Kon-Boot – Reset Windows & Linux Passwords

Kon-Boot is a prototype piece of software which allows the contents of a Linux kernel (and now the Windows kernel too!) to be changed on the fly, while booting.

In its current build it allows logging into a Linux system as the 'root' user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password.

It was mainly created for Ubuntu; later the author added a few add-ons to cover some other Linux distributions.

All of Kon-Boot was written in pure x86 assembly, using the old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot has been ported to Windows platforms, so it now supports Microsoft Windows systems as well as the Linux systems listed below. Kon-Boot for Windows enables logging in to any password-protected machine profile without any knowledge of the password. The tool changes the contents of the Windows kernel while booting; everything is done virtually, without any physical changes to the system. So far the following systems have been tested to work correctly with Kon-Boot:

  • Windows Server 2008 Standard SP2 (v.275)
  • Windows Vista Business SP0
  • Windows Vista Ultimate SP1
  • Windows Vista Ultimate SP0
  • Windows Server 2003 Enterprise
  • Windows XP
  • Windows XP SP1
  • Windows XP SP2
  • Windows XP SP3
  • Windows 7

No special usage instructions are required for Windows users: just boot from the Kon-Boot CD/floppy, select your profile and enter any password you want. Lost your password? Now it doesn't matter at all.

It has been tested with the following Linux distributions:

  • Gentoo 2.6.24-gentoo-r5 GRUB 0.97
  • Ubuntu 2.6.24.3-debug GRUB 0.97
  • Debian 2.6.18-6-6861 GRUB 0.97
  • Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

Or read more here.

CeWL – Custom Word List Generator Tool for Password Cracking

This application is geared towards creating custom word lists from a specific domain by crawling it for unique words. Basically you give the application a target website to spider and it will collect the unique words it finds. The application is written in Ruby and is called CeWL, the Custom Word List generator. The app can spider a given URL to a specified depth, optionally following external links, and returns a list of words which can then be fed to password crackers such as John the Ripper.

If you combine the output of CeWL and AWLG with the standard wordlists for password cracking, you should have a fairly comprehensive set.

By default, CeWL sticks to just the site you have specified and will go to a depth of 2 links; this behaviour can be changed by passing arguments. Be careful if setting a large depth and allowing it to go off-site: you could end up drifting on to a lot of other domains. All words of three characters and over are output to stdout. This minimum length can be increased, and the words can be written to a file rather than the screen so the app can be automated.

Version 2 of CeWL can also create two new lists: a list of email addresses found in mailto links, and a list of author/creator names collected from the metadata of documents found on the site. It can currently process documents in pre-2007 Office, Office 2007 and PDF formats. This user data can then be used to build the list of usernames to be used in association with the password list.
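To make concrete what CeWL pulls out of each page it crawls, here is an added example in Ruby (written for this post, not CeWL's own code): word extraction with the same three-character default minimum, mailto address extraction and author metadata extraction, run over a constructed HTML page so it works offline. Spidering and fetching are left out; the sample page, its names and addresses are all made up.

```ruby
# Added example, not CeWL's code: the per-page extraction step of a
# custom word list generator, as three pure functions over a string of HTML.
require 'set'

# Constructed sample page standing in for one crawled document.
SAMPLE_HTML = <<~HTML
  <html><head><title>Acme Widgets - Quality Widgets Since 1999</title>
  <meta name="author" content="Jane Doe"></head>
  <body><p>Acme builds <b>widgets</b> and gadgets. Contact
  <a href="mailto:jane.doe@acme.example">Jane</a> or
  <a href="mailto:sales@acme.example?subject=hi">sales</a>.</p>
  <script>var x = "ignoredScriptWord";</script>
  </body></html>
HTML

# Drop script/style blocks and tags, then keep unique words of at least
# min_length characters in first-seen order (CeWL's default minimum is 3).
# Case is preserved, so "Widgets" and "widgets" are separate candidates.
def extract_words(html, min_length: 3)
  text = html.gsub(%r{<(script|style)[^>]*>.*?</\1>}mi, ' ')
             .gsub(/<[^>]+>/, ' ')
  seen = Set.new
  text.scan(/[[:alpha:]]+/).each_with_object([]) do |word, out|
    next if word.length < min_length || seen.include?(word)
    seen << word
    out << word
  end
end

# Addresses from mailto: links, with any ?subject=... query dropped.
def extract_mailto(html)
  html.scan(/href=["']mailto:([^"'?]+)/i).flatten.uniq
end

# Author names from <meta name="author"> tags, the HTML analogue of the
# document metadata CeWL reads from Office and PDF files.
def extract_authors(html)
  html.scan(/<meta\s+name=["']author["']\s+content=["']([^"']+)["']/i).flatten.uniq
end

if __FILE__ == $0
  puts extract_words(SAMPLE_HTML)
  puts extract_mailto(SAMPLE_HTML).inspect
  puts extract_authors(SAMPLE_HTML).inspect
end
```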

Installation

CeWL needs the rubygems package to be installed along with the following gems:

  • http_configuration
  • mime-types
  • mini_exiftool
  • rubyzip
  • spider

You can download CeWL here:

cewl_2.0.tar.bz2

Or read more here.

BackTrack 4 Pre Release Available For Download

For those that don't know, BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.

It evolved from the merge of two widespread distributions, Whax and Auditor Security Collection. By joining forces and replacing those distributions, BackTrack gained massive popularity and was voted the #1 Security Live Distribution by insecure.org in 2006. Security professionals as well as newcomers all over the globe use BackTrack as their favourite toolset.

The new version has busted the 700MB file size though, so it's DVD or USB; it's recommended to use a USB drive to run it, or to install it on your HDD, as running from a disc isn't exactly speedy.

Full details available in the PDF guide:

BackTrack 4 Guide [PDF]

You can download BackTrack 4 Pre Release ISO here:

bt4-pre-final.iso

Or read more here.

Slowloris – HTTP DoS Tool in PERL

This tool has been hitting the news, including some mentions in the SANS ISC Diary.

It's not actually a new attack (it's been around since 2005), but this is the first time a packaged tool has been released for it.

Slowloris holds connections open by sending partial HTTP requests. It continues to send further headers at regular intervals to keep the sockets from closing. In this way web servers can be quickly tied up. In particular, servers that use threading will tend to be vulnerable, precisely because they attempt to limit the number of threads they'll allow.

Slowloris must wait for all the sockets to become available before it succeeds in consuming them, so on a high-traffic website it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all the sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time period they'll still be able to see the site.

So it's a bit of a race condition, but one that Slowloris will eventually always win, and sooner rather than later.

Slowloris lets the web server return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may only require a brief downtime.

This affects a number of web servers that use threaded processes and, ironically, attempt to limit that threading to prevent memory exhaustion: fixing one problem created another. This includes, but is not necessarily limited to, the following:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • Squid

There are also a number of web servers that this doesn't affect, in the author's testing:

  • IIS6.0
  • IIS7.0
  • lighttpd
  • nginx
  • Cherokee (verified by user community)
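A defender-side illustration of the failure mode just described, as an added example in Ruby that is not part of the original post or of Slowloris: because a header line arrives every few seconds, a plain idle timeout never fires, whereas a deadline on completing the whole header block, extended only by bytes actually received (the approach Apache's mod_reqtimeout takes with RequestReadTimeout header=20-40,MinRate=500), does close the connection. The policy values and the connection observations below are constructed.

```ruby
# Added example, not any web server's code: a minimal request-read-timeout
# policy. A thread that only gives up after an idle period stays held by a
# client that trickles one short header line every few seconds; a deadline
# on finishing the headers, extended by bytes received, releases it.

# Latest observation of one client connection: seconds since accept, header
# bytes received so far, and whether the blank line ending the headers arrived.
Observation = Struct.new(:conn, :seconds, :bytes, :headers_done)

# Deadline (seconds) by which headers must be complete: `initial` seconds, plus
# one extra second per `min_rate` bytes received, capped at `max`. The defaults
# mirror the assumed mod_reqtimeout setting header=20-40,MinRate=500.
def header_deadline(bytes, initial: 20, max: 40, min_rate: 500)
  [initial + bytes.to_f / min_rate, max].min
end

# Ids of connections whose headers are still incomplete past their deadline;
# these are the ones a server should close to free the thread.
def slow_header_connections(observations, **policy)
  latest = {}
  observations.each { |o| latest[o.conn] = o }   # newest observation per connection
  latest.values.reject(&:headers_done)
        .select { |o| o.seconds > header_deadline(o.bytes, **policy) }
        .map(&:conn)
end

# Constructed sample: a normal browser (1); a slow-header client that has
# trickled a few short lines over 35 s (2); a slow but genuinely sending
# client still inside its extended deadline (3); and a client that sends
# enough bytes to keep extending its deadline but hits the absolute cap (4).
SAMPLE = [
  Observation.new(1, 0.3, 412, true),
  Observation.new(2, 5.0, 120, false),
  Observation.new(2, 35.0, 520, false),
  Observation.new(3, 25.0, 4000, false),
  Observation.new(4, 45.0, 20_000, false),
]

puts slow_header_connections(SAMPLE).inspect if __FILE__ == $0   # => [2, 4]
```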

You can download Slowloris here:

slowloris.pl

Or read more here.

Acunetix Web Vulnerability Scanner (WVS) 6.5

Combine this with the Session Auto Recognition module, which identifies when a logged-in session has been invalidated or has expired and re-logs in automatically, and you have a great tool for scanning authentication-based web applications.

There is also a lot more support for JSP/Tomcat-based applications; I haven't had a chance to test this as I don't deal with many Java-based web applications.

Also included are some back-end and interface changes, such as displaying port scan and network alerts separately from the web alerts, which does make it easier to see where the issues are.

Back-end features like cookie handling and blind SQL injection methods have been improved; you can also import your settings from version 6 if you are currently using that.

You can read the press release here, or more on the blog here.

The pricing can be found here (in both Euros and USD).

If you want to know more about the features you can download the manual here:

Acunetix WVS 6.5 Manual [PDF]

fm-fsf – Freakin’ Simple Fuzzer – Cross Platform Fuzzing Tool

fm-fsf is a new fuzzer/data scraper that works under OS X and Linux (with Mono) and Windows (.NET Framework). Fuzzing tools are always useful if you are looking to discover new flaws in a piece of software or a web service.

Quick Info

FSF is a plug-in-based, freakin' simple fuzzer for fuzzing web applications and scraping data.

It supports some basic stuff and is missing some features; however, it has some advanced RegEx capturing features for scraping data out of web applications.

It's still at an early stage of development, so don't expect too much.

Why bring yet another fuzzer into this cruel world?

The author was trying to fuzz something and, after spending about 2-3 hours with about 3-4 different terribly designed fuzzers, he thought knocking up his own would be better.

Don't use it if you…

  • Want a fuzzer where you can control the raw HTTP request
  • Need some crazy features such as fuzzing multiple locations at a time

Use it if you need a fuzzer…

  • That lets you take advantage of the full power of RegEx for scraping data (this is quite useful while exploiting SQL injections, gathering data, looking for some hidden resource or trying to enumerate all valid "user id"s)
  • That is simple to run and easy to use
  • That makes it easy to write your own fuzzing modules
  • With simple and compact .NET code

You can download fm-fsf here:

FSF-7.1.0.0.tar.gz

Or read more here.