Kali tools catalog - Vulnerability Analysis
Cisco Tools
cisco-global-exploiter
Cisco Global Exploiter (CGE), is an advanced, simple and fast security testing tool/ exploit engine, that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers.
cisco-ocs
Compact mass scanner for Cisco routers with default telnet/enable passwords.
yersinia
yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in Yersinia current version: Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol Label Switching (MPLS).
Some of the attacks implemented will cause a DoS in a network, other will help to perform any other more advanced attack, or both. In addition, some of them will be first released to the public since there isn’t any public implementation.
Database Assessment
bbqsql
BBQSQL is a blind SQL injection framework written in Python.
dbpwaudit
DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines.
hexorbase
HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location, it is capable of performing SQL queries and bruteforce attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL ).HexorBase allows packet routing through proxies or even metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.
jsql
jSQL Injection is a lightweight application used to find database information from a distant server.
mdb-export
Export data in an MDB database table to CSV format.
mdb-hexdump
makes a hex dump of a binary file
mdb-parsecsv
mdb-parsecsv takes a CSV file representing a database table, and converts it into a C array.
mdb-sql
mdb-sql allows querying of an MDB database using a limited SQL subset language.
mdb-tables
It produces a list of tables contained within an MDB database in a format suitable for use in shell scripts.
oscanner
Oscanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:
– Sid Enumeration – Passwords tests (common & dictionary) – Enumerate Oracle version – Enumerate account roles – Enumerate account privileges – Enumerate account hashes – Enumerate audit information – Enumerate password policies – Enumerate database links
The results are given in a graphical java tree.
sidguesser
Guesses sids/instances against an Oracle database according to a predefined dictionary file.
sqldict
SQLdict is a basic single ip brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.
sqlmap
sqlmap is an automatic SQL injection tool entirely developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.
sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Features:
Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Data extraction, time-based or via a DNS tunnel
Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection or just to upload Meterpreter
Upload of executables using only normal HTTP requests (no FTP/TFTP needed), via vbscript or debug.exe
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if ‘sa’ password has been found
Creation of a custom xp_cmdshell if the original one has been removed
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM
sqlsus
sqlsus is an open source MySQL injection and takeover tool, written in perl.
tnscmd10g
Tnscmd can be used to communicate directly with Oracle’s TNS listener, (no client is needed). Unlike the Oracle listener control utility LSNRCTL.exe, TNSCmd.pl does not need any connection strings and a direct bi-directional conversation can be immediately established.
Fuzzing Tools
bed
Bruteforce Exploit Detector is a plain-text protocol fuzzer that checks software for common vulnerabilities like buffer overflows, format string bugs, integer overflows, etc.
fuzz_ip6
The name is self explanatory.
ohrwurm
RTP fuzzer
powerfuzzer
highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
sfuzz
Simple Fuzz(sfuzz) is a simple fuzzer. It has two network modes of operation, an output mode for developing command line fuzzing scripts, as well as taking fuzzing strings from literals and building strings from sequences.
siparmyknife
SIP Army Knife is a fuzzer that searches for cross site scripting, SQL injection, log injection, format strings, buffer overflows, and more.
spike generic_chunked & generic_listen_tcp & generic_send_tcp & generic_send_udp
SPIKE is a Fuzzer Creation Kit. You can use it for fuzzing or leverage its API to write your own fuzzers.
Misc Scanners
golismero
GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans.
lynis
Run a system and security audit on the system
The following system areas may be checked:
- Boot loader files
- Configuration files
- Common files by software packages
- Directories and files related to logging and auditing
nikto
Examine a web server to find potential problems and security vulnerabilities, including:
· Server and software misconfigurations
· Default files and programs
· Insecure files and programs
· Outdated servers and programs
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.
unix-privesc-check
This script checks file permissions and other settings that could allow local users to escalate privileges.
Open Source Assessment
Covered in other categories.
OpenVAS
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
openvas-check-setup
analyzes the state of your OpenVAS installation and proposes fixes should it detect any errors or misconfigurations. It will also check if all required OpenVAS services are running and listening on the correct ports.
openvas-gsd
The Greenbone Security Desktop (GSD) is a Qt-based desktop client for the OpenVAS Management Protocol
0 comments: