WordPress Brute Force Tool

Following on from my previous post, Patching WordPress Username Disclosure, I got bored over the weekend and decided to implement Veronica Valeros’s username disclosure technique in a WordPress password brute force tool.

It is nothing revolutionary or difficult to code, but it may come in handy one day on a pentest or web application assessment, mainly to automate the process.

Currently you can use the tool in 3 different ways.


Posted on 13 June, 2011 by ethicalhack3r

10 Comments

DVWA 1.0.7 is here!

9 months after the last release, we are proud to present the all-new Damn Vulnerable Web Application version 1.0.7.

What’s new?
The vulnerability help page has been improved.
We now display the logged-on username along with the vulnerability level and PHP-IDS status.
Blind SQL injection has been implemented.
We now have official documentation.
You can now compare all vulnerable source code in one page with the ‘view all’ button.
The whole theme has been redesigned, including a great-looking new logo.
Many bug fixes and small changes throughout the application.


Posted on 8 September, 2010 by ethicalhack3r

No Comments

Skipfish – Automated web security scanner

A couple of days ago (March 19th), Michal Zalewski, famous for tools such as p0f and his excellent book ‘Silence on the Wire’, announced the release of an open source automated web security scanner called Skipfish on the Google Online Security Blog.

Key features:

High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.


Posted on 21 March, 2010 by ethicalhack3r

2 Comments

SecurityPodcasts Boxee App

What is Boxee?

Boxee is the best way to enjoy entertainment from the Internet and computer on your TV

http://www.boxee.tv/

Boxee allows you to develop ‘Apps’, which are basically XML files that grab RSS feeds. These Apps can be installed through remote repositories. To truncate and combine all the security podcasts I used Yahoo! Pipes.


Posted on 19 January, 2010 by ethicalhack3r

1 Comment

Dionaea – Low interaction honeypot

After running Glastopf (Glastopf – Web Application Honeypot) for a few days and not getting any hits, I was a bit disappointed. I speculate that maybe you need to give web application honeypots more time to propagate across the Internet and get picked up by search engines to receive any significant hits, or even give the honeypot its own domain name. From my earlier post you will notice that I had tried to get Dionaea to run first.

Markus, the lead developer of Dionaea, got in contact after he read my post and saw that I was having trouble getting it running. It turned out to be a complete fail on my part: after following the instructions on the Dionaea homepage, Dionaea installed perfectly fine; it was just a case of me not knowing how to run it properly.

What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, the ultimate goal is gaining a copy of the malware.


Posted on 17 January, 2010 by ethicalhack3r

9 Comments