Black Hat Arsenal USA 2014 – Wrap up Day 2

The second day of the Arsenal came back with a new bunch of tools. We were ready to rock the scene even if the hangover was a killer. The ambiance was awesome and the audience huge as usual.

Here is the second wave of the Arsenal narrated through pictures. You better think twice before you miss the next session of Blackhat Arsenal.

Android Device Testing Framework – Jake Valletta

The Android Device Testing Framework (“dtf”) is a data collection and analysis framework to help individuals answer the question: “Where are the vulnerabilities on this mobile device?” Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges).

These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities

Download link >> https://github.com/jakev/dtf

Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Valletta-Android-Device-Testing-Framework-Slides.pdf

Automated Memory Analysis – Tomer Teller

Automated Memory Analysis is a set of new innovative Cuckoo Sandbox plugins that adds new dynamic and memory analysis abilities such as:

Trigger-Based memory analysis: Taking multiple memory dumps during execution in “strategic moments” by analyzing API calls, CPU performance counters, and tracing execution with Dynamic Binary Instrumentation techniques.
Memory Dump differential analysis: Detecting malicious artifacts during binary execution using Virtual Machine Introspection techniques.
Mis-behavioral analysis: Detecting malware that evade traditional API-call behavioral analysis using low-level kernel hooks.

Malware samples such as Snake (Uroburos), Stuxnet, and friends that evaded analysis will be dissected live to demonstrate the toolkit abilities.

Download >> https://github.com/djteller/MemoryAnalysis

Whitepaper >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-WP.pdf

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-Slides.pdf

C-Scad: Assessing security flaws in ClearSCADA Web-X Client Aditya K Sood

C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. Web-X client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture.

Primarily, the Web-X client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WEB-X client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.

C-SCAD is authored in Python and is capable of the following:

Enumerates active users configured for the Web-X access
Enumerates configured databases and SQL lists for the ClearSCADA
Performs complete configuration check for exposed components
Verifies access to diagnostic page and dumps required information
Executes dictionary attacks for checking weak credentials
Triggers Shodan search queries for exposed ClearSCADA Web-X client on the Internet

Download link >> http://cscad.secniche.org

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Sood-C-Scad-Slides.pdf

Heybe – PenetrationTesting Automation – Gokhan Alkan & Bahtiyar Bircan

Heybe is Penetration Testing Automation Kit. It consists of modules that can be used to fully automate pen-tests and make them mode effective. With Heybe you can 0wn all systems in a target company in matter of minutes.

Heybe modules:

Fener: fast network discovery tool optimized for speed. Fener leverages several networking tools to discover all hosts within target network.
Kevgir : automatic vulnerability scan tool. Kevgir is an automated vulnerability scanning tool optimized for speed. With Kevgir, an entire internal network can be scanned for specific vulnerabilities within minutes.
Sees: high precision social engineering tool. Sees is used for performing tail-made social engineering campaigns with high success ratio.
Kacak: automatic domain admin takeover tool. Kacak is developed to discover target windows machines in network and take over entire Windows domain automatically.
Depdep: post exploitation tool. Depdep is a merciless sentinel which will seek sensitive files containing critical info leaking through your network
Cilingir: remote password cracker. Cilingir is a tool used to automate password / hash capturing and cracking process. Captured credentials are automatically sent to a remote password cracking server and cracked passwords are automatically stored in a local loot for usage during pen-test.
Levye : brute force tool. Levye is used for automating brute forcing process against common and not so common protocols like openvpn.

Download link >> https://github.com/galkan/ (you must download all the tools under Galkan repository. Heybe is a set of separate modules)

JTAGulator – Joe Grand former ‘Kingpin’ of L0pht

JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, or component pads on a circuit board. The tool can save a tremendous amount of time during reverse engineering, particularly for those who don’t have the skill and/or equipment required for traditional processes.

Released at Black Hat USA 2013, the tool supports detection of JTAG and asynchronous serial/UART interfaces. New features are being added as they’re developed to expand the functionality and increase support for other protocols.

