Black Hat USA 2011: ToolsTube with Alejandro Hernández on DotDotPwn

It’s a very flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It’s written in perl programming language and can be run either under *NIX or Windows platforms.

Fuzzing modules supported:

HTTP
HTTP URL
FTP
TFTP
Payload (Protocol independent)
STDOUT

Today, DotDotPwn has found more than 10 security flaws in some HTTP, FTP and TFTP servers.

More information about DotDotPwn

Alejandro Hernández is a mexican IT Security Advisor that is mostly involved in projects regarding to Penetration Testing, IT governance, Risk analysis, Tiger Teaming, ISMS design, Gap analysis, security controls assessments, IT security strategy design, audit of IT controls over financial reporting, among other tasks.

With some years of Vulnerability Development experience, he has found design and security bugs in products of companies such as Cisco and TrendMicro, as well as in software like Ubuntu Linux, Snort and Acunetix WVS. One of his latest achievements was capturing the flag in the CTF (Capture The Flag) held in SANS Toronto 10′.

Nowadays, he spends part of his time doing research in topics regarding critical infrastructure and intelligent fuzzing. Also, he is fascinated with Computer Sciences, Evolutionary Computation (specifically Genetic Algorithms), Tactical Exploitation and Counterintelligence things.