Showing posts with label open-source. Show all posts
Showing posts with label open-source. Show all posts

Wednesday, July 24, 2019

Free / Open-Source tools for Kubernetes Security Audit


                   is an open-source tool that hunts for security issues in your Kubernetes clusters. It’s designed to increase awareness and visibility of the security controls in Kubernetes environments.

kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at where you can register online to receive a token allowing you see and share the results online. You can also run the Python code yourself as described below.

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules please read Guidelines For Developing Your First kube-hunter Module.

Ref link :


                  is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

"An objective, consensus-driven security guideline for the Kubernetes Server Software."

Note that it is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Sample Output:

CIS Kubernetes Benchmark support

kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.

CIS Kubernetes Benchmark kube-bench config Kubernetes versions
1.0.0 1.6 1.6
1.1.0 1.7 1.7
1.2.0 1.8 1.8-1.10
1.3.0 1.11 1.11-1.12
1.4.0 1.13 1.13-

By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

 Ref Link :

Wednesday, August 28, 2013

Nginx Anti Xss & Sql Injection : NAXSI ( Open-Source WAF )

NAXSI ( Nginx Anti Xss & Sql Injection ) :
                                                             is an open source WAF ( Web Application Firewall ) , high performance, low rules maintenance, Web Application Firewall module for Nginx. 

  _   _                _ 
 | \ | | __ ___  _____(_)
 |  \| |/ _` \ \/ / __| |
 | |\  | (_| |>  <\__ \ |
 |_| \_|\__,_/_/\_\___/_|
                          goal is to help people to secure their web application against attacks 
such as SQL Injection, Cross Site Scripting, Cross Site Request Forgery, 
Local & Remote file inclusions and such. 
The difference with most WAF (Web Applicative Firewalls) out there is that 
it does not rely on signatures to detect attacks. It is using a simpler model, 
where instead of trying to detect "known" attacks, it will detect unexpected 
characters in the HTTP request/arguments. Each kind of unusual character will 
increase the score of the request. If the request reaches a score that's 
considered "too high", the request will be denied, and the user will be 
redirected to a "forbidden" page. Yes, it works a bit like a spam system. 

NAXSI Project:
                        The NAXSI Project is not so known like the ModSecurity open source project, but has a very interesting approach and features.
NAXSI uses the small and performant reverse proxy engine of Nginx web server instead of the full blown Apache engine used by ModSecurity (and from a security point of view: the lesser code).
Following are the major feature of NAXSI:
  • Protects from XSS, SQL injections, CSRF, file inclusion
  • Fast engine
  • Relative simple configuration
  • Check GET/POST requests
  • Check HTTP headers and cookies
  • Forbid dangerous symbols and SQL keywords
  • Allows whitelist approach configuration creating a web application baseline
  • Able to run in learn or production mode
  • Uses no signature of known attack


Let’s do a quick installation with ubuntu sever 12.04 LTS. You may also install it from the sources following the Nginx prerequisites for reference. After you’ve installed the basic server with openssh, install NAXSI with:
 sudo apt-get install nginx-naxsi

Initial configuration

In the nginx configuration file (/etc/nginx/nginx.conf) uncomment this line to activate the basic rulesets:
# nginx-naxsi config
# Uncomment it if you installed nginx-naxsi
include /etc/nginx/naxsi_core.rules;
Note that this file is not an attack signature repository but rather a “score rules” set. Let’s configure NAXSI for our website To do so edit the Nginx configuration file in /etc/nginx/sites-enabled/default and add following entries in the server context:

server {
        proxy_set_header Proxy-Connection “”;    
        listen   80;

        location / {
                # put your website IP here

                # put your website FQDN here
                proxy_set_header Host;

                # Uncomment to enable naxsi on this location
                include /etc/nginx/naxsi.rules;

        # Only for nginx-naxsi : process denied requests
        location /RequestDenied {
                # For example, return an HTTP error code
                return 418;
Now you should be able to start the nginx service that will bring up the NASXI with following command:

