Our initial posting for VASTO can be found here. The author has now released an updated version, VASTO v0.2, at SyScan 10 Singapore.
“VASTO, the Virtualization ASsessment TOolkit is being developed at Secure Network and wants to be the reference in penetration testing in virtualized environments.”
This version includes attacks against the Abiquo and Eucalyptus private cloud systems and improved versions of the previously released VMware-targeting modules!
Download VASTO v0.2 here.
Tagged as: Bruteforce, VASTO, virtual network
Automated web application security scanners are very good at automating web application penetration tests. Although they are good at handling HTML, PHP, ASP, etc. webpages, they might not be able to handle FLEX applications. This is where Deblaze comes in handy.
Deblaze will allow you to perform method enumeration and interrogation against “Flash remoting” end points. Flash applications can make requests to a remote server to call server side functions, retrieving additional data and performing complex business operations. It works like a proxy while working with Flash applications, helping us in debugging network traffic. It also can help you in automatic discovery of remoting methods. In addition to that, it can also help you with basic parameter fuzzing and HTML reporting!
Deblaze provides the following functionality:
- Brute Force Service and Method Names
- Method Interrogation
- Flex Technology Fingerprinting
- Parameter detection
- Basic parameter fuzzing
- Proxy AMF requests/responses
- HTML reporting
Deblaze is basically a Python script that uses PyAMF to do what it does. It has a small database of sorts, names.txt, that you can improve or add to. This will help you a lot!
Download Deblaze version 0.3 here.
Tagged as: Bruteforce, Deblaze, fingerprinting tools, fuzz HTML
This tool is useful on a network that has many devices with the TFTP port open. TFTPTheft guesses file names in a near-bruteforce fashion and downloads the files it finds.
TFTPTheft is a collection of two Python scripts: finder.py, which discovers targets, and thief.py, which downloads files from the discovered targets. So, you could consider this pretty complete. It allows one to quickly scan/bruteforce a TFTP server for files and download them instantly. It can do so because TFTP, the Trivial File Transfer Protocol, still suffers from a major drawback: no authentication.
The way the tool works is pretty simple. It has a fixed list of files to search for, and this list can be edited. The list can be found in the “data” directory of the tool and already has about 50 odd Cisco-specific file names. It has been aptly named tftplist.txt. All of the source code is in Python. So, if you know how to code, you can certainly understand how it does what it does.
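From the defender's side, file-name guessing against an unauthenticated TFTP server shows up as one client sending many read requests that mostly end in "File not found". The sketch below is an added example, not code from TFTPTheft: it parses TFTP read-request and error packets (RFC 1350) and flags such clients. The event tuple format, the thresholds and the sample traffic are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

RRQ, DATA, ERROR = 1, 3, 5      # TFTP opcodes (RFC 1350)
FILE_NOT_FOUND = 1              # TFTP error code 1

def parse_tftp(payload):
    """Return ('rrq', filename), ('error', code), or None for anything else."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode == RRQ:
        # RRQ body is: filename NUL mode NUL
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3 or not parts[0]:
            return None
        return ("rrq", parts[0].decode("ascii", "replace"))
    if opcode == ERROR:
        return ("error", struct.unpack("!H", payload[2:4])[0])
    return None

def find_enumerators(events, min_names=5, min_miss_ratio=0.8):
    """Flag clients that request many distinct names and mostly get 'File not found'.
    events: (client_ip, direction, udp_payload), direction is 'c2s' or 's2c'.
    Assumption: the capture tooling has already tied server replies to the client IP."""
    names, misses = defaultdict(set), defaultdict(int)
    for client, direction, payload in events:
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        kind, value = parsed
        if direction == "c2s" and kind == "rrq":
            names[client].add(value)
        elif direction == "s2c" and kind == "error" and value == FILE_NOT_FOUND:
            misses[client] += 1
    return sorted(c for c, n in names.items()
                  if len(n) >= min_names and misses[c] / len(n) >= min_miss_ratio)

# Constructed sample traffic (documentation addresses, made-up file names).
def make_rrq(name):
    return struct.pack("!H", RRQ) + name.encode() + b"\x00octet\x00"
NOT_FOUND_PKT = struct.pack("!HH", ERROR, FILE_NOT_FOUND) + b"File not found\x00"
DATA_PKT = struct.pack("!HH", DATA, 1) + b"hostname lab\n"

SAMPLE = [("192.0.2.20", "c2s", make_rrq("backup.cfg")), ("192.0.2.20", "s2c", DATA_PKT)]
for i in range(6):
    SAMPLE.append(("192.0.2.10", "c2s", make_rrq("guess-%d.cfg" % i)))
    SAMPLE.append(("192.0.2.10", "s2c", DATA_PKT if i == 3 else NOT_FOUND_PKT))

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

The client that fetches a single known file is left alone; only the one cycling through names with a high miss ratio is reported.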
Download TFTPTheft version 0.1.1 here.
Tagged as: Bruteforce, TFTPTheft