iSEC Partners -

Fuzzbox

anastasia — Tue, 07 Aug 2007 10:04:39 -0700

Fuzzbox is a multi-codec media fuzzer.

Prerequisites: Python, py-vorbis 1.4, and mutagen 1.11
Downloads:
fuzzbox.tar.gz

Forensic Fuzzing Tools

alex — Fri, 03 Aug 2007 16:30:07 -0700

This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems.

Prerequisites: Linux/Python
Downloads:iSEC Forensics Fuzzing Tools

SAMLPummel

anastasia — Tue, 31 Jul 2007 11:08:17 -0700

SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems.

C14N Entity Expansion
C14N Transforms
Remote DTD
Remote KeyInfo RetrievalMethod
Remote KeyInfo WSSE Security Token Reference
SignedInfo Remote Reference
XSLT Transform URL Retrieval (Xalan)
XSLT Transform Thread Suspension (Xalan)

Prerequisites: Java Runtime Environment 1.5 or greater, WebScarab (modified self-contained jar included)
Downloads: SamlPummel

Jailbreak

anastasia — Tue, 31 Jul 2007 10:04:26 -0700

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.

Prerequisites: Win32
Downloads:
jailbreak_3.1.zip

ProxMon

alex — Thu, 29 Mar 2007 10:14:01 -0700

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Key features:

automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
proxy agnostic
included library of vulnerability checks
active testing mode
cross platform
open source license
easy to program extensible python framework

Prerequisites: Python
proxmon-1.0.18.tar.gz
proxmon-1.0.18.exe

CyberVillainsCA

anastasia — Wed, 28 Mar 2007 10:26:08 -0700

The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included).

Generates a Certification Authority certificate for importation as a Trusted Root
Automatically generates standard SSL server certificates for a given CNAME
Simple API to duplicate and re-sign any certificate, preserving all extensions
Automatically manages persistence and the mapping between original and duplicated certificates
Also can manage substitution of ‘naked’ public keys or a mixture of keys and certificates (as may be seen in WS-Security)

Prerequisites: Java Runtime Environment 1.5 or greater, Legion of the Bouncy Castle Java Cryptography Provider (included)

Download:
CyberVillainsCA.zip

File Fuzzers

alex — Fri, 22 Sep 2006 12:36:41 -0700

These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers.

FileP is a python-based file fuzzer. It generates mutated files from a list of source files and feeds them to an external program in batches.
Prerequisites: Python 2.4

FileH is a haskell-based file fuzzer. It generates mutated files from a list of source files and feeds them to an external program in batches.
Prerequisites: GHC 6.4.2

Downloads:
filep.zip
fileh.zip

Windows IPC Fuzzing Tools

alex — Tue, 22 Aug 2006 20:25:18 -0700

This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer.

Prerequisites: Windows, Python
iSEC_Public_IPC_Fuzzing_Tools.zip

WSMap

chris — Mon, 31 Jul 2006 17:41:10 -0700

WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files.

Parses WebScarab logs to find testing targets
Tests URLs and implies URLs found in log
Tests for WSDL and DISCO web service discovery formats

Prerequisites: WebScarab, Python 2.4, pyCurl

Download:
WSMap.py.txt

WSBang

chris — Mon, 31 Jul 2006 17:39:12 -0700

WSBang is a Python-based tool used to perform automated security testing of SOAP based web services.

Takes URL of WSDL as input
Fuzzes all methods and parameters in the service
Identifies all methods and parameters, including complex parameters
Fuzzes parameters based on type specified in WSDL
Reports SOAP responses and faults

Prerequisites: Python 2.4, SOAPpy v11.6 , pyXML, fpconst

Downloads:
WSBang.zip
WSBang.tar.gz