sudo service nginx start
Be sure to check for error messages on the console or in the error log found in /var/log/nginx/error.log and verify with sudo netstat -antup that nginx daemon is opening the configured port (tcp/80 in our case). The output should look like this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
tcp        0      0*         LISTEN      9865/nginx
tcp        0      0*         LISTEN      8484/sshd
tcp        0      0*         LISTEN      9627/0
tcp        0      0*         LISTEN      9062/1
tcp        0     32 x.y.z.52:22      x.y.z.36:49749    ESTABLISHED 9046/sshd: anco
udp        0      0*                     649/dhclient3

To test if it works, start a browser session and point it to the ip address of your test server (x.y.z.52:80) and you should see the website you configured ( in the config file above. To continue further testing make sure you will proxying all web request to the nginx-NAXSI WAF. To accomplish this you can ether use the web-proxy configuration setting in the browser or fake the testing website ip address in your system hostfile. I prefer to put the ip address in my hostfile:

Here are the location of the target hosts file (you need admin right to save changes):

OS Host Configuration File
Windows %SYSTEMROOT%\system32\drivers\etc\hosts
Linux /etc/hosts
Now we can browse to and be sure that our test NAXSI WAF will inspect the content and remember that by now the configuration is in learning mode; it will only report errors in the nginx error logs (/var/log/nginx/error.log) and not block any bad scored request.

How It Works

The naxsi_core.rules are responsible for scoring the HTTP input and looks like this (excerpt):
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1008;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8" id:1302;
MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$EVADE:4" id:1400;
MainRule "*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT"
"s:$UPLOAD:8" id:1500;
Insight this file is the logic configuration used to score the input; the result will be used in /etc/nginx/naxsi.rules to decide if such input may be allowed or not. The format is quite simple:
  1. Define what to look for: string (str:) or regular expression (rx:)
  2. Define message to report into logfiles (msg:)
  3. Put the rule a category (s:)
  4. Assign rule identifier (id:)
  5. Define where to look for (mz:) and short description below
mz entry Look in
URL URL path
ARGS HTTP argument
BODY HTML body entry
$HEADERS_VAR: HTTP header variable
Now let’s take a look on the second NAXSI config file /etc/nginx/naxsi.rules where the main NAXSI behavior is defined; this is how it looks like:

# config mode section
DeniedUrl "/RequestDenied";
# check rules section
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Here is an explanation of the contents:
  1. LearningMode – activates learning mode; in this mode requests aren’t blocked and white lists may be created.
  2. SecRulesEnabled or SecRulesDisabled – to activate or disable NAXSI for this location/section.
  3. DeniedURL – redirect URL for blocked requests; can be an HTTP error code (like 4xx or 5xx) or forward to an HTML site with code to help track false-positives.
  4. CheckRule – per-category check scores; the score we saw above will be evaluated here. If a request hits a score in the naxsi.core.rules, this score will be recorded and added to each category (SQL, XSS, EVADE, ...) if the overall score for any of the categories is reached (8 in SQL per default) the input is treated as bad.
When you use the whitelist (positive secure model) approach you’ll find also the white-list entries (BasicRule statement) in this config file:
# Whitelist '|', as it's used on the /report/ page, in argument 'd'
BasicRule wl:1005 "mz:$URL:/report/|$ARGS_VAR:d";
# Whitelist ',' on URL zone as it's massively used for URL rewritting !
BasicRule wl:1008 "mz:URL";
The entry above will result in disabling some part of the check rule in naxsi_core.rules allowing a specific behavior and eliminate false-positives. BasicRule could be more or less specific at your pace (and security needs).