Download Link >> https://github.com/grandideastudio/jtagulator

Material from Arsenal >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Grand-JTAGulator-Tool.zip

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Grand-JTAGulator-Slides.pdf

Melkor – An ELF File Format Fuzzer

Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws have been found manually through code review and binary modification. Nowadays, 15 years later, common programming mistakes are still being implemented in many ELF parsers that are being released these days very often, either as debuggers, reverse engineering tools, AV analyzers, plugins or as malware (yes, malware has parsers too). Here’s where ELF file format fuzzing comes into the game to help you to identify these bugs in an automated fashion.

In this presentation, I will show you the security risks involved in the ELF parsing process as well as the materialization of such risks by showing different bugs found during this research. After that, I’ll explain how intelligent file format fuzzing can help greatly in the flaw discovery process. Having a good background about the ELF file format and how smart fuzzing could help, I’ll continue with a detailed explanation on how I mixed and implemented both concepts in Melkor – an ELF file format fuzzer.

Melkor, written in C, it’s an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed using three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other misc ideas and considerations. In order to have higher code/branch coverage in the programs to be tested, certain metadata dependencies must be in place; I’ll show you how Melkor implements these rules when creating malformed ELF files.

In the end of the presentation, the code of Melkor will be released and I’ll show you how to use it with some live demos where some real-world applications will be tested against fuzzed ELF files.

Download Link >> http://www.brainoverflow.org/code/melkor-v1.0.tar.gz

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Hernandez-Melkor-Slides.pdf

ModSecurity – Ryan Barnett

ModSecurity is an open source, cross-platform web application firewall (WAF) module.

Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. Come checkout the new advancements in ModSecurity and try some hands-on evasion challenges!

New features presented at Arsenal
* JSON Parser is no longer under tests. Now it is part of our mainline;
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list;
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request;
* ModSecurity status is now part of our mainline;
* New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality;
* Append and prepend are now supported on nginx (Ref: #635);
* SecServerSignature is now available on nginx (Ref: #637).

Download link >> https://www.modsecurity.org/

MozDef The Mozilla Defense Platform – Jeff Bryner

Attackers have all the fun. With slick, integrated, real-time, open suites like metasploit, armitage, SET, and lair they quickly seek out targets, share exploits, gain footholds, and usually win.

The time has come for defense to get the same capabilities in an open source platform dedicated to defense and based on modern technology.

To this end the operations security group at Mozilla has developed MozDef: The Mozilla Defense Platform to take on traditional SIEM functionality of event management, alerting and correlation, and expand the real-time capabilities of the defender into automated defense and shared incident response.

Download link >> https://github.com/jeffbryner/MozDef/

Volatility Framework 2.4 – Michael Ligh

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples of Windows, Linux, Mac OS X, and Android systems.

Our last release received over 40,000 downloads and we’re equally as excited to get 2.4 into the hands of forensic investigators and malware analysts. Some of the key features of the 2.4 release that we’ll be demoing are:

Extraction of cached Truecrypt passphrases and master keys (AES, Twofish, Serpent, etc.)
Support for Windows 8.1 and 2012 R2 x64 memory dumps, including on-the-fly decoding of the kernel debugger data block
Tracking Mac OS X Mavericks user activity by recovering unencrypted PGP emails, OTR (off-the-record) chat messages, contacts, calendar items, notes, and saved Keychain credentials
Detection of advanced Linux rootkits, such as those that leverage GOT/PLT in user mode and Netfilter hooking in the kernel
Circumventing the new compressed swap facility implemented in Mac OS X and Linux operating systems

Download link >> https://github.com/volatilityfoundation

Documentation and everything Volatility >> http://www.volatilityfoundation.org/

FSExploitMe – Brad Antoniewicz

FSExploitMe is a purposely vulnerable ActiveX Control to teach you about browser exploitation. Along the way you’ll learn reverse engineering, vulnerability analysis, and general exploitation on Windows.

Download link >> https://github.com/OpenSecurityResearch/FSExploitMe

Ice-Hole – Darren Manners

Ice-Hole is a phishing awareness email program. It is designed to help security analysts/system administrators keep track and test end users.

The tool can be used in conjunction with various third party software, like SET, for further leverage. 1.7 has some new features and enhancements like IRC triggers, integrating with a new portal feature, automatic times, dates, and sending reports on a schedule.

