Browser Exploitation Framework (BeEF)~ Penetration Testing Tools

The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target. This project is developed solely for lawful research and penetration testing.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

The framework contains numerous command modules that employ BeEF's simple and powerful API. This API is at the heart of the framework’s effectiveness and efficiency. It abstracts complexity and facilitates quick development of custom modules.

BeEF version 0.4.2.10-Alpha was recently released.



Video Demonstration of BeEF's Metasploit Plugin

Hash Code Cracker V 1.2 Released ~PenTesting Tool from BreakTheSecurity


BreakTheSecurity is proud to release Hash Code Cracker version 1.2. Our latest release supports an online cracking function.


Description:

This password cracker is developed for pentesters and ethical hackers. Please use this software for legal purposes (testing password strength).


Features:
  • This software will crack MD5, SHA1 and NTLM (Windows password) hash codes.
  • No need to install.
  • Supports all platforms (Windows XP/7, Linux, ...).

V1.2 Changelog:
  • Included online cracking support

Minimum Requirements:
  • Java Runtime Environment: JRE 1.6 should be installed (you can get it from oracle.com).

How to Run the Application?
Download the .zip file.
Extract the zip file.
Open the terminal or command prompt.
Navigate to the path of the extracted zip file (the HashCodeCracker folder) in the terminal/CMD.
Type this command: "java -jar HashCodeCracker.jar".
Now the application will run.

Project HomePage:
http://projects.breakthesecurity.com/

Download:

From SourceForge.net

(or)

From code.google.com

DDOS Attack using Google Plus Server-Distributed Denial of Service

R00T.ATI claimed on the IHTeam Security Blog that he found a DDoS vulnerability in Google+. Using this vulnerability, hackers can launch a DDoS attack on any other website using the bandwidth of the Google Plus servers.

They demonstrate how an attacker can use the Google server as a proxy to send requests to the target website. Quatrini has written a shell script that will repeatedly prompt Google's servers to make requests to a site of the attacker's choice, effectively using Google's bandwidth rather than their own.


How does it work?

The vulnerable pages are “/_/sharebox/linkpreview/” and “gadgets/proxy?”.
It is possible to request any file type, and Google+ will download and show all the content. So, if you parallelize many requests, it is possible to DDoS any site with Google's bandwidth. It is also possible to start the attack without being logged in to Google Plus.

Attack vectors:
The advantage of making requests through Google's servers is being even more anonymous when attacking a site (TOR + this method); the funny thing is that Apache will log Google IPs.
But beware: gadgets/proxy? will send your IP in the Apache log; if you want to attack, you’ll need to use /_/sharebox/linkpreview/

The pen tester tried the DDoS against his own server using the Google Plus server: with a thread of 1000 requests, the output bandwidth resulted in 91/96Mbps (his house bandwidth is only 6Mbps).
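
On the receiving site, the traffic described above appears in the Apache access log as many fetches of the same file from a small group of source addresses within a few seconds. The following is an added example (not code from this post or from IHTeam) that flags such bursts; the log lines, addresses, path, /24 grouping and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(line):
    """Return (timestamp, client /24, path, bytes sent) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    prefix = m["ip"].rsplit(".", 1)[0] + ".0/24"  # assumption: IPv4 clients only
    return ts, prefix, m["path"], size

def find_fetch_bursts(lines, window_s=10, min_requests=5):
    """Map (client /24, path) -> (peak requests, bytes served) for sliding-window bursts."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # per-key queue of (timestamp, bytes) inside the window
    alerts = {}
    for line in lines:           # lines are expected in time order for each key
        rec = parse(line)
        if rec is None:
            continue
        ts, prefix, path, size = rec
        key = (prefix, path)
        q = recent[key]
        q.append((ts, size))
        while ts - q[0][0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= min_requests and len(q) > alerts.get(key, (0, 0))[0]:
            alerts[key] = (len(q), sum(s for _, s in q))
    return alerts

def sample_log():
    """Constructed log: 8 fetches of one large file from one /24, plus normal traffic."""
    fmt = '{ip} - - [01/Sep/2011:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 {b}'
    burst = [fmt.format(ip=f"203.0.113.{10 + i % 3}", s=i, p="/files/big.iso", b=5_000_000)
             for i in range(8)]
    normal = [fmt.format(ip="198.51.100.7", s=s, p="/index.html", b=1200) for s in (2, 9)]
    return burst + normal

if __name__ == "__main__":
    for (prefix, path), (n, total) in find_fetch_bursts(sample_log()).items():
        print(f"burst: {n} requests for {path} from {prefix}, {total} bytes served")
```

Keys flagged this way are candidates for per-prefix rate limiting or for serving large static files from a cache, with thresholds tuned to the site's normal traffic.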