渗透测试工具介绍

渗透测试————————————————————–Canvas是ImmunitySec出品的一款安全漏洞检测工具。它包含150个以上的漏洞利用, 并包含操作系统、应用软件等大量的安全漏洞。对于渗透测试人员来说，Canvas是比较专业的安全漏洞利用工具。Canvas 也常被用于对IDS和IPS的检测能力的测试。Canvas每个月会把稳定的版本及时发布，通过Web站点进行更新，同时更新漏洞利用模块和引擎程序。并且会及时发邮件提醒用户使用。aImmunity Canvas渗透测试工具————————————————————–Immunity Canvas是一款专业的渗透测试工具。Canvas渗透测试工具包含150个以上的漏洞利用, 并包含操作系统、应用软件等大量的安全漏洞。对于渗透测试人员来说，Canvas是比较专业的安全漏洞利用工具。Canvas 渗透测试工具也常被用于对IDS和IPS的检测能力的测试。Canvas每个月会把稳定的版本及时发布，通过Web站点进行更新，同时更新漏洞利用模块和引擎程序。并且会及时发邮件提醒用户使用。1. Immunity Canvas渗透测试工具安装简介：安装平台需要支撑的软件列表1. Windows XP ◆The Python Programming Language Version 2.5◆GTK aka Graphical Tool Kit◆PyGTK the Python bindings for the Graphical Tool Kit◆PyCairo the Python bindings for the Cairo Image Library◆PygObject The Python bindings for the Gobject Library2. Windows 2003 3. Vista 4. Linux 5. Debian 2. Immunity Canvas渗透测试工具攻击平台介绍（该软件包含的攻击列表）分类详细列表操作系统类 Windows，vista，linux，solaris，aix，hp-unix，mac…… WEB应用软件 IIS，APACHE，JBOSS，TOMCAT，WEBLOGIC……数据库类 DB2，ORACLE，MSSQL，MYSQL，INFORMIX……WEB应用程序 Joomla, mambo……3. Immunity Canvas渗透测试工具主要功能1．自动攻击：可以选择自动攻击功能，软件会自动对网络、操作系统、应用软件进行攻击。攻击成功后，会自动返回目标系统的控制权。2．漏洞攻击：该软件漏洞库每天进行更新。同时包含了大量的0day以及未公开的漏洞。可以指定漏洞对目标系统进行攻击。3．升级功能：该软件包含两种升级方式，月度升级和实时升级。“月度升级”指每月升级一次，适合研究机构和小型企业使用。“实时升级”基本上每天更新一次，包含0DAY漏洞和未公开漏洞，适合渗透测试团队和攻防团队使用。4. Immunity Canvas渗透测试工具主要功能模块说明1. Exploits 主要的攻击模块，包括以下几个方面：◆远程攻击：包含windowsunixlinux系统所有的远程攻击代码。◆应用程序攻击：包含windowsunixlinux所有的自带应用程序攻击代码。◆本地攻击：包含windowsunixlinux系统所有的本地漏洞攻击代码。◆WEB攻击：基于WEB应用的攻击代码。2. Trojans模块：包含常用的后门攻击模块，包括隐藏进程、端口……，后门种植等。3. 常用命令模块：包括进程创建、获取用户信息、添加共享、ARP攻击、反连等。4. DOS模块：包括各种攻击引起的DOS效应。5. TOOLS模块：包括常用的各种攻击方法◆风险扫描：扫描网络中的风险状况。◆自动攻击：自动对网络系统进行扫描，找出漏洞并自动进行攻击，返回目标系统控制权。◆ORACLE攻击：针对ORACLE数据库的各种攻击。◆口令破解：扫描弱口令以及加密口令进行破解。6. Recom模块：侦察工具，主要探测目标系统指纹、语言、服务、进程等。7. SERVERS模块：提供HTTP上传以及代理功能。8. ImportExport模块：可以调用其他工具（例如NESSUS）扫描结果。9. Fuzzers模块：协议漏洞分析检测模块。10. Configuration模块：攻击平台配置模块。11. Listener Shells模块：监听模块。 CORE IMPACT是全球公认最强的安全漏洞检测工具，是评估网络系统、站点、邮件用户和Web应用安全的最全面软件解决方案。 Core Impact通过使用渗透测试技术，检测出新出现的关键性威胁，并且追踪出将您组织的重要信息至于危险的攻击路径。Core Impact渗透测试工具————————————————————–CORE IMPACT渗透测试工具是全球公认最强的安全漏洞利用工具，是评估网络系统、站点、邮件用户和Web应用安全的最全面软件解决方案。Core Impact渗透测试工具的测试步骤如下：☆ 远程信息获取☆ 攻击渗透☆ 本地信息获取☆ 权限提升☆ 清除日志☆ 生成报告☆ 通过上面的步骤,可以看出Core Impact渗透测试工具是从一个黑客的角度进行测试,这是Core Impact与众不同的地方。Core Impact渗透测试工具产品特点l 全面评估您的安全风险CORE IMPACT渗透测试工具是评估网络系统、站点、邮件用户和Web应用安全的最全面软件解决方案。CORE IMPACT通过使用渗透测试技术，检测出新出现的关键性威胁，并且追踪出将您组织的重要信息至于危险的攻击路径。l 从黑客的角度，考虑您的安全CORE IMPACT渗透测试工具允许你从黑客的角度查看您的网络，最终用户以及Web应用程序的唯一产品，使用CORE IMPACT渗透测试工具，您可以： ☆ 在网络服务器和工作站中，确定出可被利用的系统漏洞和服务☆ 测试最终用户对钓鱼，矛钓鱼，垃圾邮件和其他电子邮件威胁的反应☆ 测试Web应用安全，表明基于Web攻击造成的后果☆ 从误报中区分出真正的威胁，以加速和简化补救措施☆ 配置和测试IPS ，IDS，防火墙以及其他防御设施的有效性☆ 确认系统的升级，修改和补丁的安全性☆ 建立和保持脆弱性管理办法的审计跟踪l 综合测试整个企业系统和应用CORE IMPACT渗透测试工具使你能够评估出组织对现今危害数据的前三名攻击方法所采取的安全策略，这些攻击包括：对网络防护漏洞的渗透，包括服务器操作系统和服务，以及运行在桌面系统上客户端应用程序的漏洞通过电子邮件对员工，承包商和其他最终用户进行的欺骗，例如钓鱼和和矛钓鱼通过SQL注入和远程文件包含技术访问后端数据，从而对Web应用进行控制l 通过可靠的测试方法，找出安全漏洞使用CORE IMPACT渗透测试工具，您不需要成为一个可以确定风险，定义如何提高信息安全的安全专家。CORE IMPACT渗透测试工具的快速渗透测试（RPT）技术为您提供了一套方法，使您轻松的实现组织的安全保障。RPT提供了一个使网络，最终用户和Web应用自动化的简介直观的界面，让您可以快速评估您的安全态势。