Minion – Mozilla Security Testing Framework

Find your website's Achilles' Heel


Minion is a security testing framework built by Mozilla to bridge the gap between developers and security testers. To do so, it enables developers to scan with a wide variety of security tools, using a simple HTML-based interface.

Minion - Mozilla Security Testing Framework

It consists of three umbrella projects:


  • Minion Frontend, a Python, angular.js, and Bootstrap-based website that provides a HTML interface to authenticate and authorize users, manage sites, initiate scans, and report issues
  • Minion Backend, a Python, Flask, and Twisted-based backend that provides an API for the Minion Frontend, and acts as a middleman between the frontend and external security tools
  • Minion VM, a repository of recipes to allow quick installations of Minion either via Vagrant or Docker

Functionality

Minion has limited scanning functionality built into itself. Instead, it relies on the large variety of pre-existing open source and commercial scanning tools. These plugins include:

You can download Minion here:

Back-end: minion-backendv0.3.zip
Front-end: minion-frontend-v0.4.zip

Or read more here.


Tags: , , , , , , , ,

Posted in: Countermeasures, Security Software, Web Hacking | Add a Comment

HexorBase – Administer & Audit Multiple Database Servers

Find your website's Achilles' Heel


HexorBase is a database application designed to administer and to audit multiple database servers simultaneously from a centralised location, it is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL).

HexorBase - Administer & Audit Multiple Database Servers

It allows packet routing through proxies or even Metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.


Requirements

  • python
  • python-qt4
  • cx_Oracle
  • python-mysqldb
  • python-psycopg2
  • python-pymssql
  • python-qscintilla2

You can download HexorBase here:

hexorbase_1.0_all.deb

Or read more here.


Tags: , , , , , , , , , , , ,

Posted in: Database Hacking, Hacking Tools | Add a Comment

UK Encryption Backdoor Law Passed Via Investigatory Powers Act

Find your website's Achilles' Heel


The latest news out of my homeland is not good, the UK encryption backdoor law passed via Investigatory Powers Act or the IPA Bill as it’s commonly known. And itself was passed through a kind of backdoor route, which avoided the scorn of the public.

UK Encryption Backdoor Law Passed Via Investigatory Powers Act

Which was good for the lawmakers, but not for the citizens as with the case of the Burr-Feinstein Bill proposed in the US which was turned around by a huge backlash.

Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand “technical” changes to software and systems.

As per the final wording of the law, comms providers on the receiving end of a “technical capacity notice” will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing “electronic protection” on encrypted communications.


There is no point at which forcing companies or service providers to develop or utilise less secure products is a good idea. That’s the problem when policy makers have no real depth in their understanding of the subject and how dangerous the decisions they are making really are.

So now browsing logs are available to the UK government and any form of encryption will be backdoored to allow the government to decrypt it if they feel like it. Great.

Thus, by “technical capability,” the government really means backdoors and deliberate security weaknesses so citizens’ encrypted online activities can be intercepted, deciphered and monitored.

In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.

No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography. There may be not much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice.

To be fair, there were some fears that Blighty’s law would effectively kill off the UK software industry as well as undermine Brits’ privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK’s Investigatory Powers Bill before it was passed.

Next UK will finally be introducing a mandatory ID system scheme, seen as though soon enough everyone will be linked to every transaction they conduct online, on their smart phone or on their TV.

It’s really turning into a draconian state.

Source: The Register


Tags: , , , , , , ,

Posted in: Cryptography, Legal Issues, Privacy | Add a Comment

Pulled Pork – Suricata & Snort Rule Management

Your website & network are Hackable


Pulled Pork is a PERL based tool for Suricata and Snort rule management – it can determine your version of Snort and automatically download the latest rules for you.

Pulled Pork - Suricata & Snort Rule Management

The name was chosen because simply speaking, it Pulls the rules. Using a regular crontab you can keep your Snort or Suricata rules up to date automatically.

