Posts

PDFCrack - Password Cracking Tool for PDF-files

PDFcrack is a GNU/Linux tool for cracking password-protected PDF files. It is a very small command-line application. It is not preinstalled in Kali Linux, but it can be installed from the command line. To install pdfcrack, open a terminal and enter:

    apt install pdfcrack

Syntax and options

Usage: pdfcrack -f filename [OPTIONS]
     : pdfcrack -f filename -w passwordfile.txt

OPTIONS:
    -b, --bench              perform benchmark and exit
    -c, --charset=STRING     Use the characters in STRING as charset
    -w, --wordlist=FILE      Use FILE as source of passwords to try
    -n, --minpw=INTEGER      Skip trying passwords shorter than this
    -m, --maxpw=INTEGER      Stop when reaching this passwordlength
    -l, --loadState=FILE     Continue from the state saved in FILENAME
    -o, --owner              Work with the ownerpassword
    -u, --user               Work with the userpassword (default)
    -p, --password=STRING    Give userpassword to speed up breaking ownerpassword (implies -o)
    -q, --quiet              Run quietly
    -s,

HYDRA - The Password Bruteforce tool

Hydra is a login cracker that supports various protocols to attack. This tool makes it easy for an attacker or security researcher to gain unauthorized access to a system or web application remotely.

To open Hydra, go to Kali >> Applications >> Password Attacks >> Online Attacks >> Hydra.

Hydra syntax and options

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
    -R                        restore a previous aborted/crashed session
    -I                        ignore an existing restore file (don't wait 10 seconds)
    -S                        perform an SSL connect
    -s PORT                   if the service is on a different default port, define it here
    -l LOGIN or -L FILE       login with LOGIN name, or load several logins from FILE
    -p PASS or -P FI

Nmap - Network Scanning Tool

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and

SPARTA - Network scanning and Penetration Testing Tool

SPARTA is a Python GUI application that simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to their toolkit and by displaying all tool output in a convenient way. If less time is spent setting up commands and tools, more time can be spent focusing on analysing results.

Features

– Run nmap from SPARTA or import nmap XML output.
– Transparent staged nmap: get results quickly and achieve thorough coverage.
– Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
– You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
– Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
– Default credentials check for most common ser

Testing for XML Injection (OTG-INPVAL-008)

XML Injection testing is when a tester tries to inject an XML doc into the application. If the XML parser fails to contextually validate data, then the test will yield a positive result.

This section describes practical examples of XML Injection. First, an XML style communication will be defined and its working principles explained. Then comes the discovery method, in which we try to insert XML metacharacters. Once the first step is accomplished, the tester will have some information about the XML structure, so it will be possible to try to inject XML data and tags (Tag Injection).

How to Test

Let's suppose there is a web application using an XML style communication in order to perform user registration. This is done by creating and adding a new <user> node in an xmlDb file. Let's suppose the xmlDB file is like the following:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <users>
    <user>
    <usern