Category: Projects

Hook Analyser

Name: Hook Analyser
Category : Malware Analysis
Author/Owner : Beenu Arora

Project Home URL – www.hookanalyser.com

Description:

1. Spawn and Hook to Application – This feature allows an analyst to spawn an application and hook into it.
2. Hook to a specific running process – This option allows an analyst to hook into a running (active) process.
3. Perform quick static malware analysis – This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces.
4. Application crash analysis – This module enables an exploit researcher and/or application developer to analyse memory content when an application crashes.

Project Paper – http://packetstormsecurity.org/files/download/119112/Hook_Analyser.pdf

GameOver – Web PenTest Learning Platform

Name : Game Over
Category : Web Pentest Learning Platform
File Type : VM image/iso

Author : Jovin Lobo
Mentor : Murtuja Bharmal

Download URL : http://sourceforge.net/projects/null-gameover/files

Default Credentials : [username:root / password:gameover]

Description :
Project GameOver was started with the objective of training and educating newbies about the basics of web security, teaching them about the common web attacks and helping them understand how they work. It is a collection of various vulnerable web applications, designed for the purpose of learning web penetration testing.

GameOver has been broken down into two sections.
Section 1 consists of special web applications that are designed especially to teach the basics of web security. This section will cover:
XSS
CSRF
RFI & LFI
BruteForce Authentication
Directory/Path traversal
Command execution
SQL injection

Section 2 is a collection of deliberately insecure web applications. This section provides a legal platform to test your skills, to try and exploit the vulnerabilities, and to sharpen your skills before you pentest live sites. We would advise newbies to try and exploit these web applications. These applications provide real-life environments and will boost their confidence.

SQLol – A Configurable SQL Injection Test-Bed

Name : SQLol
Category : SQL Injection
Author : Daniel Crowley

Download URL : https://github.com/SpiderLabs/SQLol

Description : SQLol is a configurable SQL injection testbed. SQLol allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.

PE Dumper

Name : PE Dumper
Category : PE File Analysis
Author : Rashid Bhatt

Download URL : http://texe.codeplex.com

Description : Texe is a Portable Executable import and export viewer and disassembler for Microsoft Windows. It can view the symbols imported and exported by a portable executable and can also disassemble the code section of the executable. It generates its output in the form of an HTML report.

Project Jugaad

Name: Project Jugaad
Category: API (Linux)
Author/Owner: Aseem Jakhar

Source Code: https://github.com/aseemjakhar/jugaad

Download the project from github using git command:
$ git clone git://github.com/aseemjakhar/jugaad.git

Introduction:

Windows malware conveniently uses the CreateRemoteThread API to delegate critical tasks within the context of other processes. However, there is no similar API on Linux to perform such operations. This paper talks about my research on creating an API similar to CreateRemoteThread for the *nix platform.

The aim of the research is to show how a simple debugging functionality in *nix OSes can be exploited by a piece of malware to hide itself and delegate the critical (malicious) operations to an innocent process.

The presented Proof of Concept toolkit named “Jugaad” currently works on Linux. In order to achieve its primary goal, it allocates the required memory space inside a specified process, creates a thread, injects arbitrary payload and executes it in the context of the remote thread.

Whitepaper: http://null.co.in/2011/07/03/project-jugaad/

Malware Analyser

Name: Malware Analyser
Category: Malware Analysis
Author/Owner: Beenu Arora

Download URL: http://www.malwareanalyser.com

Description:
Malware Analyzer aims to aid the static and dynamic analysis of malware.

The static analysis allows an analyst to predict the behaviour of malware without actually executing it, which in turn saves resources in terms of time and effort. It can be useful for string-based analysis of Windows registry usage, API calls, IRC commands, DLLs called and anti-VMware code detection. It can perform a full ASCII dump of the PE along with other options. It can also generate the various sections of a PE. Malware Analyzer also assists in the code analysis of the malware. It can also perform an online malware check. Based on PEiD signatures, it can also detect the packers used to compress it. It also provides a tracer functionality that can be used to identify anti-debugging call tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes, hardware breakpoints, Internet communication etc. generally used by malware. It also performs CRC and timestamp based verification to detect any anomalies, along with an entropy based scan for identification of malicious sections. The tool can be used to create signatures of a malware sample which can then be exported as custom signatures for an AV or IDS. It also allows viewing the modules of a process along with complete process dumping.

The dynamic analysis allows predicting the actual behaviour of the malware at runtime. Currently Malware Analyser allows hooking certain APIs (file creation and registry creation), with more to come in the near future.


metaPwn – more off the autopwn

Name: metaPwn
Category: Metasploit Automater
Author/Owner: Prajwal Panchmahalkar

Download URL: http://metapwn.sourceforge.net/

Description:
It combines nmap scanning with Metasploit: it uses the output of the nmap scans to perform an autopwn on the target machines.

n00bRAT

Name: n00bRAT
Category: Backdoor
Author/Owner: Abhishek Kumar
Download URL: http://n00brat.sourceforge.net/

Description:

An undetectable Remote Administration Tool -OR- trojan, an all new approach. Easily usable: the client just requires any web browser to control the remote machine via a web page. It fools firewall/IDS/IPS security solutions, as it operates like any website.

Spiderpig

Name: Spiderpig
Category: PDF Fuzzer
Author/Owner: cons0ul
Download URL: http://code.google.com/p/spiderpig-pdffuzzer/

Description:
Adobe and others use JavaScript in PDFs to enhance the standard workflow, for example connecting to a database, spell checking, printing and viewing etc. When we open a PDF in a reader, it executes this JavaScript code (yes, we all know that). So the goal of spiderpig is to find bugs in the PDF reader's JavaScript engine. spiderpig reads method prototypes from an input file and creates a PDF file. Most of the PDF fuzzers available on the internet are file format fuzzers, which try to fuzz Adobe's file format implementation. I didn't find one fuzzer which fuzzes Adobe's JavaScript implementation, so here we have spiderpig, a JavaScript fuzzer for the PDF file format which tries to screw up the PDF reader using JavaScript methods.

spiderpig uses a brute force method to abuse the reader: it creates method calls using the full range of evil parameters. If you are aware of fuzzers like axman and dranzer, you know what I am talking about. spiderpig reads method prototypes from an input file and creates a stream of JavaScript code; this stream is then added into a PDF file using the makepdf module.
An example input file is in spiderpig's directory, named test.proto.
test.proto contains method prototypes (with object/namespace scope) which help spiderpig understand the method and its parameters. Add the prototypes of the methods you are going to test to this file. Each new method must be written on a new line. For example, if you want to test the [alert] and [beep] methods from the [app] object, you can write the prototypes as follows:

app.alert(nIcon,nType,cTitle,oDoc,oCheckbox)
app.beep(nType)

It will create 2 PDFs: one for app.alert (app.alert.pdf) and another for app.beep (app.beep.pdf).

Parameter types:
spiderpig understands the type of a parameter (string, number, boolean, object) by reading the first character of the parameter name written in the method prototype. spiderpig understands:
n for numbers
b for boolean
o for object
c for string

So while writing a prototype, add them as shown in the above example.
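To make the prototype format concrete, here is an added example (not spiderpig's own code) that reads a test.proto-style file, infers each parameter's type from its first letter as described above, and renders one well-typed call per method; the comment syntax, the error handling for an unknown prefix and the sample values are assumptions of this example.

```python
import re
from typing import List, Tuple

# Type prefix letters exactly as documented for test.proto (n, b, o, c).
TYPE_PREFIXES = {"n": "number", "b": "boolean", "o": "object", "c": "string"}

# One prototype per line: <object>.<method>(<params>); the object may be dotted.
PROTO_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\.(\w+)\s*\((.*)\)\s*$")

Proto = Tuple[str, str, List[Tuple[str, str]]]


def parse_prototype(line: str) -> Proto:
    """Parse 'app.alert(nIcon,nType,cTitle)' into ('app', 'alert', [(param, type), ...])."""
    m = PROTO_RE.match(line)
    if not m:
        raise ValueError(f"not a method prototype: {line!r}")
    obj, method, raw_params = m.groups()
    params: List[Tuple[str, str]] = []
    for p in (x.strip() for x in raw_params.split(",") if x.strip()):
        kind = TYPE_PREFIXES.get(p[0])
        if kind is None:  # assumption: reject prefixes the format does not define
            raise ValueError(f"unknown type prefix {p[0]!r} in parameter {p!r}")
        params.append((p, kind))
    return obj, method, params


def parse_proto_file(text: str) -> List[Proto]:
    """Read a whole .proto file; blank lines and '#' comments are skipped (an assumption)."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_prototype(l) for l in lines]


def output_name(obj: str, method: str) -> str:
    """Name of the PDF generated for a method, following the app.alert.pdf convention."""
    return f"{obj}.{method}.pdf"


# Benign placeholder values per type, used only to show a well-typed call (constructed).
SAMPLE = {"number": "1", "boolean": "true", "object": "this", "string": '"test"'}


def render_call(obj: str, method: str, params: List[Tuple[str, str]]) -> str:
    """Render one JavaScript call with a value of the inferred type for every parameter."""
    return f"{obj}.{method}({', '.join(SAMPLE[kind] for _, kind in params)});"


# Constructed sample input matching the prototypes shown above.
CONSTRUCTED_PROTO = "app.alert(nIcon,nType,cTitle,oDoc,oCheckbox)\napp.beep(nType)\n"

if __name__ == "__main__":
    for obj, method, params in parse_proto_file(CONSTRUCTED_PROTO):
        print(output_name(obj, method), "->", render_call(obj, method, params))
```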

spiderpig uses the JavaScript console functionality (console.println and console.show) provided by Adobe Reader to create a log, so you can see which method call is being made. See the following screenshot.

Here are the steps to use spiderpig:
1> download spiderpig
2> extract it to a folder
3> create a file, for example test.proto, and write the method prototypes in this file
4> open a command prompt and go to the folder
5> type python sp.py <folder-path> test.proto
where <folder-path> is an existing folder in which the PDFs will be created.
6> open the PDF reader
7> attach a debugger
8> open the PDF file in the reader
9> do reverse engineering :-)

Wireplay

Name: wireplay

Category: Generic Fuzzer

Author/Owner: Abhisek Datta

URL: http://code.google.com/p/wireplay/

Description:

A minimalist approach to replaying pcap-dumped TCP sessions, with modification as required.

The aim of this project is to build a usable but simplistic tool which can help in selecting the TCP session to replay. It can play both the client as well as the server during a replay session.

Obviously replay attacks don't work against protocols which are cryptographically hardened or implement protocol-specific replay prevention mechanisms like challenge/response etc. Wireplay implements a plugin/hook subsystem mainly for the purpose of working around those replay prevention mechanisms and also to perform a certain degree of fuzz testing.

Current Features

user@linux$ ./wireplay
Wireplay - The TCP Replay Tool v0.2

Options:
        -r       --role    [ROLE]       Specify the role to play (client/server)
        -F       --file    [FILE]       Specify the pcap dump file to read packets
        -t       --target  [TARGET]     Specify the target IP to connect to when in client role
        -p       --port    [PORT]       Specify the port to connect/listen
        -S       --shost   [SOURCE]     Specify the source host for session selection
        -D       --dhost   [DEST]       Specify the destination host for session selection
        -E       --sport   [SPORT]      Specify the source port for session selection
        -G       --dport   [DPORT]      Specify the destination port for session selection
        -n       --isn     [ISN]        Specify the TCP ISN for session selection
        -c       --count   [NUMBER]     Specify the number of times to repeat the replay
        -H       --hook    [FILE]       Specify the Ruby script to load as hook
        -L       --log                  Enable logging of data sent/receive
        -K       --disable-checksum     Disable NIDS TCP checksum verification
        -T       --timeout [MS]         Set socket read timeout in microsecond
        -Q       --simulate             Simulate Socket I/O only, do not send/recv


In case the --shost && --dhost && --isn && --sport && --dport parameters are not supplied,
the program will load all the TCP sessions from file and ask the user to select a session to replay

Basic Usage

./wireplay -K --role client --port 80 --target 127.0.0.1 -L -F ./pcap/http.dump

The above runs wireplay as the client with TCP checksum verification disabled (-K) and data logging enabled (-L), replaying an HTTP session from the ./pcap/http.dump file against port 80 on 127.0.0.1.

./wireplay --role client -F ./pcap/dcedump.dump --target 172.16.34.129 --port 135

The above example reads a dcedump (Dave Aitel’s dcedump) session from the file dcedump.dump (pcap dump file) and replays it.

What to do ?

Ruby Hook Interface

First: In order to have a real life example of Wireplay hooking capability and usage, take a look at hooks/rbhooks/cgen.rb

Wireplay implements a Ruby interface for writing callback hooks. Hooks are called on the occurrence of certain events like send-data, receive-data, error etc.

For a brief guide on writing Wireplay hooks in Ruby, read the Wireplay Hook Guide

Compilation

Wireplay uses a modified version of libnids library for TCP session reassembly from pcap frames. Read the Compilation Guide for some pointers.

Field Testing