Archive for November, 2007

fwtest - Firewall Testing Toolkit

Published at November 30, 2007 in Applications, Articles and Security. Comments

The firewall test suite fwtest is a security auditing tool made up of two parts: the test control application fwtest and optionally one or two helper processes named fwagent. The test control application fwtest starts up the python interpreter with the given test script. The test script controls the packet data flow between two virtual interfaces A and B.

For this purpose the python interpreter is extended by commands which support the construction and transfer of arbitrary IP-packets. In this way it is possible to stimulate a firewall (or other relaying network nodes) connected between the interfaces A and B.

According to the interface-spec the virtual interfaces A and B are mapped on given physical interfaces on the same host the fwtest is running or to an interface on a remote host which runs the application fwagent. For the remote access the fwtest establishes a control TLS-protected connection to the fwagent on the specified host. You may use a ca structure or a fingerprint file to authenticate the peer. The shell script keymager.sh is distributed with this software to help you generate the necessary keys for both (ca structure and fingerprint) variants.

For both variants (one or two fwagents) the interfaces needs to be controlled by fwtest and fwagent on the link level. This is achieved by use of the berkely packet filter library pcap for reading and The Network Library libnet for writing of packets.

You can download fwtest source code here:

fwtest-0.5.2.tgz

Or read more here.

Technorati Tags: , , , , , , ,

Chaosreader - Trace TCP/UDP Sessions from tcpdump

Published at November 29, 2007 in Applications and Articles. Comments

A freeware tool to trace TCP/UDP sessions and fetch application data from snoop or tcpdump logs. This is a type of “any-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG), SMTP emails and so on from the captured data inside network traffic logs.

Similar to tcpflow which we mentioned recently.

A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode - where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.

The cool thing about Chaosreader is that it outputs a nicely formatted HTML file to enable you to look at the extracted sessions a lot easier.

In this example, a snoop file was created while a website was loaded, telnet was used to login and ftp to transfer files. Chaosreader has managed to extract the HTTP sections, follow the telnet session, grab the FTP files, and create an Image Report from the snoop log. It has also created a replay program to playback the telnet session. You can see the example here.

You can find some more screenshots here.

You can download Chaosreader here:

Chaosreader 0.94

You can read more here.

Technorati Tags: , , , , , , ,

tcpflow - TCP Flow Recorder for Protocol Analysis and Debugging

Published at November 26, 2007 in Applications, Articles and Security. Comments

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.

tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.

tcpflow stores all captured data in files that have names of the form

128.129.130.131.02345-010.011.012.013.45103

Where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.

The only downside to this tool is that it’s not being actively maintained, the last version was released in 2003.

The upside is that the TCP protocol hasn’t changed, so the tool still work just fine.

Definitely extremely useful for network forensics, it’s one of the tools I use to demo network dissection in classes.

You can download it here:

Version 0.21 source tarball
Version 0.21 Source RPM

Or read more here.

Technorati Tags: , , , ,

SSA Version 1.5.2 - OVAL Vulnerability Assessment Software

Published at November 24, 2007 in Penetration Testing, Hacking Tools, Applications and Articles. Comments

SSA (Security System Analyzer) is free non-intrusive OVAL-Compatible software. It provides security testers, auditors with an advanced overview of the security policy level applied.

Features
OVAL-compatible product
SCAP (Security Content Automation Protocol)
Perform a deep inventory audit on installed softwares and applications
Scan and map vulnerabilities using non-intrusive techniques based on schemas
Detect and identify missed patches and hotfixes
Define a patch management deployment strategy using CVSS scores

Changelog for v.1.5.2
Based on OVAL 5.3 build 20 (see OVAL project for more information)
SSA now supports SCAP (Security Content Automation Protocol - http://nvd.nist.gov/scap.cfm)
SSA now supports scan for missed patches (using SCAP format)
Updated OVAL XML Viewer Plugin
Updated database to 2039 definitions

Download it here:

SSA Version 1.5.2

Or read more here.

Technorati Tags: , , , , , ,

sqlninja 0.2.1-r1 - SQL Injection Tool for MS-SQL

Published at November 24, 2007 in Hacking Tools, Web Hacking, Applications and Articles. Comments

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

Linux
FreeBSD
Mac OS X

Features
Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if ’sa’ password has been found
Creation of a custom xp_cmdshell if the original one has been removed
Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New
A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ’sa’ account can succeed or not
Documentation is now in HTML format, which should make things much easier for new users
Several bugfixes and minor improvements
You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.

Technorati Tags: , , , , , , ,