cum security toolkit – cgi vulnerability scanner and a port scanner

The “cum security toolkit” (cst) contains a cgi vulnerability scanner and a port scanner, and can be used as a hacking tool, or as a security vulnerability assesment tool.

The cgi scanner is a web vulnerability scanner that scans using a database of scripts, files and directories (user editable). The sample databases included contain +2200 possibly vulnerable scripts/dirs. You can scan with or without using (multiple) proxy servers. The cgi scanner has +11 different anti-IDS tactics (hex-values, double slashes, self-reference directories, session splicing, parameter hiding, http misformatting, dos/win directory syntax, case sensitivity, null method processing, long urls, premature request ending and http 0.9 scans), and sends fake “X-Forwarded-For:”, “Referer:” and “User-Agent:” headers to hide your scans even more. You can also specify a waittime between 2 script fetches. The cgi scanner uses HEAD requests for faster scanning (you can scan using GET by providing an extra flag), and supports scanning virtual hosts. You can also specify another port to scan instead of the standard port 80, or another directory than the standard cgi-bin or scripts. The scanner outputs the scripts and/or directories that return a 200, 201, 202, 204, 403 or 401 HTTP code (you can specify other codes too using an extra flag) and outputs the target webserver software. You can scan single hosts, or supply a file with a list with targets for bulk scanning.

The port scanner is a simple TCP portscanner with banner grabbing. It outputs which ports are open, sends a string to the open ports (user specified), and shows their reply. It is more an enumeration / stress tool. You can scan separate ports and/or portranges, and you can scan a single host, or supply a list with servers for bulk scanning.

The cum security toolkit is not updated but very effective for some known vulnerabilities which help hackers / crackers to gain access.

How to scan:
To scan a server, start cst_cgis.class like this:
java cst_cgis -db:<scandb> -d:<dir> -h:<host>

Download CGI vulnerability database here

Download cum security toolkit here

If you enjoyed this article, you might also like:

• May 24, 2010 -- UPDATE: Darkjumper v5.8!
  You can find our original post regarding Darkjumper here. An updated Darkjumper version 5.8 was rele...
• February 24, 2010 -- Darkjumper – A scanner to check for SQL injection, LFI’s and RFI vulnerabilities!
  Darkjumper is a tool that will try to find every website that host at the same server at your target...
• February 4, 2010 -- UPDATE: CAT.NET 2.0 – Beta!
  We have previously written about Microsoft CAT.NET here. Now, the Microsoft Security Tools team has ...
• December 16, 2009 -- Microsoft Code Analysis Tool .NET – A Binary Code Analysis Tool!
  What is Microsoft Code Analysis Tool .NET? CAT.NET is a binary code analysis tool that helps ident...
• September 14, 2009 -- Mutillidae – Set Of PHP Vulnerable Scripts That Implement The OWASP Top 10
  Mutillidae is a set of PHP Vulnerable Scripts, that implement the OWASP Top 10 for testing and teach...
• August 31, 2010 -- DllHijackAuditor: Audit the DLL Hijacking Vulnerability!
  DllHijackAuditor is the smart tool to audit against the DLL Hijacking Vulnerability on any Windows a...
• August 20, 2010 -- UPDATE: XSSer v0.7a!
  All of you web application penetration testers, check out this release of XSSer version 0.7a, for i...
• August 18, 2010 -- UPDATE: WhatWeb v0.4.5!
  We originally wrote about WhatWeb in our previous post here. It has now been updated to WhatWeb ve...
• August 18, 2010 -- Nmapsi: A NMAP GUI!
  Yet another nmap GUI - NmapSi is a complete Qt-based GUI with the design goals to provide a complete...

Tagged as: cross-site scripting, FastCGI, port scanner, Vulnerability Scanner