Information Gathering

At this stage we have our test installation inspecting the HTTP flow and reporting bad things in the /var/log/nginx/error.log file, let’s take a look on how NAXSI error entry looks like:

> error.log <
2012/11/30 04:57:55 [error] 9866#0: *47 NAXSI_FMT: ip=x.y.z.36&
var_name0=, client:x.y.z.36, server: localhost, 
request: "GET /testmiztot HTTP/1.1", host: "x.y.z.52"

As you can see it’s a special error message: it was generated on a “special” HTTP URL GET request and is not a really bad request. To test the functionality on the WAF I’ve created this test-rule in the  

MainRule "str:testmiztot" "msg:foobar test pattern" "mz:URL" "s:$SQL:42" id:1999;

This rule will trigger whenever the testmiztot string is detected in the address part (mz:URL) of the HTTP GET request and score as 42 (s:$SQL:42) in the SQL category. This will be evaluated as bad because the SQL category limit is 8. The msg: text will be shown in the learning mode log used to generate the white-list baseline.

 Analyze in detail the meaning of these commands:
  • LearningMode - Training Mode is enabled. Requests are not blocked, White-shaped leaf.
  • SecRulesEnabled - NAXSI enabled for this location. If you want to switch off for another location (for example, a protected inner zone), then do it SecRulesDisabled.
  • DeniedURL - URL redirect for the denied requests.
  • CheckRule - checking the "penalty points" query by category.
  • / Etc / nginx / mynaxsi.rules - generated rules (not yet gener - commented out).

Official Change Log For Naxsi 0.41:-
Feature: added support for FILE_EXT. We can now control file uploads names/extensions as well.
Added a rule for FILE_EXT into naxsi_core.rules
Added unit testing for FILE_EXT feature
Fixed erroneous log messages
Fixed an error on whitelist of types $URL:xxx|URL

To Know More :

To Download :

OWASP Naxsi Project :

NAXSI Matrix :

 NAXSI Presentation :

Monday, September 5, 2011

Best Open Source Information Security Tools

Open Source Security Assessment Tools

Best - Open Source Security Assessment , Vulnerability Auditing, & Penetration Testing Tools:

Stockade Virtual Appliance with Snort, BASE, Inprotect, CACTI, NTOP & Others


Open source vulnerability assessment tool
Snort Intrusion Detection (IDS) tool
Wireshark TCP/IP Sniffer- AKA Ethereal


Analyze applications that communicate using the HTTP and HTTPS protocols
Wikto Web server assessment tool
BackTrack Penetration Testing live Linux distribution
Netcat The network Swiss army knife
Metasploit Framework Comprehensive hacking framework
Sysinternals Collection of windows utilities
Paros proxy Web application proxy
Enum Enumerate Windows information
P0F v2 Passive OS identification tool
IPPersonality Masquerade IP Stack
SLAN Freeware VPN utility
IKE Crack IKE/IPSEC cracking utility
ASLEAP LEAP cracking tool
Karma Wireless client assessment tool- dangerous
WEPCrack WEP cracking tool
Wellenreiter Wireless scanning application


Great Google hacking tool
Several DDOS Tools Distributed Denial of Service(DDOS) tools
Achilles Web Proxy Tool
Firefox Web Developer Tool Manual web assessment
Scoopy Virtual Machine Identification tool
WebGoat Learning tool for web application pentests
FlawFinder Source code security analyzer
ITS4 Source code security analyzer

Source code security analyzer

PwDump3 Dumps Windows 2000 & NT passwords
Loki ICMP covert channel tool
Zodiac DNS testing tool
Hunt TCP hijacking tool
SniffIT Curses-Based sniffing tool
CactiEZ Network traffic analysis ISO
Inprotect Web-based Nessus administration tool
OSSIM Security Information Management (SIM)
Nemesis Command-Line network packet manipulation tool
NetDude TCPDump manipulation tool
TTY Watcher Terminal session hijacking
Stegdetect Detects stego-hidden data
Hydan Embeds data within x86 applications
S-Tools Embeds data within a BMP, GIF, & WAV Files
Nushu Passive covert channel tool
Ptunnel Transmit data across ICMP
Covert_TCP Transmit data over IP Header fields
THC-PBX Hacker PBX Hacking/Auditing Utility
THC-Scan Wardialer
Syslog-NG MySQL Syslog Service