Download link >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Manners-Ice-Hole-Tool.zip

Impacket – Andres Blanco

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB, SMB and MSRPC and DCOM. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

The following features will be demoed:

New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available):
- Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
- Support for RPC_C_AUTHN_NETLOGON (experimental)
- The following interface were developed based on its standard definition:
  - [MS-LSAD] – Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
  - [MS-LSAT] – Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
  - [MS-NRPC] – Netlogon Remote Protocol (nrpc.py)
  - [MS-RRP] – Windows Remote Registry Protocol (rrp.py)
  - [MS-SAMR] – Security Account Manager (SAM) Remote Protocol (samr.py)
  - [MS-SCMR] – Service Control Manager Remote Protocol (scmr.py)
  - [MS-SRVS] – Server Service Remote Protocol (srvs.py)
  - [MS-WKST] – Workstation Service Remote Protocol (wkst.py)
  - [MS-RPCE]-C706 – Remote Procedure Call Protocol Extensions (epm.py)
  - [MS-DTYP] – Windows Data Types (dtypes.py)

Most of the DCE Calls have helper functions for easier use. Test cases added for all calls (check the test cases directory)

ESE parser (Extensive Storage Engine) (ese.py)
Windows Registry parser (winregistry.py)
TDS protocol now supports SSL, can be used from mssqlclient
Support for EAPOL, EAP and WPS decoders
VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
WMI query and execution

Download link >> https://code.google.com/p/impacket/

Documentation and cool stuffs >> http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket

iSpy – Joe DeMesy

Frustrated with the lack of mature tools for iOS security assessment? Wouldn’t you like an integrated toolchain to pull together many of the existing tools, but also integrate new and interesting tools? Perhaps you’d like to use some more advanced iOS hacking/reversing/debugging but don’t have time on the job to learn gdb. Maybe you just want to pick up iOS hacking fast and would like a mature toolchain to help you.

We can help. We’ll be bringing goodies to the table:

A “reverse sandbox” in which iOS apps can be run on jailbroken devices. It provides easily configured monitoring, hooking, disabling/enabling, and logging of Objective-C methods, C functions, and other goodies. We’ll show you how to use this to defeat common anti-jailbreaking checks in a matter of minutes.
Automated tools to help cover the routine aspects of iOS app security:
- Insecure functions
- Insecure network transmission
- Insecure compiler settings
Hands up if you’d rather choke on a pretzel than write a report. Yeah, us too. We’ll be presenting tools that not only do security work, but that provide data that can be easily incorporated into deliverables.
We’ll help you streamline your testing by automating a lot of the grunt work, leaving you free to do what you do best: hack.
We might even drop some mobile device management 0day! (pending serious people in suits telling us it’s ok)

Download link >> https://github.com/BishopFox/iSpy

Praeda – Deral Heiland

Praeda – Latin for “plunder, spoils of war, booty”. Praeda is an automated data/information harvesting tool designed to gather critical information from various embedded devices.

Praeda leverages various implementation weaknesses and vulnerabilities found on multifunction printers (MFP) and extracts Active directory credentials from MFP configurations such as SMTP, LDAP, POP3 and SMB settings.

Praeda also test for default passwords on targeted devices and gathers SNMP community strings from network cameras, sans, UPSs and other embedded devices on the network.

During demonstration we will introduce everyone to the features and functions of this tool and how to effectively leverage it during internal penetrations testing to gather credentials that can be used to gain access to critical internal system.

Download Link >> https://github.com/percx/Praeda

reGeorg – Willem Mouton

In 2008 we released reDuh (http://research.sensepost.com/tools/web/reduh), a network tunnelling tool that allowed port forwarding via a web-shell and HTTP/S to backend services. reDuh has since become part of any attackers standard toolkit, featuring in several books and notoriously described as “insidious” by HBGary in their leaked e-mails.

However, when doing any sort of tunnelling, targeting multiple hosts and ports can be frustrating as it requires a tunnel to be setup for each unique host:port combination. Enter reGeorg; this is a rewrite of reDuh to support a full SOCKS4/5 proxy interface. This allows one tunnel to be used to make multiple connections, including port scans. Additionally, capabilities to take advantage of HTML5 websockets (where available) have been built for faster connections.

In short, if you can get a webshell up, you can use reGorg to gain access with your favourite tool (Nmap, Metasploit, etc.) to the entire internal network range your compromised server has access to.

