Tools
Here you'll find tools developed in-house by SensePost.
Suru
Suru is a Man In The Middle (MITM) proxy that sits between the user's browser
and the web application. It receives all the requests made by the browser and
records them. The requests can be modified in any way and replayed. Suru not
only catches requests made by the user, but also requests that use the IE
object, such as rich applications using web services, MSN ads, Google Earth
requests, application updates etc. The proxy understands multipart POSTs (MMPs)
and XML POSTs (used for web services).
Suru home page
BiDiBLAH
BiDiBLAH is an assessment/attack console that implements almost
all of SensePost's external assessment methodologies. The tool automates 80%
of the tasks.
This covers footprinting, portscanning, banner scanning,
targeting, vulnerability discovery, and vulnerability exploitation.
The tool also includes report generation in MS Office.
BiDiBLAH home page
Scully
Scully is a brute forcer and a simple client interface to MSSQL and MySQL
database servers.
No more need to install database client libraries or set up ODBC connections
in Windows.
Scully home page
CrowBar
CrowBar is a generic web application brute forcer. It has the ability
to perform a brute force on any part of the HTTP request. Using fuzzy logic
it compares the content of each response and gives the analyst the
opportunity to set trigger conditions.
CrowBar home page
Wikto
Wikto is Nikto for Windows - but with a couple of fancy extra features
including Fuzzy logic error code checking, a back-end miner, Google
assisted directory mining and real time HTTP request/response
monitoring. Wikto is coded in C# and requires the .NET framework.
Wikto home page
Casper
Early in 2002 SensePost revealed GATSLAG, a win32 Trojan that made use of (invisible)
Internet Explorer sessions to tunnel information in and out of target networks. An amped-up
version called SETIRI was demonstrated at BlackHat Vegas 2002. While sizable snippets of
Setiri code were given to anti-virus researchers in order to possibly detect Setiri derivatives,
none of the personal firewall vendors appear to have clamped down on
the actual problem. This (short!) paper and accompanying tool demonstrate that a simple
and effective solution would be easy to implement in personal firewalls, anti-virus scanners
or even the OS itself.
Whilst Casper is a working utility that helps defend against tools like Setiri, its primary purpose
is to act as Proof-of-Concept for the solution we're suggesting.
Download the paper (644 kb)
Download the code (614 kb)
8ca72bd1cb69d791d6b9e639529fceb3
SPUD
A while back, Google encouraged developers to make use of their API. Many people built
applications around the API, but alas, Google stopped issuing API keys for their API in
2006. As a result, large parts of the functionality of many tools fell away. SensePost
Unified Data API (SPUD) will help get those tools working again. SPUD also integrates
seamlessly with BiDiBLAH and Wikto. Best of all, SPUD is free.
SPUD home page
Squeeza
Just in time for BlackHat USA 2007, we released Squeeza, a new take on exploiting SQL injection in vulnerable web applications. Squeeza splits the data generation from the channel used to return data to the attacker; hence command output, SQL queries and files can be returned via DNS, timing or HTTP error messages. The tool is GPL'ed, so grab and play.
Squeeza home page
reDuh
reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.
Most external firewalls block all incoming sockets except for port 80/443. reDuh allows an attacker to use the compromised
web server as a tunneling proxy into the internal network environment. reDuh encodes data into valid HTTP requests, which are
then delivered to the server agent, decoded, and redirected to the various configured tunnels. reDuh is available in
JSP/PHP/ASP.
reDuh home page