Features and Capabilities

Pulledpork 0.7.2 has been tested and works with Snort 2.9.8.3/Suricata 3.1.3 and the Snort Registered rules/ETOpen/ETPro rulesets.

  • Automated downloading, parsing, state modification and rule modification for all of your snort rulesets.
  • Checksum verification for all major rule downloads
  • Automatic generation of updated sid-msg.map file
  • Capability to include your local.rules in sid-msg.map file
  • Capability to pull rules tarballs from custom urls
  • Complete Shared Object support
  • Complete IP Reputation List support
  • Capability to download multiple disparate rulesets at once
  • Maintains accurate changelog
  • Capability to HUP processes after rules download and process
  • Aids in tuning of rulesets
  • Verbose output so that you know EXACTLY what is happening
  • Minimal Perl Module dependencies
  • Support for Suricata, and ETOpen/ETPro rulesets

Usage

You can download Pulled Pork here:

pulledpork-v0.7.2.zip

Or read more here.


Tags: , , , , , , ,

Posted in: Countermeasures, Network Hacking, Security Software | Add a Comment
Acunetix Web Vulnerability Scanner v11 Released

Acunetix Web Vulnerability Scanner v11 Released

Acunetix Web Vulnerability Scanner v11 has just been released with lots of exciting new features and tools. The biggest change is that v11 is now integrated with Vulnerability Management features to enable your organization to comprehensively manage, prioritise and control vulnerability threats – ordered by business criticality. There are other changes too including the web […]

Tags: , , , , , , , ,

Posted in: Advertorial | Add a Comment
PyExfil - Python Data Exfiltration Tools

PyExfil – Python Data Exfiltration Tools

PyExfil started as a Proof of Concept (PoC) and has ended up turning into a Python Data Exfiltration toolkit, which can execute various techniques based around commonly allowed protocols (HTTP, ICMP, DNS etc). The package is very early stage (alpha release) so is not fully tested, any feedback and commits are welcomed by the author. […]

Tags: , , , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Androguard - Reverse Engineering & Malware Analysis For Android

Androguard – Reverse Engineering & Malware Analysis For Android

Androguard is a toolkit built in Python which provides reverse engineering and malware analysis for Android. It’s buyilt to examine * Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), * APK (Android application) (.apk), * Android’s binary xml (.xml) and * Android Resources (.arsc). Androguard is available for Linux/OSX/Windows (Python powered). Features Map and manipulate DEX/ODEX/APK/AXML/ARSC […]

Tags: , , , , , , , ,

Posted in: Forensics, Malware | Add a Comment
Android Devices Phoning Home To China

Android Devices Phoning Home To China

So unsurprisingly a security researcher found some cheap Android devices phoning home to China when buying a phone to travel with. One of the phones seems to be Blu R1 HD, which is ‘Currently unavailable’ on Amazon.com and customers that bought it have received security update e-mails. Security researchers have uncovered a secret backdoor in […]

Tags: , , , , , , , , , , ,

Posted in: Malware, Privacy | Add a Comment
Netdiscover - Network Address Discovery Tool

Netdiscover – Network Address Discovery Tool

Netdiscover is a network address discovery tool that was developed mainly for those wireless networks without DHCP servers, though it also works on wired networks. It sends ARP requests and sniffs for replies. Built on top of libnet and libpcap, it can passively detect on-line hosts, or search for them, by actively sending ARP requests, […]

Tags: , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Signal Messaging App Formal Audit Results Are Good

Signal Messaging App Formal Audit Results Are Good

I’ve recommended Signal Messaging App quite a few times and I do use it myself, I know there are some privacy concerns with the fact it requires Google App Store – but that’s the developers choice. It’s a pretty solid app, clean, sleek and works well across both Android and iOS and the latest news […]

Tags: , , , , , , ,

Posted in: Countermeasures, Cryptography, Privacy | Add a Comment