系统需求☆ Intel Pentium 4, 1.6 GHz 或更高 ☆ 512 MB RAM (推荐1 GB ) ☆ 500 MB 磁盘空间 (推荐3 GB) ☆ Internet Explorer 7.0 ☆ 一块与Windows®兼容的网卡 ☆ Windows XP Professional with SP2, 或者 Windows Vista Ultimate/Enterprise/Business Edition D2 Exploitation Pack————————————————————–D2 Exploitation Pack（D2攻击包）包含220多个安全模块，其中大部分安全模块是与 Immunity Canvas软件配套使用的。D2攻击包由各种攻击工具以及可靠的攻击方法组成，能用于安全测试的各个步骤中。探测方面（HTTP和WAF指纹识别工具，Lotus Domino扫描器，RPC扫描器， Nessus和Qualys报告分析器•••）漏洞攻击（URL和web认证暴力攻击，弱SMB,SSH以及RSH密码攻击）客户端攻击（客户端内部进行客户端自动化攻击，对PDF,Java Applet，ActiveX等进行攻击）Server攻击（0 days攻击，对多种操作系统-WINDOWS,AIX, Linux,Solaris ，BSD进行攻击，对企业软件漏洞进行攻击-Citrix, Lotus, EMC, CA, IBM, Microsoft, Cisco, ..）特权升级（对多种操作系统进行权限提升，对Linux内核漏洞自动攻击，包含专用的简易攻击文件权限漏洞的工具•••）后门：SSH和Apache后门，密码恢复工具，Citrix/TS 客户会话破坏工具，Lotus Notes客户端和server攻击工具D2 Exploitation Pack（D2攻击包)每个月会更新5-10个新的安全漏洞和模块，包含了大量的0DAY信息，帮助安全专业人员进行渗透测试。 InteVyDis VulnDisco Pack————————————————————–InteVyDis VulnDisco Pack Professional 与Immunity Canvas渗透测试攻击配套使用，包含了300多个安全模块，用于针对最新的未修补的漏洞。行业中最丰富的未修补漏洞攻击包首次购买享受3个月免费更新和技术支持针对知名软件产品可提供客户端和服务端每月更新一次EnableSecurity VoIPPack————————————————————–EnableSecurity VoIPPack for CANVAS 是专门与Canvas软件一起使用的产品。该系统针对VoIP系统，例如 PBX server, IP Phones以及SIP网关。 EnableSecurity VoIPPack for CANVAS产品当前的特点如下：vp_asteriskdiscomfort – denial of service demo for advisory AST-2009-010 vp_asterisknow_exec – tool to launch MOSDEF on AsteriskNOW 1.0.2 when web interface credentials are known vp_asterisksscanfdos – denial of service demo for advisory AST-2009-005 vp_bypassalwaysreject – tool to enumerate extensions on an Asterisk PBX, bypassing alwaysauthreject option which tries to prevent enumeration vp_ciscophonescanner – searches for Cisco phones on the target network by using HTTP and DNS probes vp_cucmjailbreak – given an ssh username and password for CUCM’s restricted shell, this script creates a new root user and installs MOSDEF vp_cucmtftplist – makes use of CUCM’s “TFTP” server to list the phone’s mac addresses / phone names vp_digestcracker – a tool to perform an offline password cracking attack on SIP Digest authentication vp_elastix_defaults – checks for Elastix insecure default settings vp_fopextensionenum – enumerates extensions on FreePBX through the flash operator panel vp_freepbx_exec1 – installs MOSDEF on vulnerable Trixbox or FreePBX servers given a username and password for the admin interface vp_ghostcall – a tool to cause a number of phones to ring simultaneously vp_iax2autohack – a tool to automatically find IAX2 (Asterisk) servers, enumerate their extensions and break the password for each extension vp_iax2cracker – a tool to perform an online password cracking attack on an IAX2 (Asterisk) server vp_iax2enumerate – a tool to enumerate extensions on an IAX2 (Asterisk) server vp_iax2resourceexhaust – a denial of service demonstration for AST-2009-006 vp_iax2scanner – a network scanner which finds IAX2 servers vp_mgcpscanner – a generic MGCP network scanner vp_sipautohack – a tool to automatically find IAX2 (Asterisk) servers, enumerate their extensions and break the password for each extension vp_sipcracker – a tool to perform an online password cracking attack on SIP serversvp_sipdigestleak – a tool which