Security-Database Blog

FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful firefox extensions oriented application security auditing and assessment. FireCAT is not a remplacement of other security utilities and softwares as well as fuzzers, proxies and application vulnerabilities scanners.

cudadbcracker is a salted SHA-1 cracker for cracking database password hashes using CUDA enabled videocards. It was developed using NVIDIA CUDA Software Development Kit (CUDA SDK) Version 2.1.

The year 2009 was very intense of emotions, sadness, sorrows, and conflicts. The world as we knew or at least our parents did is changing so fast and unfortunately not in the right way.

The very bad economic situation, the stinky religions conflicts, the riots and wars, the increase of radical extremists and the policy of fear that the governments feed us are urging this earth to an excruciating end.

But instead of talking about politicians and their immature and childish job they are doing as spreading fear, making the wrong choices (as usual), wasting taxpayers money and time, dumping people into poverty, we’d prefer focusing into enumerating the great software and tools we’ve seen this year.

So, we are happy that 2009 is finally over and we expect the best for 2010.

— Security-Database Team

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

L0phtCrack is a password auditing and recovery application (now called L0phtCrack 6), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.[1] It was one of the crackers’ tools of choice, although most use old versions because of its price and low availability.

The PTF (pentestration tests framework) enumerates the stages one’s should perform during a test (as described in the OSSTMM manual)

• Network footprinting
• Discovery & Probing
• Enumeration
• Vulnerability assessment
• Penetration (or exploitation)
• Plus other tests as well as physical, wireless assessment...

Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, LDAP injections, CRLF injections...It use the Python programming language.

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby, licensed under GNU General Public License version 3 (GPLv3). It’s goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

SAINT is the Security Administrator’s Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINT’s data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of the scan results are presented in hyperlinked HTML pages, and reports on complete scan results can be generated and save.

Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source (license).

YASAT (Yet Another Stupid Audit Tool) is a simple stupid audit tool. Its goal is to be as simple as possible with minimum binary dependencies (only sed, grep and cut).