Penetration Testing mailing list archives
[Tools update] The Security-Database Watch Newsletter -- v20090808
From: "SD List" <list () security-database com>
Date: Sat, 8 Aug 2009 23:44:47 +0200 (CEST)
Hello Here is the site's newsletter "Security Database Tools Watch" (http://www.security-database.com/toolswatch). This letter summarizes the articles and news items published since 7 days. Expect also some changes in security-database team by Septembre 09. New articles -------------------------- ** iKat Pentest Kiosk terminals v2.0 available ** by Tools Tracker Team - 7 August 2009 iKAT was designed to aid security consultants with the task of auditing the security of internet Kiosk software and deployed Kiosk terminals. iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionalit Now it comes with a new iKat Firefox extension. -> http://www.security-database.com/toolswatch/iKat-Pentest-Kiosk-terminals-v2.html ** Findbugs v1.3.9-rc1 released ** by Tools Tracker Team - 7 August 2009 FindBugs is a program to find bugs in Java programs. It looks for instances of "bug patterns" --- code instances that are likely to be errors. -> http://www.security-database.com/toolswatch/Findbugs-v1-3-9-rc1-released.html ** FakeIKEd v0.0.5 MitM Tool for Cisco PSK+XAUTH VPN ** by Tools Tracker Team - 7 August 2009 FakeIKEd, or fiked for short, is a fake IKE daemon supporting just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi MitM attack. Fiked can impersonate a VPN gateways IKE responder in order to capture XAUTH login credentials; it doesnt currently do the client part of full MitM. Fiked is partially based on vpnc and uses libgcrypt and optionally libnet. Fiked supports IKEv1 in aggressive mode, using (...) -> http://www.security-database.com/toolswatch/FakeIKEd-v0-5-MitM-Tool-for-Cisco.html ** websecurify Web2.0 Application Security Testing Tool v0.2 released ** by Tools Tracker Team - 7 August 2009 Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies. Tool Submitted by Maximiliano Soler -> http://www.security-database.com/toolswatch/websecurify-Web2-Application.html ** ippon-mitm the Software Update MITM Attack Tool released ** by Tools Tracker Team - 6 August 2009 Software updates apply patches or introduce new features to an application. In most cases, the update procedure is conducted in an insecure manner, exposing the updater to execution of malicious code or to manipulation of application data such as anti-virus signatures This tool uses several techniques of update-exploitation attacks which leverages a man-in-the-middle technique, to build and inject a fake update reply or hijack an on-going update session. Information about (...) -> http://www.security-database.com/toolswatch/ippon-mitm-the-Software-Update.html ** Xplico Internet Traffic decoder version 0.5.2 available ** by Tools Tracker Team - 6 August 2009 The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isnt a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License (see License for more details). Xplico Features Protocols supported: HTTP, SIP, (...) -> http://www.security-database.com/toolswatch/Xplico-Internet-Traffic-decoder.html ** Stoned Bootkit released ** by Tools Tracker Team - 5 August 2009 Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again". (...) -> http://www.security-database.com/toolswatch/Stoned-Bootkit-released.html ** sslsniff v0.6 released ** by Tools Tracker Team - 5 August 2009 This tool was originally written to demonstrate and exploit IE's vulnerability to a specific "basicConstraints" man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes. It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a (...) -> http://www.security-database.com/toolswatch/sslsniff-v0-6-released.html ** UCSniff v2.4 in the wild ** by Tools Tracker Team - 5 August 2009 UCSniff is an exciting new VoIP Security Assessment tool that leverages existing open source software into several useful features, allowing VoIP owners and security professionals to rapidly test for the threat of unauthorized VoIP and Video Eavesdropping. Written in C, and initially released for Linux systems, the software is freely available for anyone to download, under the GPLv3 license UCSniff was created as a Proof of Concept demonstration tool and a method of creating awareness (...) -> http://www.security-database.com/toolswatch/UCSniff-v2-4-in-the-wild.html ** New Version of Samurai Web Testing Framework 0.7 released ** by Tools Tracker Team - 5 August 2009 The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test. Starting with reconnaissance, we have included tools such as the Fierce (...) -> http://www.security-database.com/toolswatch/New-Version-of-Samurai-Web-Testing.html Regards N.OUCHN CEO & Founder at Security-Database ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- [Tools update] The Security-Database Watch Newsletter -- v20090808 SD List (Aug 09)