The list of currently supported web frameworks are: ASP.NET, JSP, PHP, ASP
The list of currently supported transports are: HTTP, HTTPS, HTML5 WebSockets

Download link >> https://github.com/sensepost/reGeorg

ThreadFix – Dan Cornell

ThreadFix is the industry leading application vulnerability management platform that provides a window into the state of application security programs for organizations that build software. The platform helps to bridge a challenging communication gap between security and software development teams by aggregating vulnerability test results from static and dynamic application security scanning tools.

ThreadFix also allows users to input the results of manual penetration testing, code review and threat modeling to provide a comprehensive view of software security for an organization. Once a unified list of security vulnerabilities has been created, ThreadFix allows application security managers to further prioritize discovered vulnerabilities via a centralized dashboard. Our platform allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. As the development team resolves defects, status updates are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm that security holes have indeed been closed. ThreadFix also auto-generates application firewall rules to block application attacks while remediation efforts occur.

ThreadFix empowers managers with vulnerability trending reports that demonstrate software security progress over time.

Changelog during Arsenal

-Hybrid Analysis Mapping (HAM) to correlate SAST and DAST scanner results
-Scanner plugins for OWASP ZAP and BurpSuite that pre-calculate application attack surface
-Support for HP Quality Center and Version One integration
-Support for Cenzic/Trustwave Hailstorm and Checkmarx
-IDE plugins for Eclipse and IntelliJ

Download and great resources >> http://www.threadfix.org

Arsenal Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Cornell-ThreadFix-Slides.pdf

W3af Web Security Scanner – Andres Riancho

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

W3af is structured around plugins. They are very important to w3af, they extend the framework in various ways such as finding new vulnerabilities, identifying new URLs and writing these to different file types. The plugins are coordinated by the core strategy and consume the core features.

Our framework is proudly developed using Python to be easy to use and extend, and licensed under GPLv2.0.

Download link and documentation >> http://w3af.org

Arsenal Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Riancho-w3af-Slides.pdf

Zig Tools – Mike Warner

ZigTools is a Python framework, which was developed to reduce the complexity in writing additional functionality in communicating with the Freakduino (Low cost arduino based 802.15.4 platform).

Features such as initializing the radio, changing channels, sending data and processing that data can be written in just a few lines, allowing developers to focus on writing more complex applications without worrying about the low-level communications between the radio and computer.

Download link >> https://github.com/iSECPartners/ZigTools

BeEF – Michele Orru

A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The examples will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We’ll delve into Chrome and Firefox extensions (automating various repetitive actions that you’ll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, this is for you.

Download link and BeEF resources >> http://beefproject.com/

Cynomix – Giacomo Bergamo

The stream of malicious software artifacts (malware) discovered daily by computer security professionals is a vital signal for threat intelligence, as malware bears telling clues about who active adversaries are, what their goals are, and how we can stop them. Unfortunately, while security operations centers collect huge volumes of malware daily, this “malware signal” goes underutilized as a source of defensive intelligence, because organizations lack the right tools to make sense of malware at scale.

To contribute to addressing this problem we will be launching Cynomix.org at the opening of Black Hat USA 2014. Cynomix will include three key, novel capabilities that we hope will broadly impact the way malware analysis is performed:

A subsystem for revealing “social network” style relationships between malware samples based on their shared characteristics. This subsystem allows analysts to see a group of malware samples in relation to a population-scale database of millions of malware samples.
A subsystem for revealing malware sample capabilities based on correlations between samples’ extracted technical symbols and a machine-learning model trained on web question-and-answer documents.
A subsystem for automatically generating statistically principled Yara signatures for malware samples and malware sample groups based on Bayesian reasoning at scale. This subsystem will allow users of Cynomix to quickly defend against new malware families before anti-virus companies generate signatures for them.

In our demonstration presentation at Black Hat Arsenal we will introduce Black Hat attendees to Cynomix.org, which will host a freely available version of our system. As part of our demonstration we will give detailed explanations of our platform’s visualizations and algorithms while also helping people to sign up to use the system in their own security operations work.

Register to beta >> http://www.cynomix.org/

DAMM – Differential Analysis of Malware in Memory – Vico Marziale

Detecting malware is difficult, and analyzing a detected piece of malware’s behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As the result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach.

