XSS ChEF - Chrome Extension Exploitation Framework



Another interesting tool was drawn to my attention yesterday: the Chrome Extension Exploitation Framework, or XSS ChEF, which exploits XSS vulnerabilities in Chrome extensions. What you can actually do with this tool (given appropriate privileges):
 - Monitor the victim's open tabs
 - Execute JS on every tab (global XSS)
 - Extract HTML, read/write cookies (including httpOnly ones) and localStorage
 - Get and manipulate browser history
 - Stay persistent until the whole browser is closed (or even further, if you can persist in the extension's localStorage)
 - Take a screenshot of the victim's window
 - Exploit further, e.g. by attaching BeEF hooks, keyloggers etc.
 - Explore the filesystem through the file:// protocol
 - Bypass the Chrome extension content script sandbox to interact directly with page JS
Demo video:

Demo video 2:

More information about XSS ChEF @ : http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html
Download from github: https://github.com/koto/xsschef

0 comments:

Never Forget To Say Thanks :D

Simple Phishing Toolkit

Today I came across a new tool which seems to be interesting: SP Toolkit (Simple Phishing Toolkit). Since phishing is one of the biggest problems in IT security, it seems logical to build a toolkit to test people, customers and organizations against phishing emails. Combined with some other tools, e.g. Metasploit, this could be a very useful tool when performing a pentest. The authors of the toolkit are information security professionals who needed a tool for phishing attacks, so they wrote a toolkit. From the website:
spt is a simple concept with powerful possibilities. It is what its name implies: a simple phishing toolkit.
The basic idea we (the spt project) had was that wouldn't it be cool if there were a simple, effective, easy to use and free (most importantly!) tool that information security professionals could use to evaluate and train what we all know is the weakest link in any security minded organization: the people. Since the founders of the spt project are themselves information security professionals by day (and possibly either LOL cats or zombies by night), they themselves faced the frustration of dealing with people within their own organizations that claimed to know better, but 9 times out of 10 fell for the most absurdly obvious phishing emails ever seen. A malware outbreak here, a stolen password and loss of critical organizational data there and the costs of dealing with the results of phishing can get to be astronomical pretty darn quickly!...
More information @: http://www.sptoolkit.com/
Watch the video:


DNS Scraping for Corporate AV Detection


Rob Dixon [ @304geek ] from AccuvantLABS published a small but simple tool written in bash called Scrape-DNS, which can be used for querying cached DNS entries in search of malware and other "bad" sites. Short excerpt from 304geek's blog post:
"Back at my old job, we used cache snooping techniques (Scraping) to check for evidence of client systems that were attempting to resolve known malware sites.

We would use the list at Mayhemiclabs.com and compare it to our cached DNS entries.

So, why don't we do something badass like that, but to support the penetration test or red team mission?

Using standard cache snooping techniques you can determine what anti-virus vendors might be in use on a client's network.

HOW? Simple. By making non-recursive queries to the client's DNS servers for known AV update site domains.

Yes, it is that simple.
To query cached DNS entries, you need only to make a NON-recursive request to a target DNS server..."
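The non-recursive query the excerpt describes, as an added example that is not part of the original post or of Scrape-DNS: it builds an RD=0 DNS query by hand and classifies the reply, so the owner of a resolver can audit whether clients on a given network segment can read the cache (a hardened resolver answers "refused" or restricts cache access, e.g. BIND's allow-query-cache). The resolver address and the domain names are placeholders.

```python
import socket
import struct

# Added example (not from the original post or from Scrape-DNS). Builds the
# RD=0 query the quoted technique relies on and classifies the resolver's reply.

def build_query(name, txid=0x1234, recursion_desired=False):
    """Return raw DNS A-record query bytes; RD=0 asks only for cached data."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, IN

def skip_name(data, offset):
    """Advance past a (possibly compressed) name inside a DNS message."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, then done
            return offset + 2
        offset += length + 1

def classify(response):
    """Classify a reply to an RD=0 query: ('refused'|'cached'|'not_cached', min TTL)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if (flags & 0x000F) == 5:          # RCODE=REFUSED: cache not exposed to us
        return "refused", None
    offset = 12
    for _ in range(qdcount):           # skip question section (name + type + class)
        offset = skip_name(response, offset) + 4
    ttls = []
    for _ in range(ancount):           # any answer to an RD=0 query came from cache
        offset = skip_name(response, offset)
        _, _, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        ttls.append(ttl)               # remaining TTL hints how recently it was looked up
        offset += 10 + rdlen
    status = "cached" if ttls else "not_cached"
    return status, (min(ttls) if ttls else None)

def probe(resolver, name, timeout=2.0):
    """Send one RD=0 query over UDP to a resolver you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)
```

Run `probe("192.0.2.53", "av-update.example.test")` (placeholder values) against your own resolver from an untrusted segment; anything other than "refused" means that segment can enumerate what the cache holds.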




Samurai [Pen-testing Distro]

The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

[Download]


ModSecurity v2.7

ModSecurity is an embeddable web application firewall, which means it can be deployed as part of your existing web server infrastructure (Apache, IIS7 and Nginx).

This deployment method has certain advantages:

  1. No changes to the existing network. It only takes a few minutes to add ModSecurity to your existing web servers. And because it was designed to be completely passive by default, you are free to deploy it incrementally and only use the features you need. It is equally easy to remove or deactivate it should you decide you don't want it any more.
  2. No single point of failure. Unlike with network-based deployments, you will not be introducing a new point of failure to your system.
  3. Implicit load balancing and scaling. Because it works embedded in web servers, ModSecurity will automatically take advantage of the additional load balancing and scalability features. You will not need to think of load balancing and scaling unless your existing system needs them.
  4. Minimal overhead. Because it works from inside the web server process there is no overhead for network communication and minimal overhead in parsing and data exchange.
  5. No problem with encrypted or compressed content. Many IDS systems have difficulties analysing SSL traffic. This is not a problem for ModSecurity because it is positioned to work when the traffic is decrypted and decompressed.
ModSecurity is known to work well on a wide range of operating systems. Our customers are successfully running it on Linux, Windows, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.


Copyright © 2013 Hacking Tools and Tech eBooks Collection and Blogger Templates - Anime OST.