Thursday, June 4, 2015

Top 14 Web Vulnerability Scanners


In the past, many popular websites have been hacked. Hackers are constantly active and always trying to hack websites and leak data, which is why security testing of web applications is so important. This is where web application security scanners come in. A web application security scanner is a software program which performs automatic black-box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code; they only perform functional testing and try to find security vulnerabilities.
Various paid and free web application vulnerability scanners are available. In this post, we are listing the best free open source web application vulnerability scanners. I am adding the tools in random order, so please do not think it is a ranking of tools.
I am only adding open source tools which can be used to find security vulnerabilities in web applications. I am not adding tools for finding server vulnerabilities. And do not confuse free tools with open source tools: various other tools are available for free, but they do not provide their source code to other developers. Open source tools are those which offer the source code to developers so that developers can modify the tool or help in further development.
These are the best open source web application penetration testing tools:
Grabber
Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:
  • Cross site scripting
  • SQL injection
  • Ajax testing
  • File inclusion
  • JS source code analyzer
  • Backup file check
It is not fast compared to other security scanners, but it is simple and portable. It should be used only to test small web applications because it takes too much time to scan large applications.
This tool does not offer a GUI. It also cannot create a PDF report. It was designed to be simple and for personal use. You can try this tool for personal use, but if you are considering it for professional use, I would never recommend it.
This tool was developed in Python, and an executable version is also available if you want one. The source code is available, so you can modify it according to your needs. The main script is grabber.py, which once executed calls other modules like sql.py, xss.py and others.
Source code on Github: https://github.com/neuroo/grabber
Vega
Vega is another free open source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI based environment. It is available for OS X, Linux and Windows.
It can be used to find SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.
While working with the tool, it lets you set a few preferences like the total number of path descendants, the number of child paths of a node, depth and the maximum number of requests per second. You can use Vega Scanner, Vega Proxy, Proxy Scanner and also Scanner with credentials. If you need help, you can find resources in the documentation section.

Zed Attack Proxy
Zed Attack Proxy is also known as ZAP. This tool is open source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications.
These are the key functionalities of ZAP:
  • Intercepting Proxy
  • Automatic Scanner
  • Traditional but powerful spiders
  • Fuzzer
  • Web Socket Support
  • Plug-n-hack support
  • Authentication support
  • REST based API
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.
Wapiti
Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and sees if a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities.
It can detect following vulnerabilities:
  • File Disclosure
  • File inclusion
  • Cross Site Scripting (XSS)
  • Command execution detection
  • CRLF Injection
  • SQL Injection and XPath Injection
  • Weak .htaccess configuration
  • Backup files disclosure
  • and many others
Wapiti is a command-line application, so it may not be easy for beginners, but for experts it will perform well. To use this tool you need to learn lots of commands, which can be found in the official documentation.
Download Wapiti with source code: http://wapiti.sourceforge.net/
W3af
W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It is developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, Cross-Site Scripting and many others.
It comes with a graphical and console interface. You can use it easily by using its easy to understand interface.
If you are using it with Graphical Interface, I do not think that you are going to face any problem with the tool. You only need to select the options and then start the scanner. If a website needs authentication, you can also use authentication modules to scan the session-protected pages.
We have already covered this tool in detail in our previous W3af walkthrough series. You can read those articles to know more about this tool.
You can access the source code at the Github repository: https://github.com/andresriancho/w3af/
Download it from the official website: http://w3af.org/
WebScarab
WebScarab is a Java-based security framework for analyzing web applications using the HTTP or HTTPS protocol. With the available plugins, you can extend the functionality of the tool. This tool works as an intercepting proxy, so you can review the requests and responses coming to your browser and going to the server. You can also modify a request or response before it is received by the server or browser.
If you are a beginner, this tool is not for you. This tool was designed for those who have a good understanding of the HTTP protocol and can write code.
WebScarab provides many features which help penetration testers work closely on a web application and find security vulnerabilities. It has a spider which can automatically find new URLs of the target website. It can easily extract scripts and HTML of the page. The proxy observes the traffic between the server and your browser, and you can take control of the request and response by using the available plugins. The available modules can easily detect most common vulnerabilities like SQL injection, XSS, CRLF and many other vulnerabilities.
Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab
Skipfish
Skipfish is also a nice web application security tool. It crawls the website, then checks each page for various security threats and at the end prepares the final report. This tool was written in C. It is highly optimized for HTTP handling and uses minimal CPU. It claims that it can easily handle 2000 requests per second without adding load on the CPU. It uses a heuristic approach while crawling and testing web pages. This tool also claims to offer high quality results and fewer false positives.
This tool is available for Linux, FreeBSD, MacOS X and Windows.
Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/
Ratproxy
Ratproxy is also an open source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X and Windows (Cygwin) environments.
This tool is designed to overcome the problems users usually face while using other proxy tools for security audits. It is capable of distinguishing between CSS stylesheets and JavaScript code. It also supports SSL man-in-the-middle interception, which means you can also see data passing through SSL. You can read more about this tool here: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
SQLMap
SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website's database. It has a powerful detection engine and many useful features, so a penetration tester can easily perform SQL injection checks on a website.
It supports a range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support for 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Access the source code on the Github repository: https://github.com/sqlmapproject/sqlmap
Wfuzz
Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCKS, proxies, authentication, parameter brute forcing, multiple proxies and many other things. You can read more about the features of the tool here: http://code.google.com/p/wfuzz/
This tool does not offer a GUI, so you will have to work on the command line.
Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/
Grendel-Scan
Grendel-Scan is another nice open source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh. This tool was developed in Java.
Download the tool and source code: http://sourceforge.net/projects/grendel/
Watcher
Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but is an add-on of Fiddler. So you need to first install Fiddler and then install Watcher to use it.
It quietly analyzes the request and response from the user-interaction and then makes a report on the application. As it is a passive scanner, it will not affect the website’s hosting or cloud infrastructure.
Download watcher and its source code: http://websecuritytool.codeplex.com/
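The passive approach described above, as an added example that is not Watcher's own code: the checks run over a response the browser already received and send no requests of their own. The check set is a small illustrative subset chosen for this example, and the URL and response are constructed inline.

```python
"""Passive checks over a captured HTTP response (illustrative subset)."""
import re

SAMPLE_URL = "https://example.test/login"          # constructed
SAMPLE_RESPONSE = (                                  # constructed
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body><form method=\"post\">"
    "<input type=\"password\" name=\"pw\"></form></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie
    are kept as a list of values."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def passive_checks(url, raw):
    """Return a list of (check, detail) findings for one response."""
    status, headers, body = parse_response(raw)
    findings = []
    over_https = url.lower().startswith("https://")

    # Cookie flags: cookies without HttpOnly are readable by script after an
    # XSS; without Secure they leak over a plain-HTTP request to the host.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append(("cookie-httponly", name))
        if over_https and "secure" not in flags:
            findings.append(("cookie-secure", name))

    ctype = headers.get("content-type", [""])[0]
    is_html = ctype.lower().startswith("text/html")
    # A missing charset lets the browser guess the encoding, one of the
    # encoding issues that can turn into XSS.
    if is_html and "charset=" not in ctype.lower():
        findings.append(("charset-missing", ctype or "(none)"))
    # No framing protection on an HTML page: clickjacking candidate.
    if is_html and not ({"x-frame-options", "content-security-policy"} & set(headers)):
        findings.append(("clickjacking", "no X-Frame-Options or Content-Security-Policy"))

    # Version strings in Server headers are information disclosure.
    for server in headers.get("server", []):
        if re.search(r"\d", server):
            findings.append(("server-version", server))

    # Password fields without autocomplete=off (a classic passive check).
    for tag in re.findall(r"<input\b[^>]*>", body, re.I):
        if re.search(r"""type\s*=\s*["']?password""", tag, re.I) and \
           not re.search(r"""autocomplete\s*=\s*["']?off""", tag, re.I):
            m = re.search(r"""name\s*=\s*["']?([\w.-]+)""", tag, re.I)
            findings.append(("password-autocomplete", m.group(1) if m else "(unnamed)"))
    return findings


def demo():
    """Run the checks over the constructed sample response."""
    return passive_checks(SAMPLE_URL, SAMPLE_RESPONSE)


if __name__ == "__main__":
    for check, detail in demo():
        print(f"{check:22} {detail}")
```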
X5S
X5S is also a Fiddler add-on which aims to provide a way to find cross-site scripting vulnerabilities. This is not an automatic tool, so you need to understand how encoding issues can lead to XSS. You need to manually find the injection point and then check where XSS may exist in the application.
We have covered the X5S in a previous post. So, you can refer to that article to read more about X5S and XSS.
Download X5S and source code from codeplex: http://xss.codeplex.com/
You can also refer to this official guide to learn how to use X5S: http://xss.codeplex.com/wikipage?title=tutorial
Arachni
Arachni is an open source tool developed to provide a penetration testing environment. It can detect many web application security vulnerabilities, such as SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects and many others.
Download this tool here: http://www.arachni-scanner.com/
Final Word
These are the best open source web application security testing tools. I tried my best to list all the tools available online. If a tool has not been updated for many years, I did not mention it here, because a tool that is more than 10 years old can create compatibility issues in a recent environment. If you are a developer, you can also join the developer community of these tools and help them grow. By helping these tools, you will also increase your knowledge and expertise.
If you want to start penetration testing, I recommend using Linux distributions that have been created for penetration testing. These environments are BackTrack, GnackTrack, BackBox and Blackbuntu. All of these distributions come with various free and open source tools for website penetration testing, so you can go with those environments.
If you think I forgot to mention an important tool, you can drop a comment and I will try to add it.

Hack Facebook Accounts By Sending A Text Message

This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction.
Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.
The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.
The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.
To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back.
We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.
Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.
Note: You may have to reauth after submitting the request, but the password required is yours, not the target's.
An SMS is then received with confirmation.
Now we can initiate a password reset request against the user and get the code via SMS.
Another SMS is received with the reset code.
We enter this code into the form, choose a new password, and we’re done. The account is ours.

Fix

Facebook responded by verifying that you have permission to modify the phone number on the profile denoted by profile_id.
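The bug and its fix as an added example, not Facebook's code: a small in-memory handler stands in for the confirm_phone end-point described above, with the request carrying the authenticated user (__user) and the profile_id parameter. The vulnerable handler trusts profile_id; the fixed one first checks that the session user may modify that profile, which is the fix the post describes. Account ids, the SMS code and the phone number are constructed.

```python
"""Toy model of the confirm_phone authorization bug, its fix, and a detection hint."""
from dataclasses import dataclass, field

ATTACKER_ID = 1001                  # constructed account ids
VICTIM_ID = 2002
# Constructed stand-in for the SMS flow: the code the attacker requested
# for their own phone number, mapped to that number.
ATTACKER_CODE = "A1B2C3D4"
ATTACKER_PHONE = "+44 7700 900123"  # constructed, not a real number


@dataclass
class Request:
    user: int                          # __user: the session's authenticated account
    params: dict = field(default_factory=dict)


def fresh_state():
    """New accounts table and pending-code table for each scenario."""
    accounts = {ATTACKER_ID: {"phone": None}, VICTIM_ID: {"phone": None}}
    pending = {ATTACKER_CODE: ATTACKER_PHONE}
    return accounts, pending


def confirm_phone_vulnerable(req, accounts, pending):
    """Before the fix: the profile to update is taken from profile_id and
    nobody checks that req.user is allowed to change it."""
    profile_id = int(req.params["profile_id"])
    phone = pending.get(req.params.get("code"))
    if phone is None or profile_id not in accounts:
        return 400
    accounts[profile_id]["phone"] = phone   # attacker's number lands on any profile
    return 200


def can_modify_profile(user_id, profile_id):
    """Authorization check: a user may edit only their own profile.
    Assumption for this example; a real system consults its permission model."""
    return user_id == profile_id


def confirm_phone_fixed(req, accounts, pending):
    """After the fix: refuse unless the session user has permission to
    modify the profile denoted by profile_id."""
    profile_id = int(req.params["profile_id"])
    if not can_modify_profile(req.user, profile_id):
        return 403
    phone = pending.get(req.params.get("code"))
    if phone is None or profile_id not in accounts:
        return 400
    accounts[profile_id]["phone"] = phone
    return 200


def is_suspicious(req):
    """Detection hint: a confirm_phone request whose profile_id differs from
    __user is exactly the mismatch the post points out in the 200 response,
    and is worth logging even after the fix."""
    return int(req.params.get("profile_id", req.user)) != req.user


def run_scenario(handler):
    """Attacker (logged in as ATTACKER_ID) submits their own SMS code with
    profile_id rewritten to the victim's. Returns (status, victim's phone)."""
    accounts, pending = fresh_state()
    req = Request(user=ATTACKER_ID,
                  params={"code": ATTACKER_CODE, "profile_id": str(VICTIM_ID)})
    status = handler(req, accounts, pending)
    return status, accounts[VICTIM_ID]["phone"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(confirm_phone_vulnerable))
    print("fixed:     ", run_scenario(confirm_phone_fixed))
```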

Timeline

  • 23rd May 2013 - Reported
  • 28th May 2013 - Acknowledgment of Report
  • 28th May 2013 - Issue Fixed

Note

The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue.

Become A Great Hacker By Following Simple Steps

1. Learn TCP/IP, basic information gathering, proxies, SOCKS, SSL, VPN, VPS, RDP, FTP, POP3, SMTP, Telnet, SSH.
2. Learn Linux, Unix, Windows - you can do this using VMware or any virtual desktop utility.
3. Learn a programming language that's compatible with all OSes - Perl, Python, C, ASM.
4. Learn HTML, PHP, JavaScript, ASP, XML, SQL, XSS, SQLi, RFI, LFI.
5. Learn reverse engineering and crack some programs for serials, easy ones like mIRC, WinZip, WinRAR or old games.
6. Code a fuzzer for common protocols - FTP, POP3, 80, 8080. Pick some free software like an FTP server, a mail server, an Apache or IIS web server or a web server all-in-one pack, or TeamSpeak, Ventrilo, Mumble.
7. Code a tool that uses grep to sort out unique code in source code.
8. Make a custom iptables / IPsec firewall that blocks all incoming and outgoing traffic, and add filters to accept certain ports that your software or scripts use.
9. Pick a kernel in Linux or Unix, and also pick a Microsoft OS version, let's say WinXP Pro SP2; put them on the virtual desktops (VMware) and find and code a new local exploit in those versions, then install an Apache web server on the Linux/Unix and an IIS web server on the WinXP Pro and attempt to find and code a new local reverse_tcp_shell exploit.
10. Learn Cisco router and switch configuration and setup.
11. Learn Checkpoint setup and config.
12. Learn Wi-Fi scanning, cracking, sniffing.
13. Pick a person in your phonebook for the area code you live in or city, then ring the person on an anonymous line like Skype or a payphone or a carded SIM and attempt to social engineer the person for his name, address, date of birth, city born, country born, ISP connected with, phone company connected with, what bank he/she uses and anything else you can get. Then attempt to ring using spoof caller ID software with the person's phone number - call the ISP and try to reset the password to his/her internet connection/web-mail, get access to the bank account or ask them to send out a new *** to a new address (drop) with a new PIN, reset phone company passwords.
14. Use your information gathering skills to get all the information off a website like a shop, then use the spoof caller ID software or hack your phone to show a new number of the web server's tech support number, then ring the shop owner and try to get the shop site password.
15. Do the same thing, but attempt to use a web attack against a site or shop to gain admin access.
16. Once you have access, upload a shell and attempt to exploit the server to gain root using an exploit you coded, not someone else's exploit.
17. Make your own Linux distro.
18. Use your own Linux distro or use a vanilla Linux GNOME (not KDE); keep it with not much graphics so you can learn how to depend on the terminal, and start from scratch, installing only the applications you will need for a black box (security test box); make folders for fuzzers, exploits, scanners, etc., then load them up with your own scripts and other tools (by this stage you shouldn't need to depend on other people's scripts).
19. Learn Mac OS X and attempt to gain access to a Mac OS X box, whether it be your own or someone else's.
20. Create a secure home network and secure your own systems with your own security policies and firewall settings.


None of this is learned overnight: it will take a good 3 - 4 years to learn a bit of this and 5+ years to learn most of it, and even then you will need time to keep learning, as IT keeps changing every day.

As long as you're dedicated to learning you won't have any problems, and if you learn all of that you should easily get a job in any company if you show proof that you can do these things (print out scripts that you made, or put them on a disc) to show the companies.

Facebook Hacking Softwares


1. PWN STAR

A bash script to launch an access point, which can be configured with a variety of attack options, including a PHP script and a server index.html for phishing. It can act as a multi-client captive portal using PHP and iptables, and includes exploitation classics such as the crime-PDF and de-auth with aireplay.



General Features:


  • Managing Interfaces and MAC Spoofing
  • Set sniffing
  • Phishing Web
  • Karmetasploit
  • WPA handshake
  • De-auth client
  • Managing Iptables



2. ZED ATTACK PROXY (ZAP)

ZAP is an integrated penetration testing tool for finding vulnerabilities in web applications. It is designed for use by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pentester's toolbox.


Key Features:


  • Intercepting Proxy
  • Active scanners
  • Passive scanners
  • Brute Force scanner
  • Spider
  • Fuzzer
  • Port Scanner
  • Dynamic SSL certificates
  • API
  • Beanshell integration



3. SET (SOCIAL ENGINEERING TOOLKIT)

A toolkit that focuses on attacking the human element: weakness and inadvertence. This tool is widely used today and is one of the most successful tools demonstrated at Defcon.


Key Features:

  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector



4. BURP SUITE

Burp Suite is a very nice tool for web application security testing. This tool is great for pentesters and security researchers. It contains a variety of tools with many interfaces between them, designed to facilitate and accelerate the process of testing web applications.



General Function:

  • Intercepting proxy
  • Spider for crawling
  • Web application scanner
  • Intruder tool
  • Repeater and Sequencer tools

5. ETTERCAP


Ettercap is a multipurpose sniffer / interceptor / logger for local area networks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.




General Function:

  • Capture traffic and data
  • Network logging
  • Etc.


6. SANS INVESTIGATIVE FORENSIC TOOLKIT (SIFT)

The SANS Investigative Forensic Toolkit (SIFT) Workstation is a VMware appliance that can be configured with all the requirements to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF) and raw (dd) evidence formats. The new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities used in modern forensic work.


General Function SIFT:

  • iPhone, Blackberry, and Android Forensic Capabilities
  • Registry Viewer (YARU)
  • Compatibility with F-Response Tactical, Standard, and Enterprise
  • PTK 2.0 (Special Release - Not Available for Download)
  • Automated Generation Timeline via log2timeline
  • Many Firefox Investigative Tools
  • Windows Journal Parser and Shellbags Parser (jp and sbag)
  • Many Windows Analysis Utilities (prefetch, usbstor, event logs, and more)
  • Complete Overhaul of Regripper Plugins (added over 80 additional plugins)


7. WIRESHARK

Wireshark is the world's most widely used and most popular protocol analyzer, and is the de facto standard across many industries and educational institutions for analyzing networks across many different protocols.



General Function:

  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode tshark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read / write many different capture file formats
  • Etc.

8. WEBSPLOIT

WebSploit is an open source project for remotely scanning and analysing weaknesses in web applications.

Key Features: 

[>] Social Engineering Works
[>] Scan, Web Crawler & Analysis
[>] Automatic Exploiter
[>] Support Network Attacks
-
[+] Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+] WMAP - Scan, Target Used Crawler From Metasploit WMAP plugin
[+] format infector - inject the payload into reverse and bind file format
[+] phpmyadmin Scanner
[+] LFI Bypasser
[+] Apache Users Scanner
[+] Dir Bruter
[+] admin finder
[+] MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+] MITM - Man In The Middle Attack
[+] Java Applet Attack
[+] MFOD Attack Vector
[+] USB Infection Attack
[+] Dos ARP Attack
[+] 's Killer Attack
[+] Attack Fake Update
[+] Fake Access Point Attack


9. WINAUTOPWN


WinAutoPWN is a tool used to exploit Windows hosts directly, so that the user automatically becomes an administrator on the Windows machine. It is widely used by Indonesian "defacers" to deface Windows servers.



10. HASHCAT

Hashcat is a family of tools for cracking password hashes; it is very powerful for password recovery.


General Function:

  • Multi-Threaded
  • Free
  • Multi-Hash (up to 24 million hashes)
  • Multi-OS (Linux, Windows and OSX native binaries)
  • Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, ...)
  • SSE2 accelerated
  • All Attack-Modes except Brute-Force and Permutation can be extended by rules
  • Very fast Rule-engine
  • Rules compatible with JTR and PasswordsPro
  • Possible to resume or limit session
  • Automatically recognizes recovered hashes from outfile at startup
  • Can automatically generate random rules
  • Load saltlist from an external file and then use them in a Brute-Force Attack variant
  • Able to work in an distributed environment
  • Specify multiple wordlists or multiple directories of wordlists
  • Number of threads can be configured
  • Threads run at the lowest priority
  • 30+ algorithms implemented with performance in mind
  • ... and much more



11. UNISCAN

Uniscan is a scanner for web applications, written in Perl for Linux. The current Uniscan version is 6.2.



General Function:

  • Identification of system pages through a Web Crawler.
  • Use of threads in the crawler.
  • Control of the maximum number of requests made by the crawler.
  • Control of the variation of system pages identified by the Web Crawler.
  • Control of file extensions that are ignored.
  • Test of pages found via the GET method.
  • Test the forms found via the POST method.
  • Support for SSL requests ( HTTPS ).
  • Proxy support.
  • Generate site list using Google.
  • Generate site list using Bing.
  • Plug-in support for Crawler.
  • Plug-in support for dynamic tests.
  • Plug-in support for static tests.
  • Plug-in support for stress tests.
  • Multi-language support.
  • Web client.



12. OLLYDBG

OllyDbg is a 32-bit assembler-level debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source code is not available.

General Function:

  • Intuitive user interface, no cryptic commands
  • Code analysis - traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings
  • Directly loads and debugs DLLs
  • Object file scanning - locates routines from object files and libraries
  • Allows for user-defined labels, comments and function descriptions
  • Understands debugging information in Borland® format
  • Saves patches between sessions, writes them back to executable file and updates fixups
  • Open architecture - many third-party plugins are available
  • No installation - no trash in registry or system directories
  • Debugs multithreaded applications
  • Attaches to running programs
  • Configurable disassembler, supports both MASM and IDEAL formats
  • MMX, 3DNow! and SSE instructions and data types, including Athlon extensions
  • Full UNICODE support
  • Dynamically recognizes ASCII and UNICODE strings - also in Delphi format!
  • Recognizes complex code constructs, like call to jump to procedure
  • Decodes calls to more than 1900 standard API and 400 C functions
  • Gives context-sensitive help on API functions from external help file
  • Sets conditional, logging, memory and hardware breakpoints
  • Traces program execution, logs arguments of known functions
  • Shows fixups
  • Dynamically traces stack frames
  • Searches for imprecise commands and masked binary sequences
  • Searches whole allocated memory
  • Finds references to constant or address range
  • Examines and modifies memory, sets breakpoints and pauses the program on-the-fly
  • Assembles commands into the shortest binary form
  • Starts from a floppy disk

13. BBQSQL

BBQSQL is an open source SQL injection framework specifically designed to be hyper fast, database agnostic, easy to set up and easy to modify. It is another amazing release from the Black Hat USA 2012 Arsenal. When conducting security assessments of applications, we often find that SQL injection vulnerabilities are difficult to exploit; with this tool it becomes extremely easy.

BBQSQL is written in the Python programming language. It is very useful when dealing with complex SQL injection vulnerabilities. BBQSQL is also a semi-automated tool, which allows some customization for those who find it difficult to trigger a SQL injection. The tool is built to be database agnostic and very versatile. It also has an intuitive UI that makes setting up the test much easier.



General Function:

  • SQL Injection Tools
  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

14. CRYPTOHAZE

Tools to crack passwords / hashes; Cryptohaze supports CUDA, OpenCL and CPU code (SSE, AVX, etc.). It can run on any OS that supports CUDA. It is intended to make it easier for pentesters to crack hashes.

General Function:

  • Crack various kinds of hash
  • Showing results from cracked hashes
  • Cracking on various OS platforms

                                          


15. SAMURAI WEB TESTING FRAMEWORK (SWTF)

SWTF is used for testing / pentesting against web applications; it is used to find weaknesses and exploit them against the web. It is very comprehensive and widely used around the world, including by the binushacker staff.



General Function:

  • Web Scanner
  • Web Mapping
  • Web Exploitation