Tuesday, March 18, 2014

SSLAuditor- Version 4 : GUI Utility to audit SSL services

SSLAuditor- Version 4 : GUI Utility to audit SSL services


Advantages:

Check all issues on SSL including ciphers, certificates and configuration issues.
Cipher issues: sslv2 support, weak ciphers
Certificate issues: selfsigned, wildcard, expiration, weak certificate key,
Configuration issues: CRIME, , preferred cipher - BEAST, renegotiation, resumption
Flexible input - file, individual or range with multiple ports
Internal timer to adjust according to the response of the server.
Detailed and professional reporting with mitigation procedures for identified issues.

No installer; unzip and click opabinia.exe to start the program.

Only requirement is vc++ 12 runtime.
http://www.amanhardikar.com/temp/vcredist_x64.exe
If the executable is not opening, then please install vc++ libraries
and try again.

Beta version for testing:
http://www.amanhardikar.com/temp/SSLAuditor4.zip

Please let me know your feedback/bugs/features missing on the same.


Friday, March 14, 2014

Tortilla - Anonymous Security Research through Tor

Tortilla:
         is an open source tool that allows users to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines.


Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above

Download Link : Click Here

SHA256 150eb477cd8a48daa792fbb610345e9c0aa981597106a02db03b06e71f56b586

Thursday, March 13, 2014

Free Toolkit For Incident Response - Crowd Response

CrowdResponse:
                     is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirtlist, @pslist, and @yara.


@dirlist

This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:
  • Verify and display digital signature information
  • Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file wildcard mask to limit processing to specific file name components
  • SHA256 and MD5 file hashing
  • Perform "quick" hash of only the first 512 bytes of the file
  • Option to not hash files greater than a given size
  • Display application resource information
  • Select recursive listings and control recursion depth
  • Display creation, modification and access times for files
  • Optionally process only Windows executable (PE) files

@pslist

This is the active running process listing module.
The CrowdResponse PSList module enables the following features:
  • Verify the digital signature of the process executable
  • Obtain process command line
  • Obtain detailed PE file information for each process executable
  • Perform SHA256 and MD5 hashes of process executables
  • Enumerate loaded modules for each process
  • Control PE output detail level of function names for imports and exports
  • Control PE output detail level of resource information
  • Control format (nested or flat) for PE file resource information
  • Check for process thread injection

@yara

The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:
  • Scan memory of all currently active running processes
  • Scan on-disk files of all currently active running processes
  • Download YARA rule files from a provided URL
  • Control target path recursion depth
  • Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file target wildcard mask to limit processing to specific file name components
  • Option to only show positive hits
  • Option to specify YARA rule file name mask
  • Utilize a YARA file inclusion regular expression filter that acts on the full path name
  • Scan all loaded module files of active processes
  • Operate on a single process ID
  • Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++ language utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above.


Download Link : Click Here
  • MD5 87b58fb3da849cedff3a107bfe600e9b
  • SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
  • SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103
     

Sunday, January 5, 2014

SpiderFoot 2.1.0 - Open Source Footprinting Tool

SpiderFoot:

                    simple web-based interface enables you to kick off a scan immediately after install - just give your scan a name, the domain name of your target and select which modules to enable.

                    You will quickly obtain information such as: URLs handling passwords, network ranges (netblocks), web servers, open ports, information about SSL certificates, and much more.




                       "Footprinting" is the process of understanding as much as possible about a given target in order to perform a more complete security penetration test. Particularly for large networks, this can be a daunting task.

                         The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

                        SpiderFoot is designed from the ground-up to be modular. This means you can easily add your own modules that consume data from other modules to perform whatever task you desire.

                         As a simple example, you could create a module that automatically attempts to brute-force usernames and passwords any time a password-handling webpage is identified by the spidering module.


 

SpiderFoot 2.1.0 is now available, a major update over 2.0.5 which was released back in September.

Major improvements are as follows:

- Identifies sites co-hosted on IPs of your target.
- Checks whether your target, affiliates or co-hosts have a bad reputation (PhishTank, Google
SafeBrowsing, McAfee SiteAdvisor, abuse.ch and many more.)
- Identifies the ISPs and BGP AS of your target.
- Smarter at identifying owned netblocks.
- UI enhancements, including some data visualizations.
- More comprehensive searches across other Internet TLDs.
- Identifies the use of non-standard HTTP headers.
- Bing searches.
- Many tweaks, improvements and bug fixes.




Website & Download: http://www.spiderfoot.net
GitHub: https://github.com/smicallef/spiderfoot/tree/2.1
 Source Forge : http://sourceforge.net/projects/spiderfoot/



Thursday, January 2, 2014

Arachni v0.4.6-0.4.3 (Open Source Web Application Security Scanner Framework)

Arachni v0.4.6-0.4.3 has been released :

                     (Open Source Web Application Security Scanner Framework)

                      There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.






Brief list of changes:

Framework
----------
* Massively decreased RAM consumption.
* Amount of performed requests cut down by 1/3 -- and thus 1/3 decrease in scan times.
* Overhauled timing attack and boolean/differential analysis algorithms to fix
  SQLi false-positives with misbehaving webapps/servers.
* Vulnerability coverage optimizations with 100% scores on WAVSEP's tests for:
  * SQL injection
  * Local File Inclusion
  * Remote File Inclusion
  * Non-DOM XSS -- DOM XSS not supported until Arachni v0.5.





