While I was trolling around on Twitter this morning, PortSwigger tweeted about their latest release of Burp Suite, which now supports intercepting WebSockets. Check out their release note regarding v2.1.01. This feature also appears to be in the Community version as well as their Professional version:
OWASP has just released their latest version of the Zed Attack Proxy (ZAP or ZAProxy for short) intercepting proxy. This is an open source and free competitor to PortSwigger’s Burp Suite. I have taken the liberty of cloning the repo and you can find it here:
You can also download their pre-compiled installers for Windows, macOS and Linux here:
I was just made aware of some awesome open source efforts for doing car hacking with a CAN bus virtually. Check out the article here:
I have already taken the liberty of forking the underlying CAN bus GitHub repo:
Thank you IAmSecurity for making me aware of this!
I found this tutorial on using recon-ng, which is a tool used by pentesters for gathering open source intelligence (OSINT) about an individual or a company. It features a Metasploit-like interface and has the ability to crawl social networks, Google, WHOIS databases, etc. to collect information about a company, its employees, its domains, etc.
While I was browsing Twitter today, I found an interesting open source effort which is a PowerShell module that will make the box into a SOCKSv4 and v5 proxy server. I have forked the repo and you can find it here:
This YouTube video, titled “Lightening fast CTF solving – Automatic Exploit Generation & Side Channel Analysis”, was sent to me by Sketch from this year’s BSides DC. It shows how to automate exploitation for stack overflows and format string vulnerabilities, and the tool suite is built on top of the “angr” framework, Intel’s Pin framework and the “pwntools” package for Python. At the tail end of the video he actually applies this tool suite against a NETGEAR SOHO router, where it not only finds the vulnerability but actually exploits it remotely, and he discusses how it can be used to identify and exploit these vulnerabilities in IoT devices.
I have already taken the liberty of forking all of his GitHub repositories and you can find them here:
At this year’s RSA Conference in San Francisco, CA, NSA released their GHIDRA reverse engineering framework on GitHub. Within hours, security researchers found a vulnerability in it that can be exploited to gain remote code execution because it listens on a TCP port that is open on all interfaces.
Wireshark, which is the best open source PCAP analyzer, just hit a major milestone with the release of 3.0.0, which you can download now at:
Modeled after Metasploit, this open source tool will scan a network or an IP address range for vulnerabilities.