demonstrates a weakness found in many SIP endpoints which leak the digest response, leading to their password stealing vp_sipenumerate - a tool to enumerate extensions on a SIP server vp_sipgetringers – a tool which helps find out how to get a SIP phone to ring vp_sipinviteflood – a denial of service demo tool which floods SIP entities with INVITE messages vp_sipopenrelay – a tool to find misconfigured PBX servers that allow attackers to make phone calls for free vp_sipphonecall – a base phone ringing tool used by other tools vp_sipscanner – a network scanner which finds SIP entities / endpoints / servers vp_trixbox_defaults – checks for Trixbox insecure default settings vp_unistimscanner – a network scanner which finds UNISTIM servers vp_voipsrvrecords – translates from SRV record to SIP server address White Phosphorus————————————————————–White Phosphorus Exploit Pack是2010年开始为Canvas设计的最新的攻击包。White Phosphorus旨在为客户在进行渗透测试时提供可靠的攻击方式和工具。White Phosphorus Exploit Pack包括：每月更新，无限IP使用未公开的0day漏洞公开的漏洞模块server、客户端、特权升级的攻击渗透测试的有效模块和独立工具White Phosphorus Exploit Pack Highlighted ModulesWhite Phosphorus Exploit Pack Version 1.12* wp_hp_dataprotector_stutil *This module exploits a remote overflow in the HP Data Protector Backup Client OmniInet Service. The vulnerable service listens on port 5555 so is probably only going to be found on an internal network, however it does provide you with a SYSTEM level Mosdef node.Oh and, there is always the irony of owning someone through enterprise grade backup solution.* wp_mozilla_firefox_nstreerange (CVE-2011-0073) *We are very happy to be able to bring you this module that exploits a vulnerable in Firefox versions 3.6.0 through to 3.6.16. This module bypasses DEP and ALSR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.* wp_vlc_mediaplayer_libmod (CVE-2011-1574) *This module is the 3rd VLC module to enter the White Phosphorus pack and exploits a vulnerability in the libmod_plugin on VLC v1.1.8.White Phosphorus Exploit Pack Version 1.11We have been working hard this month on a new ASLR/DEP bypass technique that works against IE8 and IE9. Looking forward to seeing this put to use in some modules in the coming months.In the meantime this pack includes an exploit for RealWin SCADA Server On_FC_RFUSER_FCS_LOGIN Remote Overflow and a recent exploit for VLC player.White Phosphorus Exploit Pack Version 1.10* wp_ie_sandbox_escape *With the recent publicity around escaping the IE protected mode sandbox, we thought it was time to release a module to provide our customers with the same ability.This module takes advantage of a weakness in the interaction of different components to provide an escalation from Low integrity level to Medium integrity level. In other words, it escapes the IE8 sandbox.As this module is independent of any original exploit, it is likely to be successful as an escape from any sandbox restricting the current process to the Low integrity level.