
Havij - Advanced SQL Injection

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

What sets Havij apart from similar tools is its injection methods. Its success rate at injecting vulnerable targets is more than 95%. The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.



You can download Havij here:

Fast-Track - Automated Penetration Testing Toolkit

Fast-Track is a Python-based open-source project aimed at helping penetration testers identify, exploit, and further penetrate a network. Fast-Track was originally conceived when David Kennedy (rel1k) was on a penetration test and found that there was generally a lack of tools or automation for certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of his advanced attacks and propagate them down to his team, he ended up writing Fast-Track for the public. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back, relax, crank open a can of Jolt Cola and enjoy the ride.

Fast-Track utilizes large portions of the Metasploit Framework in order to complete successful attacks. Fast-Track has a wide variety of unique attacks that allow you to utilize the Metasploit Framework to its maximum potential. We thought that showing the different attacks and how Fast-Track integrates with the Metasploit Framework was an excellent addition and complement to the course. Let's walk through Fast-Track.

Fast-Track can be used in two different modes: console mode and web interface. Let's look at each one. 

Console mode is launched by running './fast-track.py -c'.


The web GUI mode is launched by running './fast-track.py -g'. By default, the web server starts listening on port 44444. This video demonstrates how to own a remote computer and dump its password hashes using Fast-Track.

Mantra Security Toolkit

Mantra is a collection of free and open source tools integrated into a web browser, which can come in handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. It is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that, it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive and defensive security tasks.

Mantra is light, flexible, portable and user friendly with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It runs natively on Linux, Windows and Mac platforms, and it can also be installed onto your system within minutes. It is absolutely free of cost and takes no time to set up.


Mantra is a powerful set of tools that makes the attacker's task easier. The beta version of the Mantra Security Toolkit contains the following tools built into it. You can also always suggest any tools or scripts that you would like to see in the next release.

  • Access Me
  • Add N Edit Cookies+
  • Chickenfoot
  • CookieSwap
  • DOM inspector
  • Domain Details
  • Firebug
  • Firebug Autocompleter
  • Firecookie
  • FireFTP
  • Firesheep
  • FormBug
  • FoxyProxy
  • Google Site Indexer
  • Greasemonkey
  • Groundspeed
  • HackBar
  • Host Spy
  • HttpFox
  • iMacros
  • JavaScript Deobfuscator
  • JSview
  • Key Manager
  • Library Detector
  • Live HTTP Headers
  • PassiveRecon
  • Poster
  • RefControl
  • Refspoof
  • RESTClient
  • RESTTest
  • Resurrect Pages
  • Selenium IDE
  • SQL Inject ME
  • Tamper Data
  • URL Flipper
  • User Agent Switcher
  • Vitzo WHOIS
  • Wappalyzer
  • Web Developer
  • XSS Me
You can check out this advanced SQL Injection tutorial using Mantra Toolkit here.

You can download Mantra here:

sqlmap - Automatic SQL Injection and Database Takeover Tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Database fingerprinting:
./sqlmap.py -u http://testasp.vulnweb.com/showforum.asp?id=1


Database name and current user:
./sqlmap.py -u http://testasp.vulnweb.com/showforum.asp?id=1 --current-db --current-user


Database enumeration:
./sqlmap.py -u http://testasp.vulnweb.com/showforum.asp?id=1 --dbs


Enumerate database tables and columns:
./sqlmap.py -u http://testasp.vulnweb.com/showforum.asp?id=1 --tables --columns


You can download sqlmap here:

Russix - Wireless Penetration Testing Live CD

Russix is a Slax-based wireless Live Linux distribution. It has been designed to be light (circa 230 MB) and dedicated purely to wireless auditing. The last version was released in February 2008 and there have been no new releases since. Even the russix.com website is no longer available online. I just thought I'd share the ISO and tutorial files here.

Russix evolved from an internal UK military wireless auditing tool (Debian-based) which Russ had developed while working for them as a penetration tester. It scripts together several WLAN attacks and allows the user to break a WEP key in about 6 keystrokes and conduct an “Evil Tiny Twin” attack in less than 5 minutes.

It comprises a number of tools including aircrack-ng, cowpatty, asleap, nmap, wireshark and hydra, as well as scripted attacks to aid cracking WEP and WPA networks. Currently it only supports Atheros-based chipsets, and those of you lucky enough to own two Atheros cards will be able to use the scripted Evil Twin attack.



You can download the ISO file here:
 

The tutorial files can be found here:

Using Metasploit db_autopwn With NeXpose Scan Result

We can use Metasploit's db_autopwn feature to execute exploits against the host(s) in the database. Before that, we need to import our scan results into the Metasploit database. I'm going to use a scan result from the NeXpose vulnerability scanner for this one.

We create a new report in NeXpose and save the scan results in 'NeXpose Simple XML' format so that we can later import it into Metasploit.


Next, we fire up Metasploit and choose sqlite3 as the db_driver.


Connect to the database and import the XML file. In this case, my report.xml file is located under root. Once it's done, it will tell you that the file has been successfully imported.


Now, running the 'db_services' and 'db_vulns' commands will display the all-important vulnerability information that Metasploit now has at its disposal.


We then tell db_autopwn to attack all targets using the vulnerabilities gathered in the database. We can do the same with Nessus or Nmap scan results as well.

Inguma - A Free Penetration Testing and Vulnerability Research Toolkit

Inguma is a penetration testing toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute force user names and passwords and, of course, exploits.

While the current exploitation capabilities in Inguma may be limited, this program provides numerous tools for information gathering and target auditing. Inguma is still being heavily developed so be sure to stay current and check back for news and updates.


There are some good docs to get you up and running too:

WPA Cracker - Cracks W-LAN Password in 20 mins

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400-CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.

 

Orion - Incident Response Live CD

The Orion Incident Response system was created to provide a trusted incident response platform that provides secure communication channels and collaboration tools in a consistent environment that can be used by all team members. Although Orion can be used merely as a collection of tools, the intent is to enforce a consistent workflow during incident handling. Orion is a Live CD based on Ubuntu Lucid Lynx (10.04), but you can also install it on your hard disk.

You can log in to the system using the following credentials:
Username: alpha
Password: 0rioNoir0



Nipper - Network Device Auditing Tool

Nipper performs security audits of network device configuration files. The report produced by Nipper includes detailed security-related issues with recommendations, a configuration report and various appendices. Nipper has a large number of configuration options, which are described on this page.
Nipper currently supports the following device types:
  • Cisco Switches (IOS)
  • Cisco Routers (IOS)
  • Cisco Firewalls (PIX, ASA, FWSM)
  • Cisco Catalysts (NMP, CatOS, IOS)
  • Cisco Content Service Switches (CSS)
  • Juniper NetScreen Firewalls (ScreenOS)
  • CheckPoint Firewall-1 (FW1)
  • Nokia IP Firewalls (FW1)
  • Nortel Passport Devices
  • SonicWALL SonicOS Firewalls (SonicOS)

The security audit includes details of the findings, together with detailed recommendations. The audit can be modified using command line parameters or an external configuration file.
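To make concrete what a configuration-file audit of this kind looks for, here is a small Python checker added as an example; it is not Nipper's code and the check names, the recommendations and the Cisco IOS configuration fragment it runs on are all constructed for illustration. It flags a handful of well-known weak IOS settings (cleartext password storage, `enable password` instead of `enable secret`, default SNMP community strings, the HTTP management server, and Telnet permitted on the vty lines) and reports each with a recommendation, in the spirit of the findings-plus-recommendations report described above.

```python
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (check id, offending config line, recommendation)

# Community strings that ship as defaults and are the first thing anyone tries.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(config: str) -> List[Finding]:
    """Scan a Cisco IOS running-config for common weak settings.

    The checks and their ids are this example's own, not Nipper's.
    """
    findings: List[Finding] = []
    in_vty = False
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        # IOS indents the members of a 'line ...' block by one space; a line
        # at column zero starts a new top-level statement or block.
        if not raw.startswith(" "):
            in_vty = stripped.startswith("line vty")
        if stripped == "no service password-encryption":
            findings.append(("cleartext-passwords", stripped,
                             "enable 'service password-encryption' and prefer 'secret' forms"))
        elif stripped.startswith("enable password "):
            findings.append(("enable-password-not-secret", stripped,
                             "replace with 'enable secret' (salted hash instead of type 7)"))
        elif stripped.startswith("snmp-server community "):
            community = stripped.split()[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-snmp-community", stripped,
                                 "use a unique community string and an access-list, or SNMPv3"))
        elif stripped == "ip http server":
            findings.append(("http-management-enabled", stripped,
                             "use 'no ip http server' and 'ip http secure-server' if web management is needed"))
        elif in_vty and stripped.startswith("transport input "):
            allowed = set(stripped.split()[2:])
            if allowed & {"telnet", "all"}:
                findings.append(("telnet-on-vty", stripped,
                                 "restrict to 'transport input ssh'"))
    return findings


# Constructed configuration fragment for the example; not from any real device.
SAMPLE_CONFIG = """
hostname edge-rtr
no service password-encryption
enable password cisco123
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 login local
"""


if __name__ == "__main__":
    for check_id, line, advice in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{check_id}] {line!r}: {advice}")
```

The block-tracking is deliberately minimal (only `line vty` blocks matter to it); a real auditor also has to deal with `line con`/`aux`, per-line access-classes, and vendor dialects, which is exactly the breadth a dedicated tool such as Nipper supplies.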


You can download the free version of nipper.0.11.6 here.

Ncrack - High Speed Network Authentication Cracking Tool

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients.

Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system. You can also download the latest version straight from the SVN repository.

Flint - Web Based Firewall Rules Audit Tool

Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:
  • CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
  • ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules.
  • SANITY CHECK CHANGES to see if new rules create problems.
Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:
  • INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
  • LAX CONTROLS ON DMZs may expose staging and test servers.
  • FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
  • REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.


At the moment Flint only works with Cisco PIX/ASA. Support for Cisco IOS, BSD PF and Linux iptables is in the works.
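The two problems the list above highlights, rules that can never match traffic and overly permissive rules, can be detected mechanically once the rule set is in a structured form. The following Python is an added example, not Flint's code: it models a first-match rule base with a simplified rule (protocol, source and destination CIDR, destination port range) and flags rules that an earlier rule fully covers, distinguishing "redundant" (same action, just clutter) from "shadowed" (an earlier rule with the opposite action silently overrides it). The rule names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """A simplified first-match firewall rule (constructed for this example)."""
    name: str
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (any protocol)
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` would also match `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and ports_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Rules fully covered by an earlier rule never see traffic under first-match evaluation.

    Returns (rule, kind, covering_rule): 'redundant' when the actions agree,
    'shadowed' when an earlier rule with the opposite action overrides this one.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break  # the first covering rule is the one that wins at match time
    return findings


def find_overly_permissive(rules: List[Rule]) -> List[str]:
    """Permits from any source to every destination port are the 'lax control' case."""
    return [r.name for r in rules
            if r.action == "permit" and r.src == ANY and r.ports == ALL_PORTS]


# Constructed rule base: r3 duplicates r1, r4 is blocked by the earlier deny r2,
# r5 lets the whole world into a /12 on every port, r6 is fine.
SAMPLE_RULES = [
    Rule("r1", "permit", "tcp", "10.0.0.0/8",    "192.168.1.10/32", (443, 443)),
    Rule("r2", "deny",   "tcp", "10.0.0.0/8",    "192.168.1.0/24",  (1, 65535)),
    Rule("r3", "permit", "tcp", "10.1.2.0/24",   "192.168.1.10/32", (443, 443)),
    Rule("r4", "permit", "tcp", "10.5.0.0/16",   "192.168.1.20/32", (22, 22)),
    Rule("r5", "permit", "ip",  ANY,             "172.16.0.0/12",   ALL_PORTS),
    Rule("r6", "permit", "tcp", ANY,             "192.168.1.10/32", (80, 80)),
]


if __name__ == "__main__":
    for name, kind, by in find_shadowed(SAMPLE_RULES):
        print(f"{name}: {kind} (covered by {by})")
    for name in find_overly_permissive(SAMPLE_RULES):
        print(f"{name}: overly permissive")
```

Full coverage by a single earlier rule is the simple case; a rule can also be dead because several earlier rules together cover it, which needs set arithmetic over address and port ranges rather than a pairwise check, and is where a tool that "computes the effect of all the configuration rules" earns its keep.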

MagicTree - PenTester Productivity Tool

MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and report generation. In case you wonder, "Tree" is because all the data is stored in a tree structure, and "Magic" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting.

MagicTree Beta Two is mostly written in Java and has been tested on Linux, Windows and MacOS. It has no complicated installation procedure.

Read more...

Report Template

Generated Report

Find Shared Folders on Your LAN

I prefer to use netscan when scanning the LAN for open or shared folders. It is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).

In addition, it allows you to mount shared folders as network drives, browse them using Windows Explorer, filter the results list and more. SoftPerfect Network Scanner can also check a user-defined port and report back if it is open. It can also resolve host names and auto-detect your local and external IP range. It supports remote shutdown and Wake-On-LAN.


LFI Scanner & Exploiter

An LFI vulnerability scanner to find local file inclusion vulnerabilities in your web application. This script is written in Python, so you need Python installed on your system.

Usage: python lfi_scanner.py --url "http://www.example.com/index.php?page=aboutus"



Another LFI scanner, but this one is written in Perl.

Usage: perl lfi.pl


Once you have found a vulnerable website, you can use the LFI exploiter to exploit the vulnerability.
Usage: python lfi_sploiter.py --exploit-ur="http://www.example.com/index.php?page=aboutus" --vulnerable-parameter="page"


Maltego - Recon Tool

Maltego is an open source intelligence and forensics application. It offers timeous mining and gathering of information as well as the representation of this information in an easy to understand format. Coupled with its graphing libraries, Maltego allows you to identify key relationships between pieces of information and discover previously unknown relationships between them.


More tutorials on Maltego 3

VNC Password Bruteforce using Metasploit

A Metasploit module for running a dictionary attack against a VNC server.


Set the path to your dictionary file for the attack.


The vnc_none_auth module is also supported.

Safe Browsing

Google Safe Browsing is a handy tool which allows you to check a website that you think may not be genuine or may be distributing malware. To check it, you just need to type the following into your browser address bar: http://www.google.com/safebrowsing/diagnostic?site=<Your Target Website Address>. For example, if you want to check this website for malware, you can use http://www.google.com/safebrowsing/diagnostic?site=dgodam.com

Alternatively, you can use this online scanner to check whether your website has been infected with malware.

BlackSheep - Detect FireSheep on the Network

At the Toorcon 12 security conference, Eric Butler released a Firefox plugin named Firesheep, which drew significant media attention. Firesheep allowed any user to seamlessly hijack the web session of another user on the same local network. Although such attacks are not new, the ease of use presented by Firesheep brought session hijacking to the masses.

BlackSheep, also a Firefox plugin, is designed to combat Firesheep. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitoring traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain it makes a subsequent request to that same domain using the hijacked session information, in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network. When it is identified, the user will receive the following warning message:


It should be noted that Firesheep and BlackSheep cannot be installed on the same Firefox instance as they share much of the same code base. If you want to run both Firesheep and BlackSheep on the same machine, they should be installed in separate Firefox profiles.
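The detection idea above is a honeytoken: put a session cookie on the wire that no legitimate client would ever hold, then watch for anyone other than yourself presenting it back to the target domain. The Python below is an added example of that mechanism and is not BlackSheep's code; the monitored domain, the client addresses and the traffic it inspects are all constructed, and the cookie name `session` is a placeholder for whatever the real site uses. A real deployment would feed it requests from a packet capture or a proxy log rather than a hand-built list.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    """One observed HTTP request (constructed for this example)."""
    src_ip: str
    host: str
    cookie_header: str


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value map."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


class DecoyMonitor:
    """Plants a bogus session cookie for `domain` and flags anyone else who replays it."""

    def __init__(self, domain: str, cookie_name: str, own_ip: str,
                 token: Optional[str] = None):
        self.domain = domain
        self.cookie_name = cookie_name
        self.own_ip = own_ip
        # The decoy value is random, so a match can only come from someone who sniffed it.
        self.token = token or secrets.token_hex(16)

    def bait_request(self) -> Request:
        """The request that puts the decoy cookie on the wire, sent by the monitor itself."""
        return Request(self.own_ip, self.domain, f"{self.cookie_name}={self.token}")

    def check(self, req: Request) -> Optional[str]:
        """Return an alert if `req` replays the decoy to the domain from another host."""
        if req.host != self.domain:
            return None
        if parse_cookies(req.cookie_header).get(self.cookie_name) != self.token:
            return None
        if req.src_ip == self.own_ip:
            return None  # our own bait traffic, not a hijack
        return f"decoy session for {self.domain} replayed from {req.src_ip}"

    def scan(self, requests: List[Request]) -> List[str]:
        return [alert for alert in map(self.check, requests) if alert]


def run_sample() -> List[str]:
    """Constructed traffic: the bait, a legitimate user, and a hijacker replaying the decoy."""
    monitor = DecoyMonitor("www.example.com", "session", "192.0.2.10",
                           token="c0ffee" * 4)  # fixed token so the run is repeatable
    observed = [
        monitor.bait_request(),
        Request("192.0.2.20", "www.example.com", "session=7f3a9b2c; lang=en"),
        Request("192.0.2.77", "www.example.com", f"session={monitor.token}"),
        Request("192.0.2.77", "other.example.net", f"session={monitor.token}"),  # wrong host
    ]
    return monitor.scan(observed)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note what the check does and does not prove: a hit means the decoy value left your machine and came back from elsewhere, which on a shared network is strong evidence of sniffing, but the absence of a hit only means nobody replayed the bait, not that nobody is listening. Sites that bind sessions to TLS end to end remove the underlying problem rather than just detecting it.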

Here is a video on how Firesheep can hijack your Facebook or Twitter account.

Automated Wi-Fi Pentest

Wi-fEye is designed to help with network penetration testing. Wi-fEye will allow you to perform a number of powerful attacks automatically: all you have to do is launch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the magic!

Read more...





Vulnerable Web Applications

A list of vulnerable web applications for learning purposes. It is useful for running hands-on training in web application security.

Foundstone Hacme Applications
Acunetix Applications
OWASP

Mutillidae (php)
Damn Vulnerable Web Application (DVWA) (php)
Google Gruyere
BadStore (perl CGI)
Moth
Cenzic (php)
SPI Dynamics (asp)
Watchfire (asp.net)

Web Backdoor

A collection of web backdoors for exploiting vulnerable file upload facilities and the like.

The package includes:
cmd-asp-5.1.asp
cmdasp.asp
cmdasp.aspx
cmdjsp.jsp
jsp-reverse.jsp
php-backdoor.php
simple-backdoor.php
perlcmd.cgi
cfexec.cfm

Armitage

Cyber Attack Management for Metasploit

I found this GUI tool for Metasploit called Armitage. Very interesting. It's like Core Impact for the poor :)

Armitage is a graphical cyber attack management tool for Metasploit that visualizes the targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.



Some nice video tutorials as well.





Darkc0de Archive

darkc0de.com was a security and hacking related website which contained a large archive of Python scripts, exploits and tutorials. Unfortunately, the site is no longer available. The attached tar file contains most of the tools from the site.

Sandbox

Virus and malware analyser

Sunbelt Security
Sunbelt CWSandbox provides fast analysis of virus, spyware, trojan or other malware samples. CWSandbox enables the automatic collection of malware from different inputs, including Nepenthes, a web server/interface or a directory. Rapidly analyze the behavior of malware - including infected trojans, Office documents, browser helper objects (BHOs), malicious URLs and more - by executing the code inside a controlled environment, the Sunbelt malware sandbox!



Norman Sandbox
Norman Sandbox offers free uploads of program files that you suspect are malicious or infected by malicious components, with instant analysis by Norman SandBox. It provides in-depth information about the analysis Norman SandBox performed on each malicious file that is uploaded, and a search facility across all analyses for Registry keys, file names, etc. The result is also sent to you by email.



Microsoft Malware Protection Center
The Microsoft Malware Protection Center (MMPC) provides world class antimalware research and response capabilities that support Microsoft's range of security products and services. With laboratories in multiple locations around the globe the MMPC is able to respond quickly and effectively to new malicious and potentially unwanted software threats wherever and whenever they arise.



Comodo Instant Malware Analysis
This is a secure malware analysis system which gives a detailed report of what an executable does, including registry edits and the creation and deletion of folders.



FortiGuard
If you discover a suspicious file on your machine, or suspect that a program you downloaded from the internet might be malicious, you can scan it here. Enter the name of the file to be checked in the box below and it will automatically be uploaded from your computer to a dedicated server, where it will be scanned using FortiClient Antivirus. Only one file of up to 1 MB can be checked at a time.

 
Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
