Today I am going to continue with cataloguing the security tools that are installed on Kali. Next is the Vulnerability Analysis section.
Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool/exploit engine that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers.
A compact mass scanner for Cisco routers with default telnet/enable passwords.
yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in the current Yersinia version: Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol Label Switching (MPLS).
Some of the attacks implemented will cause a DoS in a network, others will help to perform other, more advanced attacks, or both. In addition, some of them are released to the public here for the first time, since no public implementation existed.
BBQSQL is a blind SQL injection framework written in Python.
DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines.
HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.
jSQL Injection is a lightweight application used to find database information from a distant server.
mdb-export exports data in an MDB database table to CSV format.
mdb-hexdump makes a hex dump of a binary file.
mdb-parsecsv takes a CSV file representing a database table, and converts it into a C array.
mdb-sql allows querying of an MDB database using a limited SQL subset language.
mdb-tables produces a list of tables contained within an MDB database in a format suitable for use in shell scripts.
Oscanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:
– Sid enumeration
– Password tests (common & dictionary)
– Enumerate Oracle version
– Enumerate account roles
– Enumerate account privileges
– Enumerate account hashes
– Enumerate audit information
– Enumerate password policies
– Enumerate database links
The results are given in a graphical Java tree.
Guesses sids/instances against an Oracle database according to a predefined dictionary file.
SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.
sqlmap is an automatic SQL injection tool entirely developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Data extraction, time-based or via a DNS tunnel
Integration with Metasploit3, to obtain graphical access to the remote DB server through a VNC server injection or just to upload Meterpreter
Upload of executables using only normal HTTP requests (no FTP/TFTP needed), via vbscript or debug.exe
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if ‘sa’ password has been found
Creation of a custom xp_cmdshell if the original one has been removed
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM
sqlsus is an open source MySQL injection and takeover tool, written in Perl.
Tnscmd can be used to communicate directly with Oracle’s TNS listener (no client is needed). Unlike the Oracle listener control utility LSNRCTL.exe, TNSCmd.pl does not need any connection strings, and a direct bi-directional conversation can be established immediately.
Bruteforce Exploit Detector is a plain-text protocol fuzzer that checks software for common vulnerabilities like buffer overflows, format string bugs, integer overflows, etc.
The name is self explanatory.
A highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer).
Simple Fuzz (sfuzz) is a simple fuzzer. It has two network modes of operation and an output mode for developing command-line fuzzing scripts; it can take fuzzing strings from literals and build strings from sequences.
SIP Army Knife is a fuzzer that searches for cross site scripting, SQL injection, log injection, format strings, buffer overflows, and more.
SPIKE (generic_chunked, generic_listen_tcp, generic_send_tcp, generic_send_udp)
SPIKE is a Fuzzer Creation Kit. You can use it for fuzzing or leverage its API to write your own fuzzers.
GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans.
Runs a system and security audit on the host.
The following system areas may be checked:
Boot loader files
Common files by software packages
Directories and files related to logging and auditing
Examine a web server to find potential problems and security vulnerabilities, including:
· Server and software misconfigurations
· Default files and programs
· Insecure files and programs
· Outdated servers and programs
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.
This script checks file permissions and other settings that could allow local users to escalate privileges.
Open Source Assessment
Covered in other categories.
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
Analyzes the state of your OpenVAS installation and proposes fixes should it detect any errors or misconfigurations. It will also check whether all required OpenVAS services are running and listening on the correct ports.
The Greenbone Security Desktop (GSD) is a Qt-based desktop client for the OpenVAS Management Protocol.
Let’s see what fortune has in store for today:
Don’t look now, but there is a multi-legged creature on your shoulder.