Edit WinNT 4 & Win2000 log files
Rootkit Detective Rootkit identification tool
Rootkit Releaver Rootkit identification tool
RootKit Hunter Rootkit identification tool


Rootkit identification tool
LKM Linux Kernal Rootkit
TCPView Network traffic monitoring tool
NMAP Network mapping tool
Ollydbg Windows unpacker
UPX Windows packing application
Burneye Linux ELF encryption tool

SilkRpoe 2000

GUI-Based packer/wrapper
EliteWrap Backdoor wrapper tool

Remote-Control backdoor tool

MegaSecurity Site stores thousands of trojan horse backdoors

Backdoor for Windows

Back Orfice 2000 Windows network administration tool
Tini Backdoor listener similar to Netcat


Microsoft Baseline Security Analyzer
OpenVPN SSL VPN solution
Sguil An Analyst Console for network security/log Monitoring
Honeyd Create your own honeypot
Brutus Brute-force authentication cracker
cheops / cheops-ng Maps local or remote networks and identifies OS of machines
ClamAV A GPL anti-virus toolkit for UNIX
Fragroute/Fragrouter Intrusion detection evasion toolkit
Arpwatch Monitor ethernet/IP address pairings and can detect ARP Spoofing
Angry IP Scanner Windows port scanner
Firewalk Advanced traceroute
RainbowCrack Password Hash Cracker
EtherApe EtherApe is a graphical network monitor for Unix
WebInspect Web application scanner
Tripwire File integrity checker
Ntop Network traffic usage monitor
Sam Spade Windows network query tool
Scapy Interactive packet manipulation tool
Superscan A Windows-only port scanner
Airsnort 802.11 WEP Encryption Cracking Tool
Aircrack WEP/WPA cracking tool
NetStumbler Windows 802.11 Sniffer
Dsniff A suite of powerful network auditing and penetration-testing tools
John the Ripper Multi-platform password hash cracker
BASE The Basic Analysis and Security Engine- used to manage IDS data
Kismet Wireless sniffing tool

THC Hydra

Network authentication cracker
Nikto Web scanner
Tcpdump TCP/IP analysis tool


Windows password auditing and recovery application

Reverse WWW Shell

Shell access across port 80
THC-SecureDelete Ensure deleted files are unrecoverable
THC-AMAP Application mapping tool

Monday, August 29, 2011

OpenDLP - Open source Data Loss Prevention


is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

The speed and simplicity of OpenDLP make it a great choice for Penetration Testers. Unfortunately, it also does the same for an attacker. In one case, SecureState was able to sift through 50 machines to pull out various HIPAA and PCI data in less than an hour. This may result in non-compliance in both areas. With the weaponization of OpenDLP, an attacker no longer has to spend days searching systems or limiting themselves to only large file shares. Attackers can be in and out before they are ever detected.

Data Loss Prevention suite with centralized web frontend to manage Windows agent filesystem scanners, agentless database scanners, and agentless Windows/UNIX filesystem scanners that identify sensitive data at rest.Web Application
  • Automatically deploy and start agents over Netbios/SMB
  • When done, automatically stop, uninstall, and delete agents over Netbios/SMB
  • Pause, resume, and forcefully uninstall agents in an entire scan or on individual systems
  • Concurrently and securely receive results from hundreds or thousands of deployed agents over two-way-trusted SSL connection
  • Create Perl-compatible regular expressions (PCREs) for finding sensitive data at rest
  • Create reusable profiles for scans that include whitelisting or blacklisting directories and file extensions
  • Review findings and identify false positives
  • Export results as XML
  • Written in Perl with MySQL backend


