gremwell magictree native app for OSX

MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, "Tree" is because all the data is stored in a tree structure, and "Magic" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting.

The application was written in Java, then running in operating systems with sun-jvm is not very complex (java -jar file.jar or double click --if you have the file association--). I prefer to have it in the application folder (to access with Quicksilver/Launchpad/blah..) and with application menus built inside of osx so i decided to turn it into a native application (.app corresponding to version 1.1 of MT)

To download, click:

http://dl.dropbox.com/u/813317/magictree1.1.zip

The MD5 hash is:

MD5 (magictree1.1.zip) = 09d17885821924be89f906b9aca8f254

Patch to compile Skipfish 1.27b in OSX

Yeah, I am obsessed with skipfish ;)

This is the patch to compile version 1.27b in OSX.

Now, i am working in one patch that the developer could make a definitive part of the source code to facilitate the compilation.

This was a great day for science!

Click here to download:

skipfish1.27b-osx.patch (1 KB)

Skipfish 1.26b OSX Binary!

This is the binary of the recent version: 1.26b.

MD5 Hash:

789dd25bd94259ff893ef2f46a4a7648 skipfish-1.26b-osx-bin.tgz

Click here to download:

skipfish-1.26b-osx-bin.tgz (307 KB)

Skipfish 1.26b is out and working in OSX

Hey, good news, Skipfish 1.26b is out!

Changelog from 1.19b:

Version 1.26b:
--------------

  - phtml added to the dictionary.

  - Yet another workaround for MALLOC_CHECK_. Grr.

Version 1.25b:
--------------

  - A limit on the number of identically named path elements added. This
   is a last-resort check against endless recursion (e.g., for 'subdir'
   -> '.' symlinks).

Version 1.24b:
--------------

  - XSS detection now accounts for commented out text.

Version 1.23b:
--------------

  - A minor improvement to XHTML detection.

  - HTML vs XHTML mismatches no longer trigger a warning.

Version 1.22b:
--------------

  - URL parser now accounts for its own \.\ injection pattern.

Attempt to compile as it is downloaded (without the patch).

My patch to 1.19b works fine in 1.26b too.

$ patch < skipfish.patch

patching file Makefile

patching file report.c

patching file Info.plist

This was a great day for science!

Skipfish running!

The tool is very nice and useful.

Some recommendations:

1.) Execute it in a terminal with a background color, the app runs with black and white color fonts.

2.) The tool doesn't understand the dot (.) as PATH (if you want save the report in the current folder).

3.) The USER-AGENT of Skipfish is sfish (useful to check the task in the webserver log file).

4.) Some test (with the complete.wl) may take a long time, be patient.

Scan time : 1:03:20.0777

HTTP requests : 1722046 sent (453.23/s), 1107756.62 kB in, 378751.66 kB out (391.11 kB/s)

5.) Check with detail the options of the command and naturally, the final report.

(download)

skipfish 1.19b OSX binary

In my previous post, I showed how to compile Skipfish in OSX. Now, i have a small improvement: a binary.

With it, you not compile anything, only download, uncompress and run!

The MD5 hash is f029429ec7e77270ad80674397caf0f7 please, check it after downloading.

Click here to download:

skipfish-1.19b-osx-bin.tgz (306 KB)

Compiling Google Skipfish 1.19b on OSX

The past friday March 19, Google Inc announced on its official blog, the active web application security reconnaissance tool: Skipfish.

Some important things about Skipfish by the developer (lcamtuf):

High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.

Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.

Now, how i can build it on OSX?

You need:

1.) Developer Tools from Apple (xcode)

2.) Fink or Mac ports

Ready? Go!

1.) Install libidn from fink/macports

$ sudo fink install libidn

$ sudo port install libidn

Remember the prefix paths: Fink store all files in /sw/ and macports in /opt/

2.) Download Skipfish 1.19b (last available now) from here and uncompress in any path, by the example: /usr/local/src

3.) Download my patch: skipfish-osx.patch and copy it in /usr/local/src/skipfish

4.) Apply the patch:

# patch < skipfish-osx.patch

patching file Makefile

patching file report.c

patching file Info.plist

5.) Compile with:

# make

Quick and easy ;)

Click here to download:

skipfish-osx.patch (2 KB)

Gritos desde /dev/null

Archives

Filed under security

gremwell magictree native app for OSX

Patch to compile Skipfish 1.27b in OSX

Skipfish 1.26b OSX Binary!

Skipfish 1.26b is out and working in OSX

Skipfish running!

skipfish 1.19b OSX binary

Compiling Google Skipfish 1.19b on OSX

Tags

Archives

Filed under security