Sunday, July 06, 2014

RTIR - A premier Open Source incident handling system.

RTIR is the premier Open Source incident handling system. We worked with over a dozen CERT and CSIRT teams to build a world-class incident handling system. RTIR helps you handle the ever-increasing volume of incident reports. RTIR lets you tie multiple incident reports to specific incidents. RTIR makes it easy to launch investigations to work with law enforcement, network providers and other partners to get to the bottom of each incident and to track it through to a successful resolution.

It's easy to integrate RTIR into your existing systems and workflow. With open source code, a rich API and a vibrant community, RTIR can be tied into many external systems with only a few lines of configuration or a few minutes of programming. If you're using a publicly available product as part of your incident handling workflow, someone has probably already integrated it with RTIR.

Download From:

HoneyBOT for Windows

Honeypot for Windows
HoneyBOT is a medium interaction honeypot for Windows.
A honeypot creates a safe environment to capture and interact with unsolicited and often malicious traffic on a network. HoneyBOT is an easy to use solution ideal for network security research or as part of an early warning IDS.

Get the academic release
Free for academic users
Port Editor
Data Export
Email Alerts


Application Security Checklists

This checklist is a helpful reference when performing a web application security test. It is not a complete list though - there are often application-specific vulnerabilities and subtle issues that this does not cover.

Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
An account cannot easily be locked out to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)

Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout
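The session-management items above can be checked mechanically against the Set-Cookie headers an application emits. The following Python script is an added example (not part of the checklist's author's material); the sample headers in it are constructed, and the bit estimate is only an upper bound by alphabet, since a static check cannot prove a token is unpredictable.

```python
"""Audit Set-Cookie headers against the session-management checklist items."""
import math
import re

REQUIRED_BITS = 128  # checklist: session tokens are at least 128-bit


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def estimate_token_bits(token):
    """Upper bound on the randomness a token can carry, judged by its alphabet.
    This only catches tokens too short to be 128-bit even if every character
    were random; unpredictability itself needs statistical testing."""
    if re.fullmatch(r"[0-9]+", token):
        bits_per_char = math.log2(10)        # decimal counter or timestamp
    elif re.fullmatch(r"[0-9a-fA-F]+", token):
        bits_per_char = 4                    # hex
    elif re.fullmatch(r"[A-Za-z0-9+/_-]+=*", token):
        bits_per_char = 6                    # base64 / base64url
    else:
        bits_per_char = math.log2(len(set(token)) or 1)
    return int(len(token.rstrip("=")) * bits_per_char)


def audit_session_cookie(header):
    """Return the checklist items a Set-Cookie header fails (empty list = pass)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    bits = estimate_token_bits(value)
    if bits < REQUIRED_BITS:
        findings.append("%s: token carries at most %d bits (< %d)" % (name, bits, REQUIRED_BITS))
    if "secure" not in attrs:
        findings.append("%s: missing Secure flag" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly flag" % name)
    if "expires" in attrs or "max-age" in attrs:
        findings.append("%s: persistent cookie (Expires/Max-Age set)" % name)
    return findings


# Constructed sample headers: one weak, one that passes, one persistent.
SAMPLE_HEADERS = [
    "PHPSESSID=104933; Path=/",
    "sid=0123456789abcdef0123456789abcdef; Path=/; Secure; HttpOnly",
    "sid=dGhpcyBpcyBhIHRlc3Qhoo; Path=/; Secure; HttpOnly; Max-Age=2592000",
]


def audit_all(headers):
    """Map each header to its list of findings."""
    return {h: audit_session_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```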

Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long UTF-8 encodings
Try to bypass filters using wide-ASCII or other Unicode equivalents

Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses are not disclosed in page content

Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files

All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views

cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings

Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information

Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created

SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?

Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Most of this checklist also applies to the web service.

Further, a very good article on web application security checklists:

Various Security Checklists for your reference:

Patriot - NG ( Host IDS Windows )

Here is a great tool for host intrusion detection on the Windows platform. =)


Tray:

Patriot monitors:
  • New files in 'Startup' directories
  • Changes in Registry keys: Indicating whether any sensitive key (autorun, internet explorer settings...) is altered
  • New Users in the System
  • New Services installed
  • Changes in the hosts file
  • New scheduled jobs
  • Alteration of the integrity of Internet Explorer: (New BHOs, configuration changes, new toolbars)
  • Changes in ARP table (Prevention of MITM attacks)
  • Installation of new Drivers
  • New Netbios shares
  • TCP/IP Defense (New open ports, new connections made by processes, PortScan detection...)
  • Files in critical directories (New executables, new DLLs...)
  • New hidden windows (cmd.exe / Internet Explorer using OLE objects)
  • Netbios connections to the System
  • ARP Watch (New hosts in your network)
  • NIDS (Detect anomalous network traffic based on editable rules)
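Two of the monitors above, "Changes in ARP table" and "ARP Watch", amount to diffing ARP snapshots over time. The following Python script is an added example in that spirit (it is not Patriot NG's code): it parses two `arp -a` style snapshots, both constructed here, and flags a changed gateway MAC, a new host, and one MAC claiming several IPs.

```python
"""ARP-watch style check: diff two snapshots of `arp -a` output."""
import re

# One entry per line: IP, MAC (Windows '-' or Unix ':' separators), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed baseline snapshot taken when the network was known-good.
BASELINE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed later snapshot: the gateway now resolves to the MAC of host .20
# and a new host .30 has appeared.
CURRENT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case, '-' separated."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def is_group_address(mac):
    """Broadcast and IPv4-multicast MACs are shared by design; skip them."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")


def arp_watch(baseline, current):
    """Compare two parsed tables. Returns (kind, subject, detail) tuples:
    mac_changed  an IP now answers with a different MAC (ARP spoofing/MITM,
                 or a legitimately replaced NIC: confirm before acting)
    new_host     an IP not present in the baseline
    shared_mac   one MAC claims several IPs, the classic spoofing signature"""
    alerts = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old is None:
            alerts.append(("new_host", ip, mac))
        elif old != mac:
            alerts.append(("mac_changed", ip, "%s -> %s" % (old, mac)))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and not is_group_address(mac):
            alerts.append(("shared_mac", mac, ",".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in arp_watch(parse_arp_table(BASELINE), parse_arp_table(CURRENT)):
        print("%-12s %-20s %s" % alert)
```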


SSL Eye (PRISM protection)

SSL Eye is a tool that detects SSL man-in-the-middle spying by comparing the SSL fingerprints of one or more sites as seen from remote nodes owned and managed by EEDS in different countries (Singapore, USA and the Netherlands) with the fingerprint you obtain through your own local ISP. The tool additionally tells you whether the site uses Extended Validation (EV) certificates and whether the key exchange provides perfect forward secrecy (DHE_RSA or ECDHE_RSA, as used by Google). Global shortcut keys let you copy a site from the browser address bar and trigger an instant scan to check whether you are the victim of a man-in-the-middle (MITM) attack.

In such an attack the attacker listens on your communication channel during the public key exchange and re-sends the keys on your behalf, substituting his own fake keys for the requested ones, so that the two original parties (you and your bank) still appear to be communicating with each other.

SSL Eye offers:

  • Retrieve the fingerprint of any given SSL URL from single or multiple sites, with SNI support, across EEDS nodes located in the Netherlands, USA and Singapore.
  • Check if the site is using Extended Validation (EV) certificates.
  • Check if the site is implementing perfect forward secrecy on key exchange.
  • Export results into HTML report.
  • Sound alerts for invalid certificates.
  • Scan with global keys from clipboard without user interaction.
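The core of the multi-vantage comparison above, plus the forward-secrecy check, as an added Python example (not SSL Eye's code): node names and fingerprint values are constructed, and the example also shows the "remote nodes disagree" case, which a CDN or multi-certificate deployment can cause legitimately and which a plain mismatch rule would misreport as MITM.

```python
"""Compare a locally seen certificate fingerprint with remote vantage points."""
import hashlib


def fingerprint_of(der_certificate):
    """SHA-256 fingerprint of a DER-encoded certificate, as 'aa:bb:...'."""
    digest = hashlib.sha256(der_certificate).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_fingerprints(observations, local_node="local"):
    """Return (verdict, detail). Verdicts:
    'match'        local view equals the remote consensus
    'mismatch'     local view differs: something between you and the site
                   presents a different certificate (possible MITM)
    'inconclusive' remote nodes disagree among themselves, which a CDN or a
                   multi-certificate deployment can cause legitimately"""
    remote = {n: fp.lower() for n, fp in observations.items() if n != local_node}
    local_fp = observations[local_node].lower()
    distinct = set(remote.values())
    if len(distinct) != 1:
        return "inconclusive", "remote nodes report %d different certificates" % len(distinct)
    consensus = distinct.pop()
    if local_fp == consensus:
        return "match", consensus
    return "mismatch", "local %s vs remote consensus %s" % (local_fp, consensus)


def has_forward_secrecy(cipher_suite):
    """True when the key exchange is ephemeral (DHE or ECDHE), so a later
    compromise of the server's private key does not expose recorded sessions.
    Accepts OpenSSL names ('ECDHE-RSA-AES128-GCM-SHA256') and IANA names
    ('TLS_DHE_RSA_WITH_AES_256_CBC_SHA'). TLS 1.3 suites ('TLS_AES_...')
    are always ephemeral."""
    name = cipher_suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
        if name.startswith(("AES-", "CHACHA20-")):   # TLS 1.3 suite
            return True
    return name.startswith(("ECDHE-", "DHE-"))


# Constructed observations for one hostname: three EEDS-style remote nodes
# plus the local view through the user's own ISP (fingerprints shortened).
CLEAN = {"node-sg": "AA:11", "node-us": "aa:11", "node-nl": "aa:11", "local": "aa:11"}
MITM = {"node-sg": "aa:11", "node-us": "aa:11", "node-nl": "aa:11", "local": "bb:22"}
CDN = {"node-sg": "aa:11", "node-us": "cc:33", "node-nl": "aa:11", "local": "aa:11"}

if __name__ == "__main__":
    for label, obs in (("clean", CLEAN), ("mitm", MITM), ("cdn", CDN)):
        print(label, compare_fingerprints(obs))
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"):
        print(suite, "forward secrecy:", has_forward_secrecy(suite))
```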

Product Name: SSL Eye
Usage: Freeware
Version: 1.5
Size: 5.42 MB
Updated on: 3.06.2014
Platform: Microsoft Windows

StealthWalker - VPN tools

StealthWalker is a software-based VPN tool. It provides easy connectivity for the user and has a very straightforward mechanism to establish a VPN connection. StealthWalker creates an encrypted tunnel between your PC and the server, which means that not only your browsing but all communication going through the Internet (messengers, Skype, FTP, email, etc.) is encrypted.

These features can be very useful in situations like:

  • Browsing Internet securely using public Access Points and WiFi hotspots.
  • Hiding your real identity online while using Forums, Blogs and Social networks.
  • Encrypting (AES-256) and hiding your Internet traffic from ISP or local network attackers.
What makes StealthWalker better, if not unique:
  • Multiple layers of encryption, including DNS encryption and protection against DNS leaks.
  • Fast VPN servers and bandwidth misuse monitor to avoid bottlenecks and overload issues.
  • Custom Tor (TOR Network) enabled built-in browser to offer multiple encryption layers, improved privacy and anonymity.
  • All-in-one built-in privacy solution offered by third-party open source tools such as Truecrypt, Keepass, Eraser, Processexplorer, Firefox, Dnscrypt, Tor, Autoruns, Desktops and Tcpview.
  • Custom control panel for Enterprise clients with advanced features such as user management and VPN server management.
  • Reliable and affordable high speed VPN services with variety of subscription plans.
  • Enhanced user's guide.
  • Enhanced user management system.

FREE Account:

You can use StealthWalker for free with no limitations; premium (paid) users, however, get faster servers with fewer users sharing the bandwidth. Due to abuse of our services we have limited the free trial period to 3 days, enough to fully try it before you buy.

Premium Account:

After successfully registering a free user through the StealthWalker client, you can order your desired plan from the Buy Now button below. Once your order is approved, your account will be instantly moved from the free accounts group to the premium group.

Enterprise Edition:

We are glad to offer an Enterprise Edition for corporate customers; it includes dedicated VPN servers and additional features in the web-based Control Panel for easy management. The minimum order is a 100-account package, at $2.8 per account. Please Contact Us for more details.

Refund Policy:

Orders are eligible for a full refund only if the license/order key has not been used within 30 days after the purchase date. We accept digital currencies based on Bitcoin, Litecoin and Feathercoin; please Contact Us for more information.

Product Name: Stealth Walker
Usage: Commercial
Version: 2.5.3
Size: 71.3 MB
Updated on: 25.06.2014
Platform: Microsoft Windows


ODAT (Oracle Database Attacking Tool)

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests Oracle database security remotely.
Usage examples of ODAT:
  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
  • You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)
ODAT can:
  • search valid SID on a remote Oracle Database listener via: a dictionary attack/a brute force attack/ALIAS of the listener
  • search Oracle accounts using: a dictionary attack/each Oracle user name as the password
  • execute system commands on the database server using: DBMS_SCHEDULER/JAVA/external tables/oradbg
  • download files stored on the database server using: UTL_FILE/external tables/CTXSYS
  • upload files on the database server using: UTL_FILE/DBMS_XSLPROCESSOR/DBMS_ADVISOR
  • delete files using: UTL_FILE
  • send/receive HTTP requests from the database server using: UTL_HTTP/HttpUriType
  • scan ports of the local server or a remote server using: UTL_HTTP/HttpUriType/UTL_TCP
  • exploit the CVE-2012-313 (
ODAT is compatible with Linux only. A standalone version exists so that the dependencies and sqlplus do not need to be installed (see the build folder of the git repository). The ODAT standalone has been generated with pyinstaller.
If you want the development version installed on your computer, the following tools and dependencies are needed:
  • Language: Python 2.7
  • Oracle dependencies: Instant Oracle basic & Instant Oracle sdk
  • Python libraries: cx_Oracle, with the following recommended: colorlog/termcolor/argcomplete/pyinstaller
You can download ODAT standalone here:
32-Bit – odat-linux-libc2.19-i686.tar.gz
64-Bit – odat-linux-libc2.19-x86_64.tar.gz
Or read more here.

NSA catalog 2014

Good afternoon H4x0r's =)

- This document is a catalogue of services the NSA carries out; check it out!

What is the price of unmasking someone on the TOR network? 3 thousand dollars is the answer!!!

One of the talks at Black Hat 2014, which takes place from August 2 to 7 in Las Vegas, may be disappointing for users of the Tor network: security researchers Alexander Volynkin and Michael McCord will present the results of their study of a method for de-anonymising the IPs in use. The title of the presentation is "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget", and they are expected to show that the cost of doing so is on the order of US$3,000.

The researchers' talk description says that in their analysis they found that a persistent adversary with a few powerful servers and a couple of gigabit links can de-anonymise hundreds of thousands of Tor clients and thousands of hidden services within a few months. The total investment? A little under US$3,000. During the presentation they will quickly cover the nature, feasibility and limitations of possible attacks, and then dive into dozens of real-world case studies of successful de-anonymisation, ranging from the takeover of botnet command centres to drug-trading and child-abuse sites.

The presentation will conclude with lessons learned and conclusions about the future of the security of distributed anonymity networks. See the talk briefing at the link:

Friday, July 04, 2014

WhatsApp Key/DB Extractor | CRYPT7 | NON-ROOT

The purpose of this script is to provide a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices. The cipher key is required to decrypt WhatsApp CRYPT6 and CRYPT7 backup files. This script works by hooking into the USB backup feature on Android 4.0 or higher. It will NOT work with earlier Android versions or on devices where this feature has been deliberately disabled by the manufacturer.

The cipher key can be used with WhatCrypt, both on the Website(online decryption / exportation) and with the Android App (offline decryption / recryption). Other apps and websites may also support WhatsApp cipher keys. It should be noted that WhatsApp cipher keys can roll (update) periodically. If this happens then you will need to repeat the instructions contained within this file in order to extract the latest cipher key. This script will also extract the latest UNENCRYPTED WhatsApp Message Database (msgstore.db) and Contacts Database (wa.db).

In addition to the above, a copy of the cipher key will also be pushed to the WhatsApp Database directory on the device itself, contained within a file called ".nomedia". The reason for this is to give Android developers a unified method by which they can offer their app users WhatsApp decryption for those willing to run this script.

Requirements:
  1. O/S: Windows Vista, Windows 7 or Windows 8
  2. Java - If not installed: Download Java
  3. ADB (Android Debug Bridge) Drivers - If not installed: ADB Installer
  4. USB Debugging* must be enabled on the target device. Settings -> Developer Options -> (Debugging) USB debugging
  5. Android device with Android 4.0 or higher
*= If you cannot find Developer Options then please go to: Settings -> About phone/device and tap the Build number multiple times until you're finally declared a developer.

Instructions:
  1. Extract "" on your computer maintaining the directory structure.
  2. Browse to the extracted folder and click on "WhatsAppKeyExtract.bat".
  3. Connect your device via USB**, unlock your screen and wait for "Full backup" to appear.
  4. Leave the password field blank and tap on "Back up my data".
  5. The "extracted" folder will now contain your "whatsapp.key", "msgstore.db" and "wa.db".
** = If you have never used USB Debugging before, you may also need to verify the fingerprint.

Version History:
1.1 - Removed Java check, due to some users reporting that they're getting stuck in an install loop.
1.0 - Initial release.

Not my hub, but many thanks to Abinash Bishoyi who has created an unofficial fork on GitHub. He has added a *nix variant "sh" script and made some modifications for users who have experienced problems with ADB on Android 4.4.3. Kudos to him. 

Compatible apps:
  1. WhatCrypt Tool 1.3+
  2. WhatsApp Tri-Crypt 1.2+
The apps listed above have been confirmed working with WhatsApp Key/DB Extractor, i.e. they will either look for and use the static cipher key that this tool copies to "sdcard/WhatsApp/Databases/.nomedia" as an alternative decrypt/recrypt method, or will allow you to manually set the path to the key file. If you wish your app to be added to this list, then please let me know and I will add your app (pending verification / confirmation).

AUTHOR: TripCode
THANKS: dragomerlin for Android Backup Extractor, Snoop05 for ADB Installer and Abinash Bishoyi for GitHub fork.

WhatCrypt - WhatsApp Database Crypt Tool

WhatCrypt is a decryption and recryption tool for backed up WhatsApp databases.

Usage Examples:
  1. Decrypt .crypt, .crypt5, .crypt6 or .crypt7 database files and turn them into SQLite files.
  2. Decrypt or Recrypt .crypt5, .crypt6 or .crypt7 database files that have not been linked to any account.
  3. Recrypt .crypt5, .crypt6 or .crypt7 database files so they can be used on another device / account.
  4. Recrypt .crypt5, .crypt6 or .crypt7 database files to .crypt so they can be used on older WhatsApp versions.
  5. Recrypt .crypt, .crypt5 or .crypt6 database files to .crypt7 so they can be used on newer WhatsApp versions.
All decrypted and recrypted files will be saved in the same directory as the original encrypted file. Decrypted files will end in .db. Recrypted files will end in re.crypt, re.crypt5, re.crypt6 or re.crypt7. The original encrypted files will not be moved or deleted. If you get any Decryption Failed messages, it means that either the encrypted database is corrupt or you have supplied the incorrect account name or key file. Root access, or Android 4.0+, will be required to obtain your crypt key (crypt6/7).

Download Here:

Version History
Version 1.0 - Initial release.
Version 1.1 - Added disable minions (sounds) option.
Version 1.2 - Added support for empty or null accounts with crypt5.
Version 1.3 - Added support for crypt6.
Version 1.4 - Added root key copier.
Version 1.5 - Added support for crypt7.
Version 1.6 - Removed minions (sounds).
Version 1.7 - Added decrypt / recrypt progress bar.


How To Convert Whatsapp Database Crypt5 To Crypt7

Whatsapp is a popular messaging app used by millions of users worldwide. It is the most dominant messaging app available today for smartphones. Every day we send and receive hundreds of messages on Whatsapp, which the app automatically saves every day at 4:00 AM on the sdcard as a chat history backup file. The chat history backup file has an extension of either .crypt5 or .crypt7. Crypt7 is the newest file extension for the chat history database file. In this tutorial I am going to teach you how you can convert an older crypt5 Whatsapp database to the newer crypt7 database.

A crypt5 chat history backup file cannot be restored to a newer version of Whatsapp, which uses the crypt7 format. I discovered this problem when I was trying to restore crypt5 chat history from an older Android phone to a newer one which only supported the crypt7 format. In the end the conversations were not restored on the new Android phone. So I found a way and converted the crypt5 database to the crypt7 format. After this conversion all the chat history was successfully restored on the new phone.


  1. Your old Android phone's Whatsapp should have all the chat history visible within the app, so that you can take a backup.
  2. If you have accidentally deleted the chats then you must have the chat history backup file. It can be found in 'sdcard>Whatsapp>Databases'.
  3. If step 2 is your problem then copy the database file to some other folder on your sdcard and uninstall Whatsapp. Now make a folder directory on the sdcard like 'Whatsapp>Databases', place the chat history backup file in this folder and read Restore messages on Whatsapp.
  4. Now you have restored the chat history and the chats are again visible in Whatsapp.
  5. Skip steps 2 and 3 if you fulfil step 1.

Convert Whatsapp Database Crypt5 To Crypt7

  • Now on your older android smartphone download and install the latest version of Whatsapp. 
  • After updating the app, backup chat history by going to ‘Settings>Chat settings>Backup conversations’. The database will be saved in crypt7 as msgstore.db.crypt7 format on your older phone’s sdcard.
  • On your new android phone download and install the latest version of Whatsapp and place the old phone’s chat history backup file in ‘Whatsapp>Databases’ on new phone and open it.
  • Now follow the app's instructions. Enter the same mobile number and do not use a new one. After a few seconds you will see a page in which Whatsapp asks you to restore your messages. See the image below. Click the "Restore" button.

crypt5 to crypt7

  • Now your messages are restored and can be easily seen within whatsapp.
You have successfully converted the Whatsapp database from crypt5 to crypt7 format and restored the chat history from the old phone to the new phone without using additional Android apps. This trick will work for converting crypt, crypt3 and crypt5 to crypt7.


WazzapMigrator Crypt7 whatsapp


Crypt7 decryption

Added some additional info about the new Android archive crypt7 (msgstore.db.crypt7) encryption. In short, you have three ways to deal with this:
  1. import your iPhone's messages only by NOT ticking "Merge Android archive" (99% of the cases when you will be using Whatsappmigrator, as you just bought a brand new Android device)
  2. OR just email your pre-existing conversations directly from Whatsapp in order to store them for future reference (from Whatsapp:Settings -> Chat settings -> Email conversation)
  3. OR root your Android device then use WhatsApp Tri-Crypt (free on Play Store) to decrypt the msgstore.db.crypt7. Rooting is a very technical procedure whose aim is to gain full administrative access to your device. If you want more info you can take a look here or here (please note: those links are not supported by Whatsappmigrator in any way, they're provided for your reference only).
TECHNICAL DETAILS: This is due to Whatsapp recently changing its encryption from .crypt to .crypt5 to .crypt6 to .crypt7 (in just 2 months!!). Up to .crypt5 it was possible to decrypt without much hassle, but with .crypt6 and .crypt7 they had the idea of periodically changing the decryption key and storing it in a private area of your phone, therefore not accessible without root access.
Whatsapp - Send conversations by email
Whatsapp - Send conversations by email - Part 2

Tuesday, July 01, 2014

External HDD mount failure - NTFS

Dear all, good evening. (:

- Today I ran into another unusual situation: while trying to access an external HDD, it showed me the following error:

Failed to mount '/dev/sdc1': Input/output error NTFS is either inconsistent, or there is a hardware fault, or it's a SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows then reboot into Windows twice. The usage of the /f parameter is very important! If the device is a SoftRAID/FakeRAID then first activate it and mount a different device under the /dev/mapper/ directory, (e.g. /dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation for more details.

- So it reported that the /dev/sdc1 partition could not be mounted, and listed some recommendations such as running chkdsk /f (Windows) to fix the mount. Since I am using Linux, I carried out the following procedure:

- Install: NTFS-3G + Ntfsprogs. We will use some of the resources available in this package, such as ntfsfix (: Here is the man page:

------------------------------------------------------------ Start
       ntfsfix - fix common errors and force Windows to check NTFS

       ntfsfix [options] device

       ntfsfix is a utility that fixes some common NTFS problems. ntfsfix is NOT a Linux version of chkdsk. It only repairs some fundamental NTFS inconsistencies, resets the NTFS journal file and schedules an NTFS consistency check for the first boot into Windows. You may run ntfsfix on an NTFS volume if you think it was damaged by Windows or some other way and it cannot be mounted.

       Below is a summary of all the options that ntfsfix accepts. Nearly all options have two equivalent names. The short name is preceded by - and the long name is preceded by --. Any single letter options, that don't take an argument, can be combined into a single command, e.g. -fv is equivalent to -f -v. Long named options can be abbreviated to any unique prefix of their name.

       -b, --clear-bad-sectors
              Clear the list of bad sectors. This is useful after cloning an old disk with bad sectors to a new disk.

       -d, --clear-dirty
              Clear the volume dirty flag if the volume can be fixed and mounted.  If the option is not present or the volume cannot be  fixed,  the  dirty  volume
              flag is set to request a volume checking at next mount.

       -h, --help
              Show a list of options with a brief description of each one.

       -n, --no-action
              Do not write anything, just show what would have been done.

       -V, --version
              Show the version number, copyright and license

 There are no known problems with ntfsfix.  If you find a bug please send an email describing the problem to the development team:

       ntfsfix was written by Anton Altaparmakov, with contributions from Szabolcs Szakacsits.  It was ported to ntfs-3g by Erik Larsson and Jean-Pierre Andre.

       ntfsfix is part of the ntfs-3g package and is available from:

       mkntfs(8), ntfsprogs(8)

------------------------------------------------------------ End.

So, to fix it, use the command:  sudo ntfsfix /dev/sdc1
..... and problem solved. (: