i love tools with personality:
Caught exit of DirBuster
Writing report
Report saved to 192.168.254.8.dirbuster.html
Enjoy the rest of your day
The compilation process of nmap comes to mind:
awesome
as does KARMA:
Loading config file etc/karma-scan.xml
DNS-SERVER is running
DHCP-SERVER is running
Delivering judicious KARMA, hit Control-C to quit.
Others?
#!/bin/bash
#webservercheck.sh
for i in `cat $1` ## for all lines in the file provided to the script
do
echo “Nikto’ing $i”
##NOTE: Nikto needs to have been untarred here.
/home/jcran/toolkit/nix/attack-net-webserver/nikto/nikto.pl -host $i -config /home/jcran/toolkit/nix/attack-net-webserver/nikto/config.txt | tee report.nikto.$i.txt## Wget
echo “wgett’ing HTTP://$i/”
wget -r -l 2 http://$i/## dirbuster
java -jar /home/jcran/toolkit/nix/brute-web/DirBuster-0.12/DirBuster-0.12.jar -H -l /home/jcran/toolkit/wordlist/directory-list-2.3-tiny.txt -e asp,aspx,jsp -v -P -R -r $i.dirbuster.html -u http://$i
done
Call it as: ./webservercheck.sh <file with ips>
Ignore the awful pathing problems if you can. Anyhow, it does a nikto / wget / dirbuster for every host. handy if you’ve run a portscan on :80 (using something like nmap or propecia).
jcran
Doing a little research on an exploit, i came across SecurityDot.Net. Google provided the link. However, when i clicked on it, i got this:
Of the 174 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-11, and the last time suspicious content was found on this site was on 2009-09-11.Malicious software includes 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 3 new process(es) on the target machine.
Malicious software is hosted on 5 domain(s), including odile-marco.com/, google-analyze.org/, 213.163.89.0/.
This site was hosted on 1 network(s) including AS25220 (GLOBALNOC).
Also, when i tried to browse to the site directly, i got this:
Which turns out to be a built-in interface for the same google-stopbadware database.
This is a handy way to execute code within the browser. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC.
Essentially, in Firefox up through 3.0.13 (my ubuntu 9.04 is running 3.0.11), there’s a publicly exposed javascript function which allows you to call an arbitrary crypto library on the system. Assuming you’re able to place a malicious library (see below) in the target environment, you could use this to get other systems to execute it. Extra win, you can use UNC paths to locate the library 
Source is here. <– note, this is live, but it’s calling a non-existent crypto library.
The malicious library would need a function named CPkunkcsApp(), which, in this case, just calls ShellExecute.
<font face="monospace">CpkunkcsApp::CpkunkcsApp()
{
char *str = "c:\\windows\\system32\\calc.exe";
wchar_t *wText;
size_t len;
len = strlen(str)+1;
wText = new wchar_t[strlen(str)];
memset(wText, 0, len * sizeof(wchar_t));
::MultiByteToWideChar(CP_ACP, NULL, str, -1, wText, len);
ShellExecute(NULL, NULL, wText, NULL, NULL, SW_SHOW);
}</font>
I followed Scott Hanselman around for a year when I was touring with the Dead^W^W^W^W a build / team system admin. He always puts out a good utils list: http://www.hanselman.com/blog/ScottHanselmans2009UltimateDeveloperAndPowerUsersToolListForWindows.aspx
There are a few that are already in the pentesting toolkit:
And a few new ones
etc etc etc. lots of good stuff here. (i’m learning to blog when i’m procrastinating. back to work!)
ever get this error in firefox?
if i accept a ssl certificate with an attack proxy (such as burp suite) in the middle, then later go back to the same site without the proxy, i get this error.
and i can’t do anything about it.
not fun.
:/
Recently I had a financial-sector client contact me regarding tools and techniques for security and reputation monitoring. The client had recently had their web site scraped and placed under a similar domain. It was apparently a simple identity theft attack (on arbitrary users), but it scared them nonetheless.
Wanting to prevent or minimize the risk of this type of thing, they were in need of some simple reputation and keyword monitoring tools, so we came up with a few immediately:
You’ll want to pick some keywords to monitor. Other folks have talked specifically about what keywords you should be monitoring. It’s also a good idea monitor your website for those specific keywords with Google’s power search operators (inurl: and site:)
Then we started thinking about monitoring for more direct IT security issues. Several things came to mind immedately, such as:
You should also be monitoring your domain to ensure you don’t have any google dorks showing up within the domain. You can do that by setting up google alerts such as:
You’ll definitely want to get analytics on your website, and monitor where your users are sourcing from. This will provide additional lists of sites that are linking to you. There are definitely some IRC and forums it would be handy to keep an eye on. we’ll save that for the commercial version of this article 
Thinking a bit more in-depth about what classes of things you’d want to monitor, i come up with a couple classes:
Thoughts? Other sources which should be monitored?
notice anything conspicuous about those serial #’s?
Twitter (jcran)