* wp_cisco_webex_wrf (CVE-2010-3269) *This module exploits the file format overflow in the Cisco WebEX Player that was disclosed by Core. The exploit creates a single file that will exploit the player on all recent windows versionsWhite Phosphorus Exploit Pack Version 1.09* wp_vlc_mediaplayer_mkvdemuxer (CVE-2011-0522) *This module exploits a vulnerability that exists in multiple different version of VLC. Considerable effort went into the development of this module, to the extent that the generated exploit file will successfully work on the last 3 recent release versions.* Multiple Client Side Modules *Modules for the following exploits are also included in this pack;wp_globalscape_cutezip_zip (CVE-2010-2590)- GlobalSCAPE CuteZip v2.1 .zip Clientside Overflowwp_ministream_wmdownloader_m3u- Mini-Stream WM Downloader .m3u Clientside Overflowwp_real_netzip_classic- RealNetworks Netzip Classic Clientside Overflowwp_virtuosa_phoenix_asx- Virtuosa Phoenix Edition .asx Clientside Overflowwp_xradio_xrl - xRadio .xrl Clientside OverflowWhite Phosphorus Exploit Pack Version 1.08* wp_wireshark_enttec (CVE-2010-4538) *There’s something quite awesome about exploits that can be sent to every host via a broadcast address. This module exploits the vulnerability in the ENTTEC dissector on version 1.4.2 on Windows XP machines and will return a shell from any machines running the vulnerable version of the sniffer.Unfortunately it will cause a DOS on anything other OS or version, which can be still useful to disable network monitoring.* wp_winlog_scada_server *Another SCADA exploit for those rare times when they come in scope of your testing. This module reliably exploits Sielco Sistemi Winlog running on most current windows versions.White Phosphorus Exploit Pack Version 1.07* wp_ie_css_import *And they thought it was a Dos only. This latest White Phosphorus exploit module gives you a reliable shell exploiting this still unpatched IE browser bug. We’ve had this in testing for the last few days, and a proud to release it with targets for bypassing DEP and ASLR against IE 7 and 8 running on Windows XP, Windows Vista and Windows 7. Merry Christmas.* wp_exim4_string_format (CVE-2010-4344) *Things just wouldn’t be complete without a module that exploits this bug that has been around for so long. Its not often that a reliable remote in a exposed service such as this comes along, so just the thing for a Christmas release.* wp_foxit_title *This release also includes another Foxit pdf reader exploit module. This one targets the previous Foxit version and is reliable on Windows XP, Vista and Windows 7. And for those targets using Foxit on windows XP, our 0day wp_foxit_XXXXX module still successfully exploits the latest version.White Phosphorus Exploit Pack Version 1.06* wp_struts2_cmdexec (CVE-2010-1870) *This module has been designed for use in real environments, which are typically firewalled. The payload options include blind cmd execution, various reverse shell options, and the ability to upload a web shell and automatically locate and deploy into the target web root.* wp_nuance_pdf_reader_launch *Is any pdf reader safe? This new module complements the numerous other PDF attack modules contained in the White Phosphorus exploit pack. This module works against Windows XP, Vista, and Windows 7 and will bypass any DEP protection in use.