Airachnid Burp Extension - A Burp Extension to test applications for vulnerability to the Web Cache Deception attack

A Burp extension to test applications for vulnerability to the Web Cache Deception attack.

Once the extension has been loaded, it can be accessed in the Target - Sitemap tab and right click on the resource that should be tested. A context sensitive menu item called "Airachnid Web Cache Test" will be shown and can be used to conduct testing. If the resource is vulnerable, an Issue is created detailing the vulnerability.

The context sensitive menu item is also available for requests in the Proxy - Http History tab.

Installation

• Download the Airachnid.jar file.
• In Burp Suite open Extender tab. In Extensions tab, click Add button.
• Choose downloaded jar file -> Next.
• Check installation for no error messages.

Vulnerability

In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).

The Web Cache Deception attack could be devastating in consequences, but is very simple to execute:

1. Attacker coerces victim to open a link on the valid application server containing the payload.
2. Attacker opens newly cached page on the server using the same link, to see the exact same page as the victim.

** Of course, this attack only makes sense when the vulnerable resource available to the attacker returns sensitive data.
The attack depends on a very specific set of circumstances to make the application vulnerable: 1. The application only reads the first part of the URL to determine the resource to return.
If the victim requests:

https://www.example.com/my_profile

The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for

https://www.example.com/my_profile_test

It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like

https://www.example.com/my_profile/test

2. The application stack caches resources according to their file extensions, rather than by cache header values. If the application stack has been configured to cache image files. It will cache all resources with .jpg .png or .gif extensions. That means that e.g. the image at

https://www.example.com/images/dog.jpg

Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).

Attack
These preconditions can be exploited for the Web Cache Deception attack in the following manner:

Step 1: An attacker entices the victim to open a maliciously crafted link:
  https://www.example.com/my_profile/test.jpg

• The application ignores the 'test.jpg' part of the URL, the victim profile page is loaded.
• The caching mechanism identifies the resource as an image, caching it.  

Step 2: The attacker sends a GET request for the cached page:
https://www.example.com/my_profile/test.jpg

• The cached resource, which is in fact the victim profile page is returned to the attacker (and to anyone else requesting it).

Download Airachnid Burp Extension

Read More

Bradamsa - Burp Suite extension to generate Intruder payloads using Radamsa

Bradamsa is a Burp Suite extension for Radamsa, a well-known fuzzer made by the Oulu University Secure Programming Group. Inspired by burp-radamsa, this plugin allows to generate Intruder payloads using Radamsa.

Features

• Java-based plugin using native Burp Suite extension APIs
• Intruder payloads generator using Radamsa (sniper attack type only)
• Support for Radamsa v0.3 options
• Options validation directly from within Burp Suite 

Download Bradamsa

Read More

Burp Suite Professional v1.6 - The leading toolkit for web application security testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Changelog v1.6

Burp Suite Free Edition contains significant new features added since v1.5, including:

• Support for WebSockets messages.
• Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
• A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
• A new powerful extensibility API, enabling extensions to customize Burp’s behavior in much more powerful ways.
• Support for extensions written in Python and Ruby.
• A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
• An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
• Generation of CSRF PoC attacks using a new cross-domain XHR technique.
• New options for SSL configuration, to help work around common problems.
• Optional unpacking of compressed request bodies in the Proxy.
• Support for .NET DeflateStream compression.
• New and improved types of Intruder payloads.
• New Proxy interception rules.
• New Proxy match/replace rules.
• Improved layout options in the Repeater UI.
• An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
• Support for the Firefox Plug-n-hack extension.
• An option to copy a selected request as a curl command.

Burp Suite Professional contains a number of bugfixes and tweaks, added since the last beta version, including:

• An occasional bug causing misplaced highlights on payloads in Scanner issues has been fixed.
• A bug in which restoring default settings for the Extender tool didn’t unload any currently running extensions has been fixed.
• A display bug affecting the rendering of binary content (such as images) in the raw view of the HTTP message editor has been fixed.
• A bug which prevented the automatic backup on exit feature from functioning in headless mode has been fixed.
• In previous versions, Burp stored its preferences in separate locations for each major version. This caused persisted settings to be lost on upgrading to a new major version. This behavior has been modified, and from v1.6 onwards major versions will store their preferences in the same location. As a workaround to preserve settings from earlier releases, Pro users can launch the earlier release, save a state file containing their preferences, then launch the new release and load the state file.

Download Burp Suite Professional v1.6

Read More

36 Windows Tools For Penetration Testing

Most penetration testers are using either a Mac or a Linux-based platform in order to perform their penetration testing activities.However it is always a good practice to have and a Windows virtual machine with some tools ready to be used for the engagement.The reason for this is that although Windows cannot be used as a main platform for penetration testing some of the utilities and tools can still help us to extract information from our windows targets.So in this post we will see some of the tools that we can use in our windows system.

HashCheck Shell Extension

The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files).

Netcat

Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Metasploit Framework

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

RealVNC Viewer

Remote access software for desktop and mobile platforms.

GetIf

SNMP tool that allows you to collect information about SNMP devices.

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development.

PuTTY

PuTTY is an SSH and telnet client for the Windows platform.

Pass The Hash Toolkit

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes.

Cachedump

Recovering Windows Password Cache Entries.

Fport

Identify unknown open ports and their associated applications.

Nbtscan

This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Winfo

Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.

ClearLogs

ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.

SQLDict

SQLdict is a dictionary attack tool for SQL Server.

PMDump

PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.

GrabItAll

GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attackers computer, or redirect traffic between two other computers through the attackers computer. In the last case you need to enable IP Forwarding which can be done with GrabItAll too.

DumpUsers

DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.

BrowseList

BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading).

Remoxec

Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation).

WMICracker

Brute-force tool for Windows Management Instrumentation (WMI).

Venom

Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled.

SMBAT

The SMB Auditing Tool is a password auditing tool for the Windows-and the SMB-platform. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremly fast to guess passwords on these platforms.

RPCScan

RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins.

LSASecretsDump

LSASecretsDump is a small console application that extract the LSA secrets from the Registry, decrypt them, and dump them into the console window.

SQLPing

SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever.

OAT

The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.

Pwdump7

Extract password hashes from local user accounts.

PsTools

The PsTools package provides a set of command line utilities that allow you to manage local and remote systems.

Incognito

Incognito is a tool for manipulating windows access tokens and is intended for use by penetration testers, security consultants and system administrators.

DumpSec

DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

X-Deep32

X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc.

LC5

Windows password cracker.

Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables.

SiVuS

SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations.

[Source]

Read More

[Burp Suite] Free Edition v1.5

Burp Suite helps you secure your web applications by finding the vulnerabilities they contain.  Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

User Interface:

• Burp's UI has been completely overhauled, to improve looks and usability:
• Fonts are now available throughout the UI, with corresponding resizing of all UI elements (tables, dialogs, buttons, etc.).
• There are configurable hotkeys for all common functions.
• Intruder and Repeater now have smart tabs, which you can drag to reorder, and click to create, close or rename.
• Tables are natively sortable everywhere, except where the row ordering is part of the options you are configuring.
• Text fields now have context-aware auto-complete memory.

Burp now implements sslstrip-style functionality, allowing you to use non-SSL-capable tools against HTTPS applications, or to perform active MITM attacks against users who begin browsing using HTTP.

Download Burp Suite Free Edition v1.5

Read More