Microsoft release Attack Surface Analyzer tool released

Microsoft’s Trustworthy Computing (TWC) unit released the full version of its Attack Surface Analyzer today.The Attack Surface Analyzer 1.0 release comes at the end of the tool’s beta phase.
The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the launch of Attack Surface Analyzer, the company has received positive feedback about the value it has provided to customers.
The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report,” wrote a TwC representative in a blog post.
This release includes performance enhancements and bug fixes to improve the user experience. Through improvements in the code, they were able to reduce the number of false positives and improve Graphic User Interface performance. This release also includes documentation and guidance to improve ease of use.
As well as helping IT departments, the tool is also designed to help application developers ensure that their products don’t weaken Windows computers’ cyber defences.
The Attack Surface Analyzer enables:
  1. Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  2. IT Professionals to assess the aggregate attack surface change by the installation of an organization’s line of business applications
  3. IT Security Auditors to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  4. IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)

Backtrack 5 R3 Released

The latest version of Backtrack is out! Check out Backtrack 5 R3!
The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released in BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.
Backtrack Team have released a single VMware Image (Gnome, 32 bit), for those requiring other VM flavors of BackTrack.

Download BackTrack 5 R3 release via torrent
BT5R3-GNOME-64.torrent (md5: 8cd98b693ce542b671edecaed48ab06d)
BT5R3-GNOME-32.torrent (md5: aafff8ff5b71fdb6fccdded49a6541a0)
BT5R3-KDE-64.torrent (md5: 981b897b7fdf34fb1431ba84fe93249f)
BT5R3-KDE-32.torrent (md5: d324687fb891e695089745d461268576)
BT5R3-GNOME-32-VM.torrent (md5: bca6d3862c661b615a374d7ef61252c5)

NinjaWPass – Protect WordPress against keyloggers and stolen passwords

NinjaWPass is a free WordPress plugin written to protect your blog administration console. It makes it basically impossible for a hacker who stole your password to log in to your console. The way it works is simple but very efficient and it is being used by some large banking corporations in order to protect their customers online accounts. All you need to do is to define a second password (AKA the NinjaWPass password) from 10 to 30 characters.


At the WordPress login prompt, besides your current password, you will be asked to enter 3 randomly chosen characters from your NinjaWPass password. Whether your computer is infected by a keylogger or someone is spying over your shoulder, this protection will keep them away.

Additionally, the plugin offers the possibility to receive an alert by email whenever someone logs into your WordPress admin interface

HTExploit : Open Source Tool to Bypass Standard Directory Protection

HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process to gain access to a protected directory contents. Presumably, if such an attack is successful, you can launch further attacks such as SQL Injection, Local File Inclusion, Remote File Inclusion, etc. on discovered files.
Features of HTExploit:
  • Multiples modules to execute.
  • Save the output to an specify directory.
  • HTML Reporting.
  • Use multiples wordlist to probe against htaccess bypassing.
  • Mode verbose for a full detailed information.
  • Multi-platform and flexible.
The vulnerability exists because web servers like Apache forward PHP-based requests within .htaccess to the PHP engine itself. The .htaccess file allows you to specify the requests get sent to PHP to try to interpret. However, on encountering non-standard input, PHP automatically treats it as a GET request, and allows the utility to start saving the PHP files on a webserver to your local filesystem, bypassing security restrictions!

WebSploit Toolkit v.1.9 – Tcp Kill Attack Added

WebSploit is an open source project for scan and New Attack Added called “Web Killer” A Tcp Kill Attack To Your WebSite On Network .
It analysis remote system from vulnerability:
  • Autopwn – Used From Metasploit For Scan and Exploit Target Service
  • wmap – Scan,Crawler Target Used From Metasploit wmap plugin
  • format infector – inject reverse & bind payload into file format
  • phpmyadmin – Search Target phpmyadmin login page
  • lfi – Scan,Bypass local file inclusion Vulnerability & can be bypass some WAF
  • apache users – search server username directory (if use from apache webserver)
  • Dir Bruter – brute target directory with wordlist
  • admin finder – search admin & login page of target
  • MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
  • MITM – Man In The Middle Attack
  • Java Applet Attack – Java Signed Applet Attack
  • MFOD Attack Vector – Middle Finger Of Doom Attack Vector
  • USB Infection Attack – Create Executable Backdoor For Infect USB For Windows

Anonymous FTP Scanner – Python Script

Anonymous FTP Scanner is a Python Script “FtpScan.py” – Which Scans for FTP servers allowing Anonymous Login.