* wp_oracle_java_docbase (CVE-2010-3552) *Adding to the growing number of clientside modules supported by our pack, we have included an exploit for a recent Java vulnerability.This module is a cross Windows OS universal DEP exploit against the JRE, through the docbase parameter overflow* wp_realwinserver_scpc_textevent *Another SCADA exploit module to attack clients through the RealWin SCADA Server SCPC_TEXTEVENT Remote Overflow.White Phosphorus Exploit Pack Version 1.05* wp_scadaengine_bacnet_opc_client_csv *Obviously not the most wide spread software, but our team thinks that anything to do with SCADA is worthwhile. If you find yourself in a position to be testing this type of environment, then having access to reliable SCADA client exploits is always a bonus.* wp_foxit_XXXXX (0DAY) *This module was added in version 1.2 of the White Phosphorus exploit pack, and still works against the latest version of Foxit reader when running on Windows XP.White Phosphorus Exploit Pack Version 1.04* wp_quicktime_punk (CVE-2010-1818) *This module exploits the recently released information that Apple had left in a ‘feature’ allowing the use of user supplied memory locations.Our exploit works reliably against Windows XP, Windows Vista and Windows 7 and has been tested via Internet Explorer versions 6,7, and 8.* wp_adobe_sing (CVE-2010-2883) *This still unpatched vulnerability was found to be actively exploited in the wild. This exploit module allows you to have the same fun within your target environments.This exploit module does not require Javascript to be enabled within Adobe Reader and does not require write access to any directory. The module has been confirmed against Adobe Reader 9.1.0, 9.3.0, 9.3.4 running on Windows XP, Windows Vista and Windows 7.* wp_foxit_cff (CVE-2010-1797) *Not to be left out, this module exploits the ‘iphone jailbreak’ CFF vulnerability which also affected Foxit PDF Reader. Delivered via email, HTTP or ClientD itself, this reliable exploit module targets Foxit Reader 3.1, 3.2, 3.3, and 4.0 on Windows XP, Windows Vista and Windows 7.White Phosphorus Exploit Pack Version 1.03* wp_oracle_securebackup_exec (CVE-2010-0907) *Its Oracle, and its Secure so here is a remote SYSTEM level shell for you. This module exploits two vulnerabilities to bypass authenticationand then perform a command injection attack against the PHP web application.The current module works against Windows hosted systems, with plans to include other supported platforms in the next pack release.* wp_viclient (0-Day) *This client side module exploits an issue in an ActiveX control deployed with version 2.5 of VMWare’s VIClient.* wp_sjsws70u7_webdav (CVE-2010-0361) *Another remote SYSTEM level exploit. This module exploits the server running on Windows 2003 or Windows 2008. This was an interesting bug to make reliable, and luckily enough the server has a watchdog process that we abuse to find the required padding values.White Phosphorus Exploit Pack Version 1.02* wp_????