We present a novel technique for leveraging information including multiple snapshots of physical RAM for malware detection and analysis. The technique is implemented as DAMM, a tool for differential analysis of malware in memory. DAMM functions by leveraging multiple snapshots of RAM, domain knowledge about known-benign in-memory artifacts, and indicators of malicious activity to present to the user a powerful view of malicious execution in memory.

Download link >> Awaiting update from authors

iMas – iOS Mobile Application Security Libs – Gregg Ganley

iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched the app can be further exploited, its app data stolen, and even cloned.

The iMAS research team, the team that brought Encrypted CoreData (ECD) to Github open source, has your back! At this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications. Using ECM as the base we will demonstrate an iOS app anti-tamper technique that is considerably more resistant to patching. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.

Download link and documentation >> http://project-imas.github.io/

OWASP PCI Toolkit – Johanna Curiel

The PCI toolkit is based on a decision tree assessment methodology, which helps you identify if your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing, one by one, you will be able to create an assessment and a final report of your scope delimitation and which OWASP guidelines must be used.

Changelog during Arsenal
Alpha Release 1.2 is Plan for End July 2014
-Analysis Report of Development Environment process and procedures
-Analysis Report of Testing Environment process and procedures

Download link and documentation >> https://www.owasp.org/index.php/Category:OWASP_PCI_Project#tab=Main

SecureScan SaaS Free Scanner – Edward Smith

Tripwire SecureScan™ is a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks.

This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability among many others. Fast, free, and simple to use – no license required.

Free registration and documentation >> http://www.tripwire.com/securescan/

Serpico – Will Vandevanter & Peter Arzamendi

Serpico is a report generation and collaboration tool. Serpico’s primary function is to cut down on the amount of time it takes to write a penetration testing report. When building a report the user adds “findings” from the template database to the report. When there are enough findings, the user clicks ‘Generate Report’ to create the docx of the report.

New Report templates can be added through the UI making the reports easy to customize. The Report Templates themselves use a custom Markup Language that includes common variables (i.e. finding name, customer name, customer address, etc.) along with more complex requirements. It is meant to be simple and intuitive.

Serpico is already in use by a number of consultants, but we think it is time to get the word out. Serpico was built by penetration testers with a pen-testers methodology in mind. It might make you hate report writing just a little bit less.

Download link >> https://github.com/MooseDojo/Serpico/

Viproy VoIP Penetration Testing & Exploitation Kit – Fatih Ozavci

Viproy Voip Pen-Test Kit is developed to improve the quality of VoIP Penetration Tests. First version of Viproy had SIP trust hacking, SIP proxy bounce scan and advanced SIP attacks.

Viproy 2.0 will provide improved SIP penetration testing features such as TCP, TLS, vendor (Cisco, Microsoft Lync) supports and multi-thread fixes. Furthermore, the new version will have Cisco Skinny protocol and Cisco HCS (VOSS) server supports to initiate unauthorised call redirection attacks, speed dial manipulation, unauthorised calls using Skinny and information gathering attacks.

Documentation and official website >> http://www.viproy.com/

Code published at Arsenal >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Ozavci-Viproy-Tool.zip

Arsenal Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Ozavci-Viproy-Slides.pdf

Watobo – The Web Application Toolbox – Andreas Schmidt

WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.

Most important features are:

WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
WATOB can act as a transparent proxy (requires nfqueue)
WATOBO can perform vulnerability checks out of the box
WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
WATOBO is written in (FX)Ruby and enables you to easily define your own checks
WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
WATOBO is free software (licensed under the GNU General Public License Version 2)

Changelog at Arsenal

* fixed ntlm authentication
* Fixed status bar infos
* if match value contains 3 digits it will be treated as response code (reduces false positives)
* CA serial now starts with current time to avoid serial number conflicts after reinitializing CA
* fixed cookie access in passive module ‘possible_login’
* little fix in xxe module
* fixed crash when selecting ‘scope only’ in sites-tree
* fixed transcoder, so all CRLF will be removed before Base64 decoding
* now removes Expect-100-continue headers from client
* added json support for table editor (only first level paramaters)
Download Link and documentation >> http://watobo.sourceforge.net