the local port and vice versa.

Download Tunna
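The traffic shape described above (every request carrying the "proxy" URL parameter, a GET poll roughly every 0.5 seconds, client data arriving as POSTs to the same script) is also what a defender can look for in web server logs. The following is an added example, not code from the Tunna project: it parses Common Log Format access-log lines and flags client/script pairs whose request stream matches that polling pattern. The sample log lines, the IP addresses and the thresholds (minimum request count, maximum median gap) are constructed for the example and are not values from the project.

```python
"""Flag Tunna-style HTTP tunnel traffic in web server access logs.

Added example (not part of the Tunna project). It encodes the traffic shape
the README describes: every request carries the URL parameter "proxy", the
pinging thread issues a GET roughly every 0.5 s, and client data arrives as
POSTs to the same script. Thresholds are assumptions tuned to the constructed
sample below, not values from the project.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one Tunna-like stream to /conn.aspx plus two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:10:00:00 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 12
203.0.113.7 - - [10/Jan/2018:10:00:00 +0000] "GET /conn.aspx?proxy&port=3389&ip=127.0.0.1 HTTP/1.1" 200 4
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "POST /conn.aspx?proxy HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2018:10:00:03 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2018:10:00:03 +0000] "POST /conn.aspx?proxy HTTP/1.1" 200 64
203.0.113.7 - - [10/Jan/2018:10:00:04 +0000] "GET /conn.aspx?proxy HTTP/1.1" 200 0
198.51.100.2 - - [10/Jan/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.2 - - [10/Jan/2018:10:05:00 +0000] "GET /about.html?proxy=1 HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # keep_blank_values so a bare "?proxy" (no value) is still seen as a parameter
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": parts.path,
        "has_proxy_param": "proxy" in query,
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def find_tunnels(lines, min_requests=8, max_median_gap=1.0):
    """Return the (client, script) streams whose requests look like Tunna polling.

    A stream is every request from one client IP to one path that carries the
    "proxy" parameter. It is flagged when it has at least min_requests entries,
    the median gap between consecutive requests is at most max_median_gap
    seconds (the pinging thread polls twice a second) and at least half of the
    requests are GETs (the polls) rather than POSTs (client data).
    """
    streams = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["has_proxy_param"]:
            streams[(rec["ip"], rec["path"])].append(rec)
    hits = []
    for (ip, path), recs in streams.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median_gap = statistics.median(gaps)
        gets = sum(r["method"] == "GET" for r in recs)
        if median_gap <= max_median_gap and gets * 2 >= len(recs):
            hits.append({"ip": ip, "path": path, "requests": len(recs),
                         "median_gap_s": median_gap})
    return hits


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_LOG.splitlines()):
        print(hit)
```

CLF timestamps have one-second resolution, so a 0.5 s poll shows up as alternating gaps of 0 and 1 seconds; the median-gap threshold is what makes the check robust to that, and on the constructed sample it flags only the /conn.aspx stream, not the single benign request that happens to use a "proxy" parameter.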

Link: http://feedproxy.google.com/~r/PentestTools/~3/p4t5NT8McxM/tunna-set-of-tools-which-will-wrap-and.html

UPDATE: OWASP Dependency-Check 3.1.0

PenTestIT RSS Feed
My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday: OWASP Dependency-Check 3.1.0. This release comes with production ready Node and NSP analyzers! What is OWASP Dependency-Check? OWASP dependency-check is a software
The post UPDATE: OWASP Dependency-Check 3.1.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-owasp-dependency-check-3-1-0/

Crips – IP Tools To quickly get information about IP Address’s, Web Pages and DNS records

This tool is a collection of online IP tools that can be used to quickly get information about IP addresses, web pages and DNS records.

Menu
* Whois lookup
* Traceroute
* DNS Lookup
* Reverse DNS Lookup
* GeoIP Lookup
* Port Scan
* Reverse IP Lookup
* INSTALL & UPDATE
* Exit

Whois lookup: Determine the registered owner of a domain or IP address block with the whois tool.

Traceroute: Using mtr, an advanced traceroute tool, trace the path of an Internet connection.

DNS Lookup: Find DNS records for a domain; results are determined using the dig DNS tool.

Reverse DNS Lookup: Find reverse DNS records for an IP address or a range of IP addresses.

GeoIP Lookup: Find the location of an IP address using the GeoIP lookup location tool.

Port Scan: A simple TCP port scan to quickly determine the status of an Internet facing service or firewall.

Reverse IP Lookup: Discover web hosts sharing an IP address with a reverse IP lookup.

INSTALL & UPDATE: To install the tools directly in the system and get new updates directly using the terminal.

Installation Linux
    [✓] git clone https://github.com/Manisso/Crips.git
    [✓] cd Crips && python Crips.py
    [◉] 0 : INSTALL & UPDATE
    [◉] -> 0
    [✓] press 0
    [✓] Congratulations, Crips is installed!

Installation Windows
    [✔] Download Python 2.7
    [✓] Download Crips
    [✓] Extract Crips into Desktop
    [◉] Open CMD and type the following commands:
    [✓] $cd Desktop/Crips-master/
    [✓] $python crips.py

Download Crips

Link: http://feedproxy.google.com/~r/PentestTools/~3/VcG8XPNvujQ/crips-ip-tools-to-quickly-get.html

Fsociety Hacking Tools Pack – A Penetration Testing Framework

A Penetration Testing Framework: you will have every script that a hacker needs.

Menu
* Information Gathering
* Password Attacks
* Wireless Testing
* Exploitation Tools
* Sniffing & Spoofing
* Web Hacking
* Private Web Hacking
* Post Exploitation
* INSTALL & UPDATE

Information Gathering:
* Nmap
* Setoolkit
* Port Scanning
* Host To IP
* wordpress user
* CMS scanner
* XSStracer
* Dork - Google Dorks Passive Vulnerability Auditor
* Scan A server's Users

Password Attacks:
* Cupp
* Ncrack

Wireless Testing:
* reaver
* pixiewps

Exploitation Tools:
* Venom
* sqlmap
* Shellnoob
* commix
* FTP Auto Bypass
* jboss-autopwn

Sniffing & Spoofing:
* Setoolkit
* SSLtrip
* pyPISHER
* SMTP Mailer

Web Hacking:
* Drupal Hacking
* Inurlbr
* Wordpress & Joomla Scanner
* Gravity Form Scanner
* File Upload Checker
* Wordpress Exploit Scanner
* Wordpress Plugins Scanner
* Shell and Directory Finder
* Joomla! 1.5 - 3.4.5 remote code execution
* Vbulletin 5.X remote code execution
* BruteX - Automatically brute force all services running on a target
* Arachni - Web Application Security Scanner Framework

Private Web Hacking:
* Get all websites
* Get joomla websites
* Get wordpress websites
* Control Panel Finder
* Zip Files Finder
* Upload File Finder
* Get server users
* SQli Scanner
* Ports Scan (range of ports)
* Ports Scan (common ports)
* Get server Info
* Bypass Cloudflare

Post Exploitation:
* Shell Checker
* POET
* Phishing Framework

Install Me
* Install directly on the system (only for Linux & Mac systems)
* Update instantly when there are new updates

Installation Linux
    [✓] git clone https://github.com/Manisso/fsociety.git
    [✓] cd fsociety && python fsociety.py
    [◉] 0 : INSTALL & UPDATE
    [◉] -> 0
    [✓] press 0
    [✓] Congratulations, Fsociety is installed!

Installation Windows
    [✔] Download python 2.7
    [✓] Download fsociety
    [✓] Extract fsociety into Desktop
    [◉] Open CMD and type the following commands:
    [✓] $cd Desktop/fsociety-master/
    [✓] $python fsociety.py

Download Fsociety

Link: http://feedproxy.google.com/~r/PentestTools/~3/3QZ8keQBIZg/fsociety-hacking-tools-pack-penetration.html

Username Anarchy – Username Tools For Penetration Testing

Tools for generating usernames when penetration testing. Usernames are half the password brute force problem.

This is useful for user account/password brute force guessing and username enumeration when usernames are based on the users' names. By attempting a few weak passwords across a large set of user accounts, user account lockout thresholds can be avoided.

Users' names can be identified through a variety of methods:
* Web scraping employee names from LinkedIn, Facebook, and other social networks.
* Extracting metadata from document types such as PDF, Word, Excel, etc. This can be performed with FOCA.
* Common aliases, or self chosen usernames, from forums are also included.

Features
* Plugin architecture for username formats
* Format string style username format definitions
* Substitutions, e.g. when only a first initial and lastname is known (LinkedIn lists users like this), it will attempt all possible first names
* Country databases of common first and last names from Familypedia and PublicProfiler
* Has the Facebook common first and lastnames lists

Extras
* Common forum usernames, ordered by popularity

Usage

Username Anarchy is a command line tool.

    Usage: ./username-anarchy [OPTIONS]... [firstname|first last|first middle last]
    Author: Andrew Horton (urbanadventurer). Version: 0.5

    Names:
    -i, --input-file FILE      Input list of names. Can be SPACE, CSV or TAB delimited.
                               Defaults to firstname, lastname. Valid column headings are:
                               firstinitial, firstname, lastinitial, lastname, middleinitial, middlename.
    -a, --auto                 Automatically generate names from a country/list
    -c, --country COUNTRY      COUNTRY can be one of the following datasets:
                               PublicProfiler: argentina, austria, belgium, canada, china, denmark,
                               france, germany, hungary, india, ireland, italy, luxembourg, netherlands,
                               newzealand, norway, poland, serbia, slovenia, spain, sweden, switzerland,
                               uk, us
                               Other: Facebook - uses the Facebook top 10,000 names
    --given-names FILE         Dictionary of given names
    --family-names FILE        Dictionary of family names
    -s, --substitute STATE     Control name substitutions. Valid values are 'on' and 'off'. Default: off
                               Can substitute any part of a name not available
    -m, --max-sub NUM          Limit quantity of substitutions per plugin. Default: -1 (Unlimited)

    Username format:
    -l, --list-formats         List format plugins
    -f, --select-format LIST   Select format plugins by name. Comma delimited list
    -r, --recognise USERNAME   Recognise which format is in use for a username. This uses the
                               Facebook dataset. Use verbose mode to show progress.
    -F, --format FORMAT        Define the user format using either format string or ABK format.
                               See README.md for format details.

    Output:
    -@, --suffix BOOL          Suffix. e.g. @example.com Default: None
    -C BOOL, --case-insensitive
                               Case insensitive usernames. Default: True (All lower case)

    Miscellaneous:
    -v, --verbose              Display plugin format comments in output and displays last name
                               searches in plugin format recogniser
    -h, --help

Example Usage

You know the name of a user but not the username format:

    ./username-anarchy anna key
    anna
    annakey
    anna.key
    annakey
    annak
    a.key
    akey
    kanna
    k.anna
    ...

You know the username format and names of users:

    ./username-anarchy --input-file ./test-names.txt --select-format first.last
    andrew.horton
    jim.vongrippenvud
    peter.otoole

You know the server is in France. Note that -a or --auto is required when you do not specify any input names:

    ./username-anarchy --country france --auto
    martin
    bernard
    thomas
    durand
    richard
    robert
    petit
    moreau
    dubois
    simon
    martinsmith
    martinjohnson
    ...

List username format plugins:

    ./username-anarchy --list-formats
    Plugin name      Example
    --------------------------------------------------------------------------------
    first            anna
    firstlast        annakey
    first.last       anna.key
    firstlast[8]     annakey
    firstl           annak
    f.last           a.key
    flast            akey
    lfirst           kanna
    l.first          k.anna
    lastf            keya
    last             key
    last.f           key.a
    last.first       key.anna
    FLast            AKey
    first1           anna0,anna1,anna2
    fl               ak
    fmlast           abkey
    firstmiddlelast  annaboomkey
    fml              abk
    FL               AK
    FirstLast        AnnaKey
    First.Last       Anna.Key
    Last             Key
    FML              ABK

Automatically recognise the username format in use:

    ./username-anarchy --recognise j.smith
    Recognising j.smith. This can take a while.
    Username format j.smith recognised. Plugin name: f.last

Input Files

To generate usernames for more than one user account you must provide the names in a text file. This can be either TAB or CSV delimited.

Example 1

    Firstname,Lastname
    Andrew,Horton
    Jim, von Grippenvud
    Peter,O'Toole

Example 2 (LinkedIn often shows the firstname and last initial)

    firstname,lastinitial
    andrew,h
    foo,b

Example 3 (mixed set of names)

    firstname,firstinitial,middleinitial,lastname,lastinitial
    andrew,,,horton,
    jim,,,,v
    ,p,,o'toole,

Custom Plugins

Command line Plugins

Define a custom plugin format using either the ABK or format string format. Specify the username format with -F or --format.

Example 1

    ./username-anarchy -F "v-annakey" andrew horton
    v-andrewhorton

Example 2

    ./username-anarchy -F "v-%f%l" -a -C poland
    v-nowaksmith
    v-nowakjohnson
    v-nowakjones
    v-nowakwilliams
    v-nowakbrown
    v-nowaklee
    v-nowakkhan
    v-nowaksingh
    v-nowakkumar
    v-nowakmiller
    ...

Writing Plugins

You can add plugins to username anarchy by defining them in format-plugins.rb.

This example uses the ABK format:

    Plugin.define "last.first" do
      def generate(n)
        n.format_anna("key.anna")
      end
    end

This example uses the format string format:

    Plugin.define "first" do
      def generate(n)
        n.format("%f")
      end
    end

Format Strings

Username Anarchy provides a method of defining a username format with format strings.

    %F    Firstname
    %M    Middlename
    %L    Lastname
    %f    firstname
    %m    middlename
    %l    lastname
    %i.f  first initial
    %i.m  middle initial
    %i.l  last initial
    %i.F  First initial
    %i.M  Middle initial
    %i.L  Last initial
    %D    Digit range 0..9
    %DD   Digit range 00..99

ABK Format

Username Anarchy provides a method of defining a username format with ABK format, which translates to format strings.

    Anna  %F
    Boom  %M
    Key   %L
    anna  %f
    boom  %m
    key   %l
    A     %i.F
    B     %i.M
    K     %i.L
    a     %i.f
    b     %i.m
    k     %i.l

Forum Usernames

The forum-names folder contains:
* common-forum-names.csv - A CSV file with forum names and the frequency they appeared with
* common-forum-names-top10k.txt - The top 10,000 forum names
* common-forum-names.txt - 1,774,313 forum names
* phpbb-scraper.rb - a web scraper for usernames on PHPbb forums

Name Resources

Names:
* http://worldnames.publicprofiler.org/SearchArea.aspx - Some common countries. Top 10 surnames and forenames
* https://secure.wikimedia.org/wikipedia/en/wiki/List_of_most_popular_given_names
* http://www.babynamefacts.com/popularnames/countries.php?country=NZD - top 100 baby names per country
* https://secure.wikimedia.org/wikipedia/en/wiki/List_of_most_common_surnames_in_Oceania

Name Parsing:
* https://secure.wikimedia.org/wikipedia/en/wiki/Capitalization
* http://cpansearch.perl.org/src/KIMRYAN/Lingua-EN-NameParse-1.28/lib/Lingua/EN/NameParse.pm
* http://search.cpan.org/~summer/Lingua-EN-NameCase/NameCase.pm

Download username-anarchy
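The format-string tokens, the ABK words that translate into them, and the plugin table above together define a small grammar. The following is an added example in Python, not the project's own Ruby code: it implements that grammar (token expansion including the %D/%DD digit ranges, ABK-to-format-string translation, a subset of the README's plugin table) and a simplified recogniser that takes the person's actual name rather than inferring it from the Facebook dataset as the real --recognise option does. Name cleaning (dropping spaces and apostrophes, as in the README's "Peter,O'Toole" to "peter.otoole" output) and the firstlast[8] truncation being left out are assumptions of this example. For a defender, the recogniser is the useful half: it answers whether an organisation's username scheme is one of the predictable formats listed above.

```python
"""Username Anarchy format-string and ABK grammar, worked in Python.

Added example, not the project's own Ruby code. It implements the format
tokens and ABK translation documented in the README, a subset of the plugin
table, and a simplified recogniser that needs the person's real name (the
real --recognise option infers it from the Facebook dataset instead).
"""
import re

# Format-string tokens; longest alternatives first so "%i.f" is not read as "%i" + ".f"
# and "%DD" is not read as "%D" + "D".
TOKEN_RE = re.compile(r"%i\.[FMLfml]|%DD|%D|%[FMLfml]")

# ABK words map onto format tokens (table from the README).
ABK_MAP = {
    "Anna": "%F", "Boom": "%M", "Key": "%L",
    "anna": "%f", "boom": "%m", "key": "%l",
    "A": "%i.F", "B": "%i.M", "K": "%i.L",
    "a": "%i.f", "b": "%i.m", "k": "%i.l",
}
# Longer words first so "Key" wins over "K" and "anna" over "a".
ABK_RE = re.compile("|".join(sorted(map(re.escape, ABK_MAP), key=len, reverse=True)))


def abk_to_format(abk):
    """Translate an ABK pattern such as "key.anna" into the format string "%l.%f"."""
    return ABK_RE.sub(lambda m: ABK_MAP[m.group()], abk)


def _clean(part):
    # Assumption: drop spaces and punctuation, matching the README output
    # "O'Toole" -> otoole and "von Grippenvud" -> vongrippenvud.
    return re.sub(r"[^A-Za-z0-9]", "", part)


def expand(fmt, name, case_insensitive=False):
    """Return every username the format string yields for name (a dict with
    first/middle/last keys). %D and %DD produce one result per digit value."""
    parts = {k: _clean(name.get(v, "")) for k, v in (("f", "first"), ("m", "middle"), ("l", "last"))}

    def values(tok):
        if tok == "%D":
            return [str(d) for d in range(10)]
        if tok == "%DD":
            return [f"{d:02d}" for d in range(100)]
        key = tok[-1]                      # F/M/L or f/m/l, the last character of the token
        value = parts[key.lower()]
        if tok.startswith("%i."):
            value = value[:1]              # initial only
        return [value.capitalize() if key.isupper() else value.lower()]

    results = [""]
    pos = 0
    for m in TOKEN_RE.finditer(fmt):
        literal = fmt[pos:m.start()]       # text between tokens is copied verbatim
        results = [r + literal + v for r in results for v in values(m.group())]
        pos = m.end()
    results = [r + fmt[pos:] for r in results]
    return [r.lower() for r in results] if case_insensitive else results


# Subset of the README's plugin table, written in ABK; first1 uses a digit range
# and so is given directly as a format string. firstlast[8] is omitted.
PLUGINS = {
    "first": "anna", "firstlast": "annakey", "first.last": "anna.key", "firstl": "annak",
    "f.last": "a.key", "flast": "akey", "lfirst": "kanna", "l.first": "k.anna",
    "lastf": "keya", "last": "key", "last.f": "key.a", "last.first": "key.anna",
    "FLast": "AKey", "fl": "ak", "fmlast": "abkey", "firstmiddlelast": "annaboomkey",
    "fml": "abk", "FL": "AK", "FirstLast": "AnnaKey", "First.Last": "Anna.Key",
    "Last": "Key", "FML": "ABK",
}
PLUGIN_FORMATS = {plugin: abk_to_format(abk) for plugin, abk in PLUGINS.items()}
PLUGIN_FORMATS["first1"] = "%f%D"


def list_formats(name):
    """Plugin name -> first example username, like --list-formats."""
    return {plugin: expand(fmt, name)[0] for plugin, fmt in PLUGIN_FORMATS.items()}


def recognise(username, name):
    """Plugin names whose format produces username for the given real name."""
    return [p for p, fmt in PLUGIN_FORMATS.items() if username in expand(fmt, name)]


if __name__ == "__main__":
    anna = {"first": "anna", "middle": "boom", "last": "key"}
    for plugin, example in list_formats(anna).items():
        print(f"{plugin:16} {example}")
    print(recognise("j.smith", {"first": "john", "last": "smith"}))
```

Run as a script it reproduces the README's --list-formats table for "anna boom key" (minus firstlast[8]) and reports that "j.smith" for John Smith matches the f.last plugin; the case_insensitive flag mirrors the tool's -C default, under which the capitalised and lower-case plugins collapse to the same output.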

Link: http://feedproxy.google.com/~r/PentestTools/~3/vlKEA72Y_4g/username-anarchy-username-tools-for.html