_?????? (0Day) *This module exploits a vulnerability in all recent versions of a popular PDF reader, including the current version. The exploit is delivered through a PDF file, which does not rely on javascript to carry out the exploit.Unfortunately, due to the heap header encryption that is in place for Vista and later operating systems, this module will only work reliablyon Windows XP systems.* wp_mysql_list_fields (CVE-2010-1850) *This module reliably exploits this vulnerability in MySQL to obtain SYSTEM level rights. The connection requires the knowledge of valid credentials, so is particularly useful during penetration tests after the compromise of a web application server.* wp_novell_zcm_preboot (No CVE) *Another remote SYSTEM level exploit. This module exploits the preboot service of Novell Zenworks Configuration Manager. Useful for when are already inside a network and want to expand your reach.White Phosphorus Exploit Pack Version 1.01* wp_wireshark_lwres (CVE-2010-0304) *This module exploits a vulnerability in the LWRES Dissector. The White Phosphorus module was designed from the beginning so that the exploit packetcould be sent to a network broadcast address, therefore attacking any active instances of Wireshark in the network segment.To accomplish this, the White Phosphorus exploit was specially created to work against multiple different Wireshark versions and on any Windows OS that it encountered, including the ability to bypass ASLR and DEP if applicable.* wp_aspx_shell *During a penetration testing assignment against a .net web application, it is often possible to upload a .aspx scripting file to obtain command execution. With this White Phosphorus module, you can now upload a page that will provide you a full MOSDEF node. This can then be used to harness the power of Canvas to discover and exploit further vulnerabilities within the network.This module doesn’t require the ability to write and execute a file, as it uses pointer misdirection through APIS to execute the MOSDEF payload straight from the .aspx page.* wp_tcpforward *Ever wished you could channel an RDP session through an exploited server into the network? Ever wanted the ease of using the native SQL manager to access an internal MSSQL database? Well now you can.The powerful wp_tcpforward module provides both forward and reverse TCP port redirection giving you the ability to proxy connections across multipleMOSDEF nodes. This means you can use any native client to reach any internal servers through the MOSDEF network.Gleg Agora & SCADA+————————————————————–Gleg Agora PackGleg Agora Pack目前包含了160多个安全模块。为了保持及时更新，Gleg Agora Pack每月根据最新漏洞信息以及漏洞的价值，提供3-7个模块更新。Gleg Agora Pack目前的漏洞更新主要关注在：防护+数据库+web相关软件Gleg Agora Pack特点：每月根据最新的未修复漏洞更新3-7个安全模块模块是根据最新情况进行更新：防护+数据库+web软件最新的攻击技巧Gleg SCADA+ PackGleg SCADA+ Pack几乎包含了所有公开的SCADA漏洞。SCADA及其相关漏洞是非常特别的漏洞，他们十分包含敏感信息，一旦遭受攻击，会产生十分大的影响。同时，SCADA系统很难进行修补，因此，即使是老的漏洞个，都有可能被攻击。Gleg SCADA+ Pack特点不断升值—由于真实系统补丁等级低，该产品一直在不断升值。100%涵盖SCADA漏洞，包括以前的漏洞和最新发现的漏洞。我们自身发现的最新的0DAY漏洞专注于行业软件和硬件环境，不仅评估SCADA，同时评估行业PC，芯片和行业法规。漏洞分析：针对许多行业漏洞进行分析，包括硬编码密码等等。