WebUI
-----
* Implemented Scan Scheduler with support for recurring scans.
* Redesigned Issue table during the Scan progress screen, to group
  and filter issues by type and severity. 


Issues table

The issues table has been massively redesigned to provide more context at a glance and help you prioritize and focus on the issues that interest you most.




While the scan is running and new issues appear, High and Medium severity type groups will, by default, be displayed as expanded, to show each logged issue, while Low and Informational severity ones will be displayed as collapsed. This way your attention will be drawn to where it’s most needed.
Of course, you can change the visibility settings to suit your preferences, using the controls on the left of the table, as well as reset them to their default configuration.

Scan scheduling

The major change for the web interface is the addition of the much awaited Scheduler, which combined with the existing incremental/revisioned scans provides quite a powerful feature. In essence, it allows you to schedule a scan to run at a later time and optionally configure it to be a recurring one.





                                            What’s interesting here is the recurring bit, each scan occurrence is not a separate entity but a revision of the previous scan, this way you’ll be able to track changes in your website’s security with ease. It also allows you to speed things up by providing you with the ability to feed the sitemaps of previous revisions to the next one (either to extend or restrict the scope), thus making the crawl process much faster (or skipping it altogether).



 For more details about the new release please visit:
    http://www.arachni-scanner.com/blog/arachni-0-4-6-0-4-3-release/

Download page:               http://www.arachni-scanner.com/download/

Homepage                      - http://www.arachni-scanner.com
Blog                                 - http://www.arachni-scanner.com/blog
Documentation               - https://github.com/Arachni/arachni/wiki
Support                           - http://support.arachni-scanner.com
GitHub page                   - http://github.com/Arachni/arachni
Code Documentation     - http://rubydoc.info/github/Arachni/arachni
Copyright                        - 2010-2014
License                             - Apache License v2

Thursday, December 19, 2013

Hook Analyser 3.0 Released with Cyber Threat Intelligence Features


Hook Analyser : ( Released V3.0)

                          a new module has been added - Cyber Threat Intelligence. Threat Intel module is being created to gather and analyse information related to Cyber Threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6 ), or can be run directly.


The module present information on a web browser (with dashboard alike representation) with the following sections -

  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography 
  3. Vulnerability / Threat Feed.
Project documentation - Click Here

Here is the screenshot of the Cyber Threat Intelligence dashboard -





To download the project - Click Here 

 

Monday, December 2, 2013

Malware Forensics Tools

Windows Prefetch Files:


WinPrefetchView :


                            is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.





                               WinPrefetchView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WinPrefetchView.exe

                                 The main window of WinPrefetchView contains 2 panes: The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.


                                 These is also special Prefetch file, with 'NTOSBOOT-B00DFAAD.pf' filename, which can show you the list of files that are loaded during Windows boot process.



                                 WinPrefetchView also allows you to delete the selected Prefetch files. However, be aware that even when your delete a Prefetch file, it'll be created again by the operating system when you run the same program again.

 Download Link : http://www.nirsoft.net/utils/winprefetchview.zip


 Windows Registry Hives:

 RegRipper:

                    is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.



                     RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of it's activity in the same directory as the output file, using the same file name but using the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

 RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed against to a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of it's activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.


Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts know have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

Download Link : http://code.google.com/p/regripper/downloads/list



Auto_rip:

                 auto_rip is a wrapper script for RegRipper. The script automates 
the execution of the RegRipper plug-ins according to the categories below:

all              gets information from all categories
os               gets General Operating System Information
users            gets User Account Information
software         gets Installed Software Information
network          gets Networking Configuration Information
storage          gets Storage Information
execution        gets Program Execution Information
autoruns         gets Autostart Locations Information
log              gets Logging Information
web              gets Web Browsing Information
user_config      gets User Account Configuration Information
user_act         gets User Account General Activity
user_network     gets User Account Network Activity
user_file        gets User Account File/Folder Access Activity
user_virtual     gets User Account Virtualization Access Activity
comm             gets Communication Software Information
 
SHA1 Checksum: 
 
 55828924ce01190b5e4c292c3fb979b3b5b12c88
 
Download Link : http://regripper.googlecode.com/files/auto_rip-5-16-2013.zip 
 
 

NTFS Artifacts

AnalyzeMFT

                     analyzeMFT.py is designed to fully parse the MFT file from an NTFS
filesystem and present the results as accurately as possible in multiple formats.
 
Documentation : http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf 

Download Link : https://github.com/dkovar/analyzeMFT
 
 

Windows Journal Parser (jp) :

                                                  jp is a command line tool that targets NTFS change log journals. The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry, and the journal entries are located in the alternate data stream $J. Each entry is of variable size and its internal structure is documented in the MSDN.

                                                   The change journal will record amongst other things: (a) time of the change, (b) affected file/directory, (c) change type - delete, rename, size extend, etc, and therefore makes a useful tool when looking at a computer forensically.







Downloads



32-bit Version64-bit Version


Windows:jp32.v.1.07.win.zipjp64.v.1.07.win.zip


Linux:jp32.v.1.07.lin.tar.gzjp64.v.1.07.lin.tar.gz


Mac OS X:jp.v.1.07.osx.tar.gzjp.v.1.07.osx.tar.gz