Saturday 14 January 2012

Update BackTrack Installation

Before you execute a pentest, you should always update your BackTrack installation. Updating is straightforward, as it can be done via apt-get.

#apt-get update
#apt-get upgrade

This will install the latest applications and changes to BackTrack.

Metasploit will not be updated via apt-get, but you can update Metasploit nowadays via a simple msfupdate in BackTrack. Quite easy :-)

Searching for reported vulnerabilities

During the information gathering phase of a pentest, it is very important to check for already reported vulnerabilities. Once you know the exact version of the application, operating system, framework, $foo after using different tools (nmap, for example), this version string should be checked against several publicly available resources:


Exploit-db.com (uses the exploit archive of milw0rm.com, which was shut down in late 2009)


You can search all of these sites by vendor or product, and each also offers a free-text search.

Another good resource for researching publicly available exploits is securitytube.net. You can find a lot of different attacks and their descriptions for exploiting known vulnerabilities, presented as videos.

There are also some mailing lists available that can be searched:

Full Disclosure (very good source for the latest vulnerabilities)

Security Focus (BugTraq archive; the mail archive itself cannot be searched)


The search engine at nist.gov is quite useful if you are looking for a specific CVE number. You will get all the information associated with this vulnerability.

cvedetails.com is also a great resource if you're looking for a particular CVE number. You will get even more information than on nist.gov and also a link to an exploit, if one is available. The most important feature for me is that you can search for a specific product version.

For example, let's say you discover an Apache web server during the information gathering phase that also runs PHP version 5.3.5. Now you want to know which vulnerabilities are known for this PHP version. Just click on "Version Search" and enter the data.


As a result you will get a listing of all CVE entries related to PHP 5.3.5 (21 vulnerabilities right now). In this view you can also see whether an exploit is available (marked with a red circle).



But there is more to discover. If you click on PHP (red circle in the screenshot above) you will get a lot of statistics about all the vulnerabilities in PHP. When we click on "Browse all versions", the next view lists a table of all PHP versions with known vulnerabilities.





If you know more publicly available resources, leave a comment. Thx.

Monday 9 January 2012

Useful Chrome Extensions regarding Pentesting

There are a lot of different and useful Extensions for Google Chrome that can be used when executing a pentest. Right now there are more pentesting Add-Ons available for Firefox, but the number of pentesting Extensions for Chrome is growing pretty fast. So here is a short overview:

A good starting point is the project KromCAT (Google Chrome Catalog of Auditing exTensions). KromCAT provides a mind map that categorizes security and audit Extensions for Google Chrome. You can download this catalogue as HTML, as the actual mind map, or as a JPG of it. The result of the KromCAT project is also the basis for Mantra on Chrome. Mantra is a special Chrome version that has been adapted for students, penetration testers, web application developers, security professionals etc. and contains almost all Extensions of the KromCAT mind map.

As there is already a catalogue of Extensions maintained by KromCAT, I don't want to start my own list here. I just want to point out some Extensions that are quite useful for me. I'm not using Extensions for XSS scanning or tampering with HTTP data (especially because Extensions like XSS Rays never worked for me). There are better tools like Burp that can do these kinds of things. All of these Extensions still work with the latest version of Google Chrome and make my life easier when testing a web application:

Session Manager
This Extension is quite useful for saving all your open tabs as one session so you can reopen them later in the same arrangement.

Firebug Lite
Firebug for Google Chrome

Web Developer
A web developer Toolbar

IP Address and Domain Information
Quite useful Extension in the information gathering phase: it reveals a large amount of information about a certain IP or domain with one click.

Awesome Screenshot
Great Extension to take and modify a screenshot.

Proxy Switchy!
Proxy Switchy! is an advanced proxy manager for Google Chrome; it allows users to manage and switch between multiple proxy profiles quickly and easily.

With this extension, you can make notes on any web page, at any position. When you open that page again, the notes get loaded automatically.