  • Runs on Windows 2000 and later systems
  • Written in C with no .NET Framework requirements
  • Runs as a Windows Service at low priority so users do not see or feel it
  • Resumes automatically upon system reboot with no user interaction
  • Securely transmit results to web application at user-defined intervals over two-way-trusted SSL connection
  • Uses PCREs to identify sensitive data inside files
  • Performs additional checks on potential credit card numbers to reduce false positives
  • Can read inside ZIP files, including Office 2007 and OpenOffice files
  • Limits itself to a percent of physical memory so there is no thrashing when processing large files

Agentless Database Scans

In addition to performing data discovery on Windows operating systems, OpenDLP also supports performing agentless data discovery against the following databases:

  • Microsoft SQL server
  • MySQL

Agentless File System and File Share Scans

With OpenDLP 0.4, one can perform the following scans:

  • Agentless Windows file system scan (over SMB)
  • Agentless Windows share scan (over SMB)
  • Agentless UNIX file system scan (over SSH using sshfs)


Agent-based Windows OS scan, summary results view:

Agent-based Windows OS scan, detailed results view:

Agentless Microsoft SQL Server scan, detailed results view:

Download Link : Click Here


Wednesday, July 27, 2011

Open Source Live-CD for Penetration testing

BackBox :
is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration
tests and security assessments. Designed to be fast, easy to use and to provide a minimal yet complete desktop environment thanks to its own software repositories always been updated to the last stable version of the most known and used ethical hacking tools.

Hacking tools new or updated: Firefox 4, Hydra 6.2, Kismet 2011.03.2, Metasploit Framework 3.6.0, NMap 5.51, SET 1.3.5, SqlMap 0.9, sslstrip 0.8, w3af 1.0-rc5, weevely 0.3, WhatWeb 1.4.7,
Wireshark 1.4.5, Zaproxy 1.2, etc

Download Link : Click Here


Blackbuntu :
is distribution for penetration testing which was specially designed for security training students and practitioners of information security.
Blackbuntu is Ubuntu base distro for Penetration Testing with GNOME Desktop Environment. It's currently being built using the Ubuntu 10.10.

Download Link : Click here


Tuesday, July 26, 2011

Open Source network firewall

NetDefender :
is a Free Firewall with source code, which can be downloaded along with firewall executables. Netdefender works on windows 2000 and windows XP.

Requirements :

1. Netdefender can only run on an OS higher than windows 2000 (i.e. Win 2000, Win Xp I hope Vista would not break anything)
2. User must has admin rights (i.e. must be member of administrator group ) on the system.

Download Link : Click here

Shorewall :
is a gateway/firewall configuration tool for GNU/Linux.

Download Link : Click here


is a new generation proxy firewall suite and as such its core architecture is built around today's security demands: it uses application level proxies, it is modular and component based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it let's you override client actions, it let's you protect your servers with its built in IDS capabilities... The list is endless. It gives you all the power you need to implement your local security policy.

Download Link : Click here

Ufw :

stands for Uncomplicated Firewall, and is program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

Download Link : Click here



Monday, July 25, 2011

Best SQL Injection Security Scanners


– SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.

Get SQLIer : Click Here


SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack.

Get SQLbftools : Click here

SQL Injection Brute-forcer –
SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application.

Get SQLLibf : Click Here

SQLBrute –
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries.

Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap –
SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

Get SQLMap : Click Here

Absinthe –
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.

Get Absinthe: Click here

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.


SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.

Get SQID : Click here

Blind SQL Injection Perl Tool
bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection.

Get Blind SQL Injection Perl Tool : Click here

SQL Power Injection Injector
SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads.

Get SQL Power Injection : Click here

FJ-Injector Framework
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation.

Get FJ-Injector Framework: Click here

SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database.

Get SQLNinja: Click here

Automagic SQL Injector
The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.

Get Automagic SQL Injector: Click here

NGSS SQL Injector –
NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.