Archive for the 'How To’s and Tools' Category

August 24, 2016

This translation toolset is a very neat asset to any penetration tester and especially useful for exploit development and Web Application Pen Testing.


Easy SMTP Mail Relay Test

Author: Martin Voelk
August 23, 2016

This is a neat tool to test for open relays. Whilst few true open relays are left out there these days, internal relaying is just as dangerous. Why? Imagine Mr Tom Smith is the boss of Mr Jack Miller. Now someone relays an insulting email to Tom Smith that appears to come from Jack Miller, which could cost Miller his work contract. Likewise, a fake Smith-to-Miller mail could create serious disturbance. We come across these internal relay problems in many of our audits. Disable internal mail relaying!


February 25, 2016



In the last few years there have been several high-profile vulnerabilities in the SSL and TLS protocols, such as Heartbleed or POODLE (Padding Oracle On Downgraded Legacy Encryption), that have sent administrators scrambling. There are a number of tools that can help you identify and evaluate the security of your SSL configuration. One of them, SSLyze, is an SSL scanner that can give you an idea of what flaws exist in your SSL implementation. While it won't fix them, it will help you identify issues in your configuration.


SSLyze is a freely available SSL scanner from iSEC Partners. It works by attempting a series of connections, with different protocol versions and cipher settings, to the server that you are testing. SSLyze is written in Python and runs on the command line. Let's see how it works.


Let's look at how to install it. If you are a Kali Linux user it is present by default; just update it frequently.


SSL is a good thing to have implemented as security on a website, but only if it is set up correctly and kept on the newest version. Otherwise you (your site) may well be hacked, as Heartbleed showed.


It is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing.



Some features are:


  • Multi-processed and multi-threaded scanning: it’s very fast.
  • Support for all SSL protocols, from SSL 2.0 to TLS 1.2.
  • NEW: SSLyze can also be used as a library, in order to run scans and process the results directly from Python.
  • Performance testing: session resumption and TLS tickets support.
  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more.
  • Server certificate validation and revocation checking through OCSP stapling.
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostgreSQL and FTP.
  • Support for client certificates when scanning servers that perform mutual authentication.


To install SSLyze you can either use pip:



#pip install sslyze


or clone it from GitHub:


#git clone
#cd sslyze
#pip install -r requirements.txt --target ./lib


The following command is how you run a basic SSLyze scan:


#python --regular

Additionally, SSLyze can be packaged as an executable so you can use it on a Windows machine easily. That command would look like this:



sslyze.exe --regular

This command scans the domain and writes the output back to the console. The option --regular is a shortcut for several commonly used options. The output will look something like the example screenshot below.


This gives you some good information about the security of your SSL configuration, such as whether or not specific settings are enabled (like secure renegotiation or compression), some general information about the certificate, and what SSL protocols and ciphers are accepted by your server. Let’s look at each section individually.


#sslyze -h


[Screenshots of the SSLyze help and scan output omitted]



The first section of the report requires little explanation; it's just SSLyze letting you know which plugins it is using and checking that the host you entered is reachable.


In the second section we start to see some of the first vulnerabilities SSLyze is looking for. All of these relate to some issue with SSL configuration.


For example, if compression is enabled, then you are probably vulnerable to the CRIME attack. Or if you have an insecure renegotiation vulnerability (that's when client-initiated renegotiations are accepted and secure renegotiation is not supported), that can lead to denial-of-service attacks and man-in-the-middle request injection. Generally, if SSLyze says VULNERABLE instead of OK, then you have some reconfiguring to do.


* Deflate Compression:

OK – Compression disabled

* Session Renegotiation:

Client-initiated Renegotiations: OK – Rejected

Secure Renegotiation: OK – Supported

* OpenSSL Heartbleed:

OK – Not vulnerable to Heartbleed



The next section of the report contains a lot of simple information about the SSL certificate: the name of the certificate authority that signed it, the key size and the signature algorithm.


Right now, SHA1 with a 2048 bit key is the standard; however, in the next few years browsers will no longer trust SHA1. This section is also where SSLyze checks whether OCSP (Online Certificate Status Protocol) stapling and session resumption are enabled.


* Certificate – Content:

SHA1 Fingerprint: 00000000000000000000000000000

Common Name:

Issuer: Some SSL CA – G2

Serial Number: 0000000000000000000000000000000

Not Before: Jan 24 00:00:00 2015 GMT

Not After: Jan 22 23:59:59 2019 GMT

Signature Algorithm: sha1WithRSAEncryption

Key Size: 2048 bit

Exponent: 65537 (0x10001)

X509v3 Subject Alternative Name: {‘DNS’: [‘’]}

* Certificate – Trust:

Hostname Validation: OK – Certificate matches

“Mozilla NSS – 08/2015” CA Store: OK – Certificate is trusted

“Microsoft – 08/2015” CA Store: OK – Certificate is trusted

“Apple – OS X 10.9.4” CA Store: OK – Certificate is trusted

“Java 6 – Update 65” CA Store: OK – Certificate is trusted

Certificate Chain Received: [‘’, ‘Some SSL CA – G2’, ‘Some CA’, ‘Some Secure Certificate Authority’]

* Certificate – OCSP Stapling:

NOT SUPPORTED – Server did not send back an OCSP response.

* Session Resumption:

With Session IDs: OK – Supported (5 successful, 0 failed, 0 errors, 5 total attempts).

With TLS Session Tickets: NOT SUPPORTED – TLS ticket not assigned.



The last section of the report details all of the enabled protocols and the allowed cipher suites on top of those protocols.


In this example, the administrator has disabled SSL version 2 as it is very insecure (yay!). However, SSLv3 is still enabled and there are still some weak ciphers enabled on the TLS protocols, namely RC4 and DES. The next step for this admin would be to disable SSLv3, to avoid issues like POODLE (Padding Oracle On Downgraded Legacy Encryption). After that, it would be wise to disable the older, insecure suites and support NIST-compliant cipher suites, for example ECDHE key exchange with RSA authentication (the ECDHE-RSA suites).


* SSLV2 Cipher Suites:

Server rejected all cipher suites.

* TLSV1_2 Cipher Suites:


AES128-SHA – 128 bits HTTP 200 OK


AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* TLSV1_1 Cipher Suites:


AES128-SHA – 128 bits HTTP 200 OK


AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* TLSV1 Cipher Suites:


AES128-SHA – 128 bits HTTP 200 OK


AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* SSLV3 Cipher Suites:


AES128-SHA – 128 bits HTTP 200 OK


AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK
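The report sections above can be triaged automatically. The following script is an added example, not part of the original post or of SSLyze itself: it walks an SSLyze --regular text report and flags exactly the conditions the post discusses (VULNERABLE lines, a SHA-1 signed certificate, missing OCSP stapling, SSLv2/SSLv3 being enabled, RC4 and DES suites). The sample report is constructed from the output shown above and assumes SSLyze's plain ASCII " - " separators.

```python
import re
# Constructed sample: an abridged SSLyze --regular text report, modelled on the one
# shown above (hostname, fingerprints and the sections that came back OK left out).
SAMPLE_REPORT = """\
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* Certificate - Content:
Signature Algorithm: sha1WithRSAEncryption
Key Size: 2048 bit
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
AES128-SHA - 128 bits HTTP 200 OK
RC4-SHA - 128 bits HTTP 200 OK
DES-CBC3-SHA - 112 bits HTTP 200 OK
* SSLV3 Cipher Suites:
AES256-SHA - 256 bits HTTP 200 OK
RC4-MD5 - 128 bits HTTP 200 OK
"""

# Suites the post singles out (RC4, DES/3DES) plus export and NULL suites.
WEAK_SUITE = re.compile(r"\b(RC4|DES|NULL|EXP)\b")

def triage(report):
    # Walk the report section by section and collect what needs reconfiguring.
    findings, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* "):                  # e.g. "* TLSV1_2 Cipher Suites:"
            section = line[2:].rstrip(":")
            continue
        upper = line.upper()
        if "VULNERABLE" in upper and "NOT VULNERABLE" not in upper:
            findings.append(f"{section}: {line}")  # CRIME, Heartbleed, renegotiation
        elif section == "Certificate - OCSP Stapling" and upper.startswith("NOT SUPPORTED"):
            findings.append("OCSP stapling not supported")
        elif line.startswith("Signature Algorithm:") and "sha1" in line.lower():
            findings.append("certificate signed with SHA-1")
        elif section and section.endswith("Cipher Suites") and " bits " in line:
            suite, proto = line.split(" - ")[0], section.split()[0]
            if proto in ("SSLV2", "SSLV3"):        # the protocol itself is the problem (POODLE)
                findings.append(f"{proto} enabled: {suite}")
            elif WEAK_SUITE.search(suite):
                findings.append(f"weak suite on {proto}: {suite}")
    return findings
```

Feed `triage()` the captured text of a real `sslyze --regular` run and each returned string is one configuration change to make.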



You can download SSLyze here. Hopefully you now have enough information about this excellent tool to take advantage of it and keep your website safe from hacking.



January 31, 2016

Any experienced Pentester will tell you that the enumeration and reconnaissance phases of a Penetration Test are probably the most important parts of any Security Assessment. The problem many Pentesters face these days is the sheer volume of different tools available and deciding which one(s) to use.

Thankfully there is an answer for the Enumeration Phase. A great tool with a nice GUI has been developed and, best of all, it's absolutely free and has been integrated into Kali Linux 2.0. Of course it can also be downloaded as a standalone from GitHub.

It’s called Sparta: 

An extremely powerful tool which goes beyond NMAP, SMTP, SNMP, NetBIOS and FTP enumeration and also includes fancy tools like dirbuster and other nice Web Assessment tools, all through one single user interface.



January 28, 2016

Today we would like to introduce a website which offers a neat collection of very useful Penetration Testing Tools, from Web Shells and reverse shells to useful scripts and enumeration tools. We highly recommend that Penetration Testers and Ethical Hackers add them to their portfolio.


Vulnerability Scanning with NMAP

Author: Martin Voelk
January 12, 2016

Almost everyone in IT Security has either heard of or used the powerful port scanning tool NMAP. However, a lot of folks don't seem to know that NMAP can be turned into a free and powerful Vulnerability Scanner like Nessus or OpenVAS.

Here is how to do that (from Kali or any other Linux distro):

nmap -sS -sV --script=vulscan/vulscan.nse target

To eliminate false positives:

nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 target



January 7, 2016

There are lot of “pay for email encryption” companies out there. Today we want to feature a new great and secure service from Switzerland. A lot of people mistrust governments and so this service can provide a valid alternative to privacy. We are not saying it’s 100% bullet proof but from our first tests it looks promising. They have seen such great success that you now have to go on a waiting list. But it’s worth it!


Cisco is one of the leading Network manufacturers in the world. They moved on from traditional Routing & Switching to Security, Unified Communications, Storage, Wireless and many other areas of IT. Not surprisingly a lot of the Network infrastructure is powered by Cisco products.

In order to test some of the Security aspects of Cisco products, there are a few free tools out there which you will find below.


Cisco Auditing Tool

Cisco Global Exploiter

Cisco OCS




April 17, 2015

The Cisco ASA is a very popular firewall and not only that, it’s also Cisco’s flagship VPN concentrator after discontinuing the VPN 3000 Concentrator a few years ago.

Many Admins may know this problem. The ASA was inherited from the previous engineer(s), nothing has been documented, the usual. Now the company wants to migrate the ASA to a newer model and the question arises: who has the PSK (Pre-Shared Key) for the VPN? The "show run" output will show *** which is not any good 🙂

There is an easy way of recovering the key. Good for Admins!! Bad for Security!! A lot of Cisco Admins believe that the PSKs are not recoverable on the ASA or PIX – wrong. They can be easily recovered:

show run

tunnel-group MARTIN ipsec-attributes
ikev1 pre-shared-key *****

more system:running-config

tunnel-group MARTIN ipsec-attributes
ikev1 pre-shared-key cisco



April 15, 2015

This one deserves a post. A nice guy who teaches Web Application Security at universities has developed an awesome VMware image with a lot of vulnerable Web Applications. He has combined many of the common vulnerable Web Apps, such as DVWA and OWASP Bricks, into a single bootable bundle.

A lot of the Web Apps come with complete course modules where Penetration Testers can work through them in a course-style environment. Best of all, it's completely free, fun and safe.

Students can practice simple stuff such as HTML GET and POST manipulation and LFI/RFI, all the way to advanced JavaScript vulnerabilities, Cross Site Scripting (XSS) and SQL Injection. You can test automated tools such as Burp Suite, Nikto, OWASP-ZAP, Netstalker etc., use Firefox Pentesting plugins, or go all the way to manual testing.

A special funny highlight is the OWASP Hackademic Challenges Project where you become a little Cyber agent with tasks of gaining access to websites, find hidden files etc.

IMHO, working with such vulnerable distributions is a LOT more valuable to Penetration Testers than reading and understanding dry theory and concepts. Penetration Testing is all about being able to face challenges and actually do Pentesting, not just understand the concepts.

You can download the VMware image here: