Research and Development

Tools

  • RPDscan (11/6/2014) - RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations. Key features Finds every Remmina configuration file and preferences Decrypts every saved password for every user it finds Python based for easy access and speed Overview Remmina is a well used Linux based RDP connection software, as many people […]
  • AMES (Another Metasploit Exploit Suggester) (4/3/2014) - AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI. Key features Handles the new .nessus xml based file output Keeps up to date with new Metasploit exploits as you update MSF database Python based for easy access and speed Overview The AMES tool passes the new style .nessus xml file output […]
  • WordPress Build Review (2/14/2014) - WordPress Build Review is a tool to check the basic security settings in a WordPress installation. Key features Checks the WordPress version Checks the WordPress plugins versions Checks WordPress minor updates are enabled Checks the WordPress configuration Checks the theme configuration Identifies the presence of backup files in web folder Checks the Anti-Virus Checks the […]
  • rdp-sec-check (2/12/2014) - rdp-sec-check is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services). Key features Support for targets file Support for saving the tool output to a specified logfile Control over the connection and responses timeouts Control over the number of retries when timeouts occurs Overview rdp-sec-check is a Perl script to […]
  • iker (1/27/2014) - iker is a Python tool to analyse the security of the key exchange phase in IPsec based VPNs. Key features Discover VPN services running Fingerprint based on vendor IDs (VID) Guess implementation basing on responses analysis (backoff) Enumerate supported transforms in Main Mode Check for Aggressive Mode Enumerate supported transforms in this Aggressive Mode Enumerate […]
  • cspCalculator (1/8/2014) - cspCalculator is a PoC implementation of a dynamic Content Security Policy creator. Key features Allows on the fly manipulation of Content Security Policy Enables UX developers to get visual feedback on how a CSP affects the application functionality Minimises the changes required to an existing application to allow this to happen Overview Content Security Policies […]
  • Crash (12/17/2013) - The purpose of this tool is to catch crashes from OS X applications and print debugging information such as registers, disassembled code and a memory dump of the stack. The intended use is with the conjunction of an application fuzzer. Key features Catch OS X application’s crashes Display CPU registers Display disassembled code at the […]
  • smaSHeM (11/12/2013) - smaSHeM is a System V shared memory segment manipulator. Key features Allows dumping of segments in a variety of formats including JPEGs Allows patching of segments Overview System V shared memory segments created with shmget() are assigned an owner, a group and a set of permissions intended to limit access to the segment to designated […]
  • Finding all the vhosts (11/11/2013) - There are a number of ways to own a webapp. In a shared environment, an attacker can enumerate all the applications accessible and target the weakest one to root the server and with it all the webapps on the box. To try and emulate this approach on a pentest, we have to find ALL THE […]
  • Whois… Like A Boss! (11/4/2013) - At the outset of an external infrastructure test it’s often useful to ensure that the addresses you’re testing are correct, and actually owned by the client. Failure to do so can result in an awkward situation, and one we here at Portcullis Labs would like to avoid wherever possible. With this in mind, we’ve learned to […]
  • Mass /repair/ SAM and System Grabber (11/4/2013) - This tool will use included JCIFS library to grab copies of both system and SAM files from “C:\windows\repair\” directory from multiple hosts. Key features A large scale SAM and system grabber from /repair/. It might be useful for these corner cases where live capture of SAM and system files is not possible but you would […]
  • winlanfoe (10/24/2013) - Winlanfoe is a tool that parses the output from enum4linux and displays Domain/Workgroup membership, IP address, Operating System (OS) information and if a host is a domain controller. It is intended to provide an overview of the Samba network structure as reported by enum4linux. The name is derived from “Windows LAN Info” The auto-find mode […]
  • FreeRDP-pth (10/20/2013) - FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password. This works only against RDP v8.1 servers (Windows 2012 R2 at the time of writing) and even then, only for members of the administrators groups. Refer to companion blog post for more information about Restricted […]
  • UDP Protocol Analysis – Interactive Python Tool (9/9/2013) - UDP protocol analysis is a python module which can be used in scripted analysis or interactively using ipython. Some time ago I was tasked with understanding a protocol I had no information about. I wanted to see: Distribution of packet sizes and positions in a conversation; How payloads could be broken down into fields to […]
  • Local MySQL Password Bruteforcer (2/15/2013) - Local MySQL Password Bruteforcer is a python script to assess the strength of the local MySQL access passwords. It attempts to enumerate local passwords against either the dictionary of passwords and single user or dictionary of users and passwords. It is written in Python and can be easily ported as an executable for windows using […]
  • HeaderCheck (2/15/2013) - HeaderCheck is a python script used to check the security settings of various headers returned by web servers. The following headers are checked: X-XSS-Protection X-Content-Type-Options X-Frame-Options Cache-Control Content-Security-Policy WebKit-X-CSP X-Content-Security-Policy Strict-Transport-Security Access-Control-Allow-Origin Origin Each header is assessed based on good practice settings as well as displayed for manual checking. Installation HeaderCheck is a stand alone […]
  • ssl-cipher-suite-enum (2/13/2013) - ssl-cipher-suite-enum is a perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS). Key features Support for legacy and newer versions of SSL/TLS: SSLv2.0, TLSv1.0/SSLv3.0, TLSv1.1, TLSv1.2 Support for SSL testing over SMTP (STARTTLS), RDP and FTP (AUTH SSL) Flagging of common security issues on a per-host and per-cipher-suite basis (see below for list) Works […]
  • UNIXSocketScanner (1/31/2013) - UNIXSocketScanner is a UNIX domain socket scanner. Key features Multi threaded Supports both internal probes format and nmap probes format Overview UNIX domain sockets are “files” that follow the semantics of the UNIX socket interface and can be utilised by applications to offer services to other processes that are present on the same host. Whilst […]
  • get-dhcp-opts (12/12/2012) - get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN, and dump the DHCP/BOOTP options. Sometimes network infrastructures use DHCP/BOOTP to provide special configurations. For example, a VOIP network can use these special options to configure the phones (VoIP server address, configuration file URLs, …). get-dhcp-opts displays these options and detects rogue DHCP servers on your […]
  • VulnApp (9/15/2012) - VulnApp is a vulnerable web application written in ASP.net. Recently myself and a colleague were asked to give some training to a client’s ASP.net development team. My colleague was asked to give the main training session whilst I was asked to run a post training game to test the developers retention of the concepts. After […]
  • NOPC (7/3/2012) - NOPC (Nessus-based Offline Patch Checker) is a patch-checker primarily for Linux distributions and UNIX-based systems. It is a shell script that utilises Nessus’ nasls and gives instructions on what data needs to be obtained from the system in order to derive a list of missing security patches. This was developed for situations when network […]
  • secdump (3/24/2012) - secdump is a simple meterpreter module that uploads and runs gsecdump. Nothing fancy, just a time saver. Usage
  • SSHatter (2/16/2011) - SSHatter is a perl script to perform brute force attacks on SSH. Key features Multi threaded Supports both SSH v1 and v2 protocols Supports key based brute forcing Support for post brute force exploration Mass mode to run one command across all targets Support for sudo based privilege escalation Integrated file transfer support
  • hoppy (10/9/2009) - hoppy is a python script to probe HTTP options and perform scanning for information disclosure issues. hoppy is an HTTP options prober written in python. It checks the availability of HTTP methods as well as probing them to see if they can be forced to disclose system information. Key features HTTP Method detection, TRACK, TRACE, PUT etc Internal IP address […]
  • ManySSL (12/9/2008) - ManySSL is a perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS). It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS. Key features Warn the operator if a self-signed certificate is detected Warn the operator if an expired certificate is detected Full cipher, […]
  • udp-proto-scanner (11/26/2008) - udp-proto-scanner is a perl script which discovers UDP services by sending triggers to a list of hosts Usage The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option: What’s it used for? It’s used in the host-discovery and service-discovery phases of a pentest. It can be helpful if you […]
  • MS08-067 check (11/18/2008) - MS08-067 check is a python script which can anonymously check if a target machine or a list of target machines are affected by the MS08-067 vulnerability. This tool can be used to anonymously check if a target machine or a list of target machines are affected by the MS08-067 issue (Vulnerability in Server Service Could Allow Remote Code Execution). Usage […]
  • polenum (10/30/2008) - polenum is a python script which can be used to get the password policy from a Windows machine. It uses the Impacket library from CORE Security Technologies to extract the password policy information from a Windows machine. This allows a non-Windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote Windows […]
  • vessl (10/30/2008) - vessl is a bash script that can fetch and verify the SSL certificate of a remote server. It was originally written in order to script up the ability to verify SSL certificates across a large network. Key features vessl will connect to any service that OpenSSL can It will extract and verify against a given […]
  • enum4linux (9/16/2008) - A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. Key features RID cycling (When RestrictAnonymous is set to 1 on Windows 2000) User listing (When RestrictAnonymous is set to 0 on Windows 2000) Listing of group membership information Share enumeration Detecting if host is in a workgroup or a domain Identifying […]
  • phrasen|drescher (6/27/2008) - A tool for bruteforce guessing pass phrases, password hashes or remote accounts of various services. phrasen|drescher is a modular and multi processing pass phrase cracking tool. Key Features In version 1.1 it comes with two plugins with the purposes to: crack pass phrases of RSA or DSA keys crack MS SQL 2000/2005 SHA1 hashes remote […]
  • BSQL Brute Forcer V2 (6/18/2008) - Updated version of the Blind SQL Injection Brute Forcer from www.514.es. It works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL queries. Key features This is a modified version of ‘bsqlbfv1.2-th.pl’. This Perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and […]
  • acccheck (4/9/2008) - The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the ‘smbclient’ binary, and as a result is dependent on it for its execution. The tool is designed as a password dictionary attack tool that targets windows authentication via the […]
  • MIBparse (4/7/2008) - MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as ‘snmpwalk’. MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as ‘snmpwalk’ (NET-SNMP project ‘net-snmp.sourceforge.net’). The output returned depends on the options that are selected by the user. Typically, information relating […]
  • nbtscan-1.5.2 (4/3/2008) - NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
  • XSS Tunnel (4/2/2008) - XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. What Is XSS Tunnelling? XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application […]
  • Banner Grab (4/2/2008) - BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services. The program has two modes of operation; simple connection banner grabbing and the default mode which makes use of service triggers to enumerate additional information. Requirements BannerGrab requires the GNU C compiler and has been tested on Linux, but should […]
  • viewstate (4/2/2008) - Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder. It supports both old and new types of viewstate and the data can be extracted directly from the web. Requirements Viewstate is platform independent and can be downloaded in source code or Windows binary formats. If you are building viewstate from source you will need […]
  • Sun Patch Check (4/2/2008) - Sun Patch Check lists missing security patches by comparing the output from the Sun Solaris “showrev” command to that from the Sun recommended patch list. Sun Patch Check is a tool that does exactly what it says on the tin. Sun Patch Check compares the output from the Sun Solaris showrev command to that from the Sun […]
  • XSS Shell (4/2/2008) - NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version visit https://github.com/portcullislabs/xssshell-xsstunnell XSS Shell is a powerful XSS backdoor, in XSS Shell one can interactively send requests and get responses from victim and it allows you to keep the control of […]
  • sucrack (3/31/2008) - sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su. This tool comes in handy when you’ve gained access to a low-privilege user account but are allowed to su to other users. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This can’t […]
  • rmiInfo (3/31/2008) - A tool for extracting information from Java Remote Method Invocation (RMI) services. rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities. The main aim being to identify the location of the RMI stub. If one is able to find […]
  • onesixtyone (3/31/2008) - An enhanced version of Solar Eclipse’s SNMP Community string guessing tool. This is an updated version of Solar Eclipse’s SNMP bruteforcing tool. Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies. This version fixes a number of bugs in other publically available versions […]
  • http-dir-enum (3/28/2008) - A command-line tool for bruteforce-guessing directory and filenames on web servers. http-dir-enum is a tool for finding content that is not linked on a web site. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL. This tool is written in PERL and uses the […]
  • BSQL Hacker (1/16/2008) - NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version please visit https://github.com/portcullislabs/bsql-hacker BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database. NOTE : This download is […]
