Tools

The following are recent tools published by MWR InfoSecurity.



Android WebContentResolver

Dec 02, 2011

When assessing Android devices and applications, we regularly come across vulnerabilities in Android Content-Providers. These vulnerabilities are often similar to those found in web application security tests. In particular, SQL injection and directory traversal vulnerabilities are common problems in Content-Providers.

WebContentResolver runs on an Android device or emulator and will offer a web service interface to all installed Content-Providers. This will not only allow a security tester to use a web browser to test for vulnerabilities, but also to leverage the power of current web application testing tools, such as sqlmap, to find and exploit vulnerabilities in Content-Providers.

This tool is very much in an alpha state and we are currently working on several improvements for this tool and the Android assessment toolset in general.


Rulestats.pm - A SpamAssassin Rule Statistics Plugin

May 14, 2010

This is a SpamAssassin plugin which stores, on a rule by rule basis, the number of spam emails that each SpamAssassin rule (including subtests which are only used internally) fired on, the number of legitimate emails that the rule fired on and the maximum and minimum scores of emails that each rule fired on. System administrators should find this very useful as it will provide an immediate insight into the accuracy and suitability of each rule that is used, based on other rules.

There are several SpamAssassin rule-based analysis projects currently available but most of them seem to work by analysing the logs that SpamAssassin generates. This plugin does not work in this way; it hooks into SpamAssassin’s checking code and writes the statistics directly to a MySQL database, offering real-time accurate statistics which do not rely on log file parsing or analysis.


DLSw Query Tool

Nov 17, 2009

This tool is intended for the purpose of evaluating security controls applied to the DLSw service running on a Cisco routing device.


TCP-over-File Tunnel

Jan 12, 2009

As of Windows 2003, Terminal Services supports the sharing of local folders with clients by default; this tool can be used to tunnel multiple simultaneous TCP connections through shared files. This is very useful if, during a penetration test, you can connect to a server via RDP deep within a data centre and would like to forward ports but all traditional covert channels such as reverse connections and DNS tunnelling are blocked.

It is often the experience of the author that too much reliance is placed upon locked-down GUIs, and so it is assumed that it would be difficult for an attacker to directly attack other servers within the data centre. Combined with Metasploit’s meterpreter, this tool can be used to tunnel exploits through RDP to attack otherwise inaccessible servers.

It must be noted that a custom virtual channel could be implemented for the same purpose, rather than relying on shared files. However, tunnelling connections through files was chosen as this is often desired functionality and so might be a business requirement. Additionally, this tool could potentially be useful in other environments outside of RDP.


RDP Cipher Checker

Jan 12, 2009

This is a Python script that will enumerate the encryption protocols supported by the server and the cipher strengths supported using native RDP encryption (assuming this is supported).


VMware authd brute forcer

Aug 15, 2008

This is a multithreaded tool to bruteforce the VMware console. This acts as a wrapper around VMware-cmd, which must be installed for this to function. It will allow you to try multiple passwords for a single user account in order to identify any weak passwords which may have been set.

Around 10 threads will normally be fine; Windows systems will lap it up, while *NIX systems will be slower. The dictionary should be specified by path. For efficiency and to ensure concurrency between threads, the dictionary is read into memory.

WARNING: inetd will only allow a certain number of connections per minute (around 250); after this number the service, in this case vmware-authd, will die, causing a DoS. Therefore be careful if you are using this tool against UNIX-based systems. If so, ensure that xinetd is being used instead.


VMware VI toolkit

Aug 15, 2008

This toolkit allows you to use the VMware VI API from within Ruby to communicate with an ESX host.

The VI API is the same API that the virtual infrastructure client provided by VMware uses in order to talk to a host. This toolkit includes modules which allow you to perform actions against and retrieve information from an ESX server.

This makes things easily scriptable and also provides access to areas which are not available through the VI client, such as patch levels.


VMware VIX toolkit

Aug 15, 2008

This toolkit allows you to use the VMware VIX API within Ruby scripts. This is essentially a shared object which provides methods that Ruby scripts can call in order to interact with virtual machines or VMware servers. Some of the actions which can be performed with this include:

  • transferring files to the virtual machine
  • copying files from the virtual machine
  • executing commands and scripts on the virtual machine

This functionality is beyond what can be performed from the console of a server.


SSID Script Injection

Jul 29, 2008

To assist the testing of SSID script injection, a Python-based tool for Atheros chipsets was developed. It acts as a wrapper around iwconfig and wlanconfig, creating two different wireless interface instances in Access Point mode with the desired SSIDs. This is a proof of concept script to assist the testing of potential SSID script injection conditions.


DHCP Script Injection

Jul 29, 2008

To assist the testing of DHCP script injection, a Python-based tool was developed. It uses the Scapy packet generation library and allows users to send specially crafted DHCPREQUEST packets to the target DHCP server. This is a proof of concept script to assist the testing of potential DHCP script injection conditions.


MQ Jumping

Aug 13, 2007

The tools described by Martyn Ruks for MQ jumping at DefCon 15.


Windows Access Tokens: Incognito Tool

Aug 13, 2007

Incognito tool available at: http://sourceforge.net/projects/incognito/.