Core dump overflow


Kali tools catalog - Vulnerability Analysis


Today I am going to continue with cataloguing the security tools that are installed on Kali. Next is the Vulnerability Analysis section.

Cisco Tools

cisco-global-exploiter

Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool/exploit engine that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers.

cge

cisco-ocs

Compact mass scanner for Cisco routers with default telnet/enable passwords.

cisco-ocs

yersinia

Yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in the current Yersinia version: Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol Label Switching (MPLS).

Some of the attacks implemented will cause a DoS in a network, others will help to perform more advanced attacks, or both. In addition, some of them are released to the public here for the first time, since no public implementation existed.

yersinia

Database Assessment

bbqsql

BBQSQL is a blind SQL injection framework written in Python.

bbqsql

dbpwaudit

DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines.

dbpwaudit

hexorbase

HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting to communicate with remotely inaccessible servers which are hidden within local subnets.

hexorbase

jsql

jSQL Injection is a lightweight application used to find database information from a distant server.

jsql

mdb-export

Export data in an MDB database table to CSV format.

mdb-export

mdb-hexdump

Makes a hex dump of a binary file.

mdb-parsecsv

mdb-parsecsv takes a CSV file representing a database table, and converts it into a C array.

mdb-sql

mdb-sql allows querying of an MDB database using a limited SQL subset language.

mdb-tables

Produces a list of the tables contained within an MDB database, in a format suitable for use in shell scripts.

oscanner

Oscanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:

– Sid Enumeration
– Passwords tests (common & dictionary)
– Enumerate Oracle version
– Enumerate account roles
– Enumerate account privileges
– Enumerate account hashes
– Enumerate audit information
– Enumerate password policies
– Enumerate database links

The results are presented in a graphical Java tree.

sidguesser

Guesses sids/instances against an Oracle database according to a predefined dictionary file.

sqldict

SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.

sqldict

sqlmap

sqlmap is an automatic SQL injection tool entirely developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.

Usage: python sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target

  Miscellaneous:
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

sqlninja

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Features:

Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)

Data extraction, time-based or via a DNS tunnel

Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection or just to upload Meterpreter

Upload of executables using only normal HTTP requests (no FTP/TFTP needed), via vbscript or debug.exe

Direct and reverse bindshell, both TCP and UDP

DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box

Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)

Privilege escalation to sysadmin group if ‘sa’ password has been found

Creation of a custom xp_cmdshell if the original one has been removed

TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell

Evasion techniques to confuse a few IDS/IPS/WAF

Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping

Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

sqlninja

sqlsus

sqlsus is an open source MySQL injection and takeover tool, written in Perl.

tnscmd10g

Tnscmd can be used to communicate directly with Oracle’s TNS listener (no client is needed). Unlike the Oracle listener control utility LSNRCTL.exe, TNSCmd.pl does not need any connection strings, and a direct bi-directional conversation can be established immediately.

tnscmd10g

Fuzzing Tools

bed

Bruteforce Exploit Detector (BED) is a plain-text protocol fuzzer that checks software for common vulnerabilities like buffer overflows, format string bugs, integer overflows, etc.

bed

fuzz_ip6

The name is self-explanatory: an IPv6 fuzzer.

fuzz_ip6

ohrwurm

An RTP fuzzer.

ohrwurm

powerfuzzer

A highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer).

powerfuzzer

sfuzz

Simple Fuzz (sfuzz) is a simple fuzzer. It has two network modes of operation and an output mode for developing command-line fuzzing scripts, and it can take fuzzing strings from literals as well as build strings from sequences.

sfuzz

siparmyknife

SIP Army Knife is a fuzzer that searches for cross site scripting, SQL injection, log injection, format strings, buffer overflows, and more.

spike generic_chunked & generic_listen_tcp & generic_send_tcp & generic_send_udp

SPIKE is a Fuzzer Creation Kit. You can use it for fuzzing or leverage its API to write your own fuzzers.

Misc Scanners

golismero

GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans.

/----------------------------------------------\
| GoLismero 2.0.0b3 - The Web Knife            |
| Contact: golismero.project<@>gmail.com       |
|                                              |
| Daniel Garcia Garcia a.k.a cr0hn (@ggdaniel) |
| Mario Vilas (@Mario_Vilas)                   |
\----------------------------------------------/

usage: golismero.py COMMAND [TARGETS...] [--options]

  SCAN:
    Perform a vulnerability scan on the given targets. Optionally import
    results from other tools and write a report. The arguments that follow may
    be domain names, IP addresses or web pages.

  PROFILES:
    Show a list of available config profiles. This command takes no arguments.

  PLUGINS:
    Show a list of available plugins. This command takes no arguments.

  INFO:
    Show detailed information on a given plugin. The arguments that follow are
    the plugin IDs. You can use glob-style wildcards.

  REPORT:
    Write a report from an earlier scan. This command takes no arguments.
    To specify output files use the -o switch.

  IMPORT:
    Import results from other tools and optionally write a report, but don't
    scan the targets. This command takes no arguments. To specify input files
    use the -i switch.

  DUMP:
    Dump the database from an earlier scan in SQL format. This command takes no
    arguments. To specify output files use the -o switch.

  UPDATE:
    Update GoLismero to the latest version. Requires Git to be installed and
    available in the PATH. This command takes no arguments.

examples:

  scan a website and show the results on screen:
    golismero.py scan http://www.example.com

  grab Nmap results, scan all hosts found and write an HTML report:
    golismero.py scan -i nmap_output.xml -o report.html

  grab results from OpenVAS and show them on screen, but don't scan anything:
    golismero.py import -i openvas_output.xml

  show a list of all available configuration profiles:
    golismero.py profiles

  show a list of all available plugins:
    golismero.py plugins

  show information on all bruteforcer plugins:
    golismero.py info brute_*

  dump the database from a previous scan:
    golismero.py dump -db example.db -o dump.sql

lynis

Runs a system and security audit on the local host.

The following system areas may be checked:

  • Boot loader files

  • Configuration files

  • Common files by software packages

  • Directories and files related to logging and auditing

lynis

nikto

Examine a web server to find potential problems and security vulnerabilities, including:

· Server and software misconfigurations

· Default files and programs

· Insecure files and programs

· Outdated servers and programs

Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.

nikto

unix-privesc-check

This script checks file permissions and other settings that could allow local users to escalate privileges.

unix-privesc-check

Open Source Assessment

Covered in other categories.

OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

openvas-check-setup

Analyzes the state of your OpenVAS installation and proposes fixes should it detect any errors or misconfigurations. It will also check whether all required OpenVAS services are running and listening on the correct ports.

openvas-gsd

The Greenbone Security Desktop (GSD) is a Qt-based desktop client for the OpenVAS Management Protocol.

openvas

Let’s see what fortune has in store for today:

Don’t look now, but there is a multi-legged creature on your shoulder.
