Portcullis Labs - command line

Apache Users | Content

Thu, 11 Sep 2008 11:22:18 GMT

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

BSQL Hacker | Content

Wed, 29 Oct 2008 15:28:02 GMT

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Source Code Repository

Public SVN Server (including nightly builds development environment)

Download Installer

BSQLHackerSetup-0909.exe

Key Features

Easy Mode
- SQL Injection Wizard
- Automated Attack Support (database dump)
  - ORACLE
  - MSSQL
  - MySQL (experimental)
General
- Fast and Multithreaded
- 4 Different SQL Injection Support
  - Blind SQL Injection
  - Time Based Blind SQL Injection
  - Deep Blind (based on advanced time delays) SQL Injection
  - Error Based SQL Injection
- Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
- RegEx Signature support
- Console and GUI Support
- Load / Save Support
- Token / Nonce / ViewState etc. Support
- Session Sharing Support
- Advanced Configuration Support
- Automated Attack mode, Automatically extract all database schema and data mode

Update / Exploit Repository Features
- Metasploit alike but exploit repository support
- Allows to save and share SQL Injection exploits
- Supports auto-update
- Custom GUI support for exploits (cookie input, URL input etc.)

GUI Features
- Load and Save
- Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
- Visually view true and false responses as well as full HTML response, including time and stats

Connection Related
- Proxy Support (Authenticated Proxy Support)
- NTLM, Basic Auth Support, use default credentials of current user/application
- SSL (also invalid certificates) Support
- Custom Header Support

Injection Points (only one of them or combination)
- Query String
- Post
- HTTP Headers
- Cookies

Other
- Post Injection data can be stored in a separated file
- XML Output (not stable)
- CSRF protection support

one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.

It's still beta and there are known issues :

Automated Attack for MySQL is experimental, might not work properly

BSQL brute forcer V2 | Content

Wed, 18 Jun 2008 12:21:58 GMT

This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:-

0. MS-SQL
1. MySQl
2. Postgres
3. Oracle

The tool supports 2 attack modes(-type switch):-

Type 0:- Blind SQL Injection based on true and false conditions returned by back-end server

Type 1:- Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"

ManySSL | Content

Tue, 09 Dec 2008 15:40:49 GMT

This PERL script will enumerate the SSL ciphers in use on any SSL encrypted service. It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS.

Features Include

Warn the operator if a self-signed certificate is detected.
Warn the operator if an expired certificate is detected.
Full cipher, key-exchange and authentication key strength output.
Use of a client specificed SSL certificate.

http-dir-enum | Content

Fri, 28 Mar 2008 16:49:57 GMT

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.

This tool is written in PERL and uses the LWP library.

Features include:

Automatic detection of which HTTP response code to ignore (normally 404, but can vary on some sites)
Support for bruteforcing Files and Directories
Can search for directories recursively
Proxy support
Support for HTTP Basic Authentication
Support for sending custom cookies
Save scan output in XML format
Command line (lack of GUI is a feature, not a bug)
Mutli-threading for extra speed
HTTP keep alive support for extra speed (can be turned off)

Check out the usage page for a full list of options. There are also lots of examples to get you started.

enum4linux | Content

Tue, 16 Sep 2008 11:29:28 GMT

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The samba package is therefore a dependency.

Features include:

RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
Listing of Group Membership Information
Share Enumeration
Detecting if host is in a Workgroup or a Domain
Identifying the remote Operating System
Password Policy Retrieval (using polenum)

Check out the usage page for a full list of options. There